From 2708162562ec240138ee7c2b31f2a6f2f1e4f6cb Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Thu, 18 Dec 2025 13:03:29 -0800
Subject: [PATCH] add artifact-metadata permission docs

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 9735307..98c7c73 100644
--- a/README.md
+++ b/README.md
@@ -46,11 +46,15 @@ attest:
    permissions:
      id-token: write
      attestations: write
+     artifact-metadata: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
    necessary to request a Sigstore signing certificate. The `attestations`
    permission is necessary to persist the attestation.
+   The `artifact-metadata` permission is required to generate artifact
+   metadata storage records. If this permission is not included, the action
+   will continue without creating the record.
 
 1. Add the following to your workflow after your artifact has been built: