Add support for creating artifact metadata storage records

[malancas]

This adds a new boolean create-storage-record field that when set to true, will create an artifact metadata storage record when the push-to-registry field is also set to true. If the push-to-registry field is set to false, a storage record will not be created.

Because creating storage records requires the artifact-metadata:write permission, the Action will not create a record if the permission is not provided and continue operations gracefully.

[Copilot]

Pull request overview

This PR adds support for creating artifact metadata storage records when attestations are pushed to OCI registries. The feature is controlled by a new create-storage-record input parameter that defaults to true and requires the artifact-metadata:write permission.

• Adds a new create-storage-record input field to control artifact metadata storage record creation
• Updates the Actions version from v3.0.0 to v3.1.0
• Documents the new artifact-metadata:write permission requirement

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
package.json	Bumps package version from 2.0.0 to 3.1.0 to reflect the new feature
action.yml	Adds the new create-storage-record input parameter and updates the actions/attest dependency to v3.1.0
README.md	Documents the new permission requirement and the create-storage-record configuration option

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation states that create-storage-record requires subject-name to specify a fully-qualified image name, but this requirement is not mentioned in the action.yml description or the PR description. Consider either adding this constraint to the action.yml description for consistency, or removing it from the README if it's not actually enforced.

[bdehamer]

We can ditch the package.json changes.