@@ -48,11 +48,11 @@ the inputs you provide:
4848
4949<!-- markdownlint-disable MD013 -->
5050
51- | Mode | When Used | Description |
52- | -------------- | ------------------------------------------------------ | ------------------------------------------------ |
53- | ** Provenance** | No ` sbom-path ` or predicate inputs | Auto-generates [ SLSA build provenance] [ 10 ] |
54- | ** SBOM** | ` sbom-path ` is provided | Creates attestation from SPDX or CycloneDX SBOM |
55- | ** Custom** | ` predicate-type ` /` predicate ` /` predicate-path ` provided | User-supplied predicate |
51+ | Mode | When Used | Description |
52+ | -------------- | ------------------------------------------------------ | ----------------------------------------------- |
53+ | ** Provenance** | No ` sbom-path ` or predicate inputs | Auto-generates [ SLSA build provenance] [ 10 ] |
54+ | ** SBOM** | ` sbom-path ` is provided | Creates attestation from SPDX or CycloneDX SBOM |
55+ | ** Custom** | ` predicate-type ` /` predicate ` /` predicate-path ` provided | User-supplied predicate |
5656
5757<!-- markdownlint-enable MD013 -->
5858
@@ -159,7 +159,7 @@ See [action.yml](action.yml)
159159<!-- markdownlint-disable MD013 -->
160160
161161| Name | Description | Example |
162- | ------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
162+ | -------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
163163| `attestation-id` | GitHub ID for the attestation | `123456` |
164164| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
165165| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
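Review bot: Only the separator row (line 162) changes in the outputs table. The Name column gains one dash, while the header row and the `attestation-id`, `attestation-url` and `bundle-path` rows stay as unchanged context. If the aim is column alignment, check that the new separator width matches the padding of those unchanged rows. Otherwise the next formatter run will touch this table again.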
@@ -320,9 +320,25 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
320320" acme.azurecr.io/user/app" ). Do NOT include a tag as part of the image name --
321321the specific image being attested is identified by the supplied digest.
322322
323- If the `push-to-registry` option is set to true, the Action will also
324- emit an Artifact Metadata Storage Record. If you do not want to emit a
325- storage record, set `create-storage-record` to `false`.
323+ # ### Artifact Metadata Storage Records
324+
325+ When generating a build provenance attestation, if the `push-to-registry` option
326+ is set to true, the Action will also emit an
327+ [Artifact Metadata Storage Record](https://docs.github.com/en/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
328+ Storage records enrich artifact metadata by capturing storage related details,
329+ such as which registry an image is hosted on and whether it's marked as active.
330+
331+ If you do not want to emit a storage record, set `create-storage-record` to
332+ ` false` .
333+
334+ > **NOTE**: Storage records can only be created for artifacts built from
335+ > [organization-owned](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations)
336+ > repositories.
337+
338+ Artifacts associated with a storage record can be viewed by navigating to the
339+ `Linked Artifacts` page in your organization :
340+ ` https://github.com/orgs/YOUR_ORG/artifacts` (replace `YOUR_ORG` with your
341+ organization name).
326342
327343> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
328344> portion of the image name.
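Review bot: The new NOTE at lines 334-336 says storage records can only be created for artifacts built from organization-owned repositories, but the section never says what the Action does in a user-owned repository when `push-to-registry` is true and `create-storage-record` is left unset. Please add a sentence stating whether the record is skipped silently, skipped with a warning, or causes the step to fail, and state the default value of `create-storage-record` so readers know whether they must opt out. The opening sentence also scopes this to "generating a build provenance attestation", so it is worth saying explicitly whether the SBOM and Custom modes ever emit a storage record. Minor wording: "storage related details" at line 328 should be "storage-related details".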