How should open source security attestations be published?
Mailing list discussion suggested that, for ease of consumption at scale, a .md file in the repo would be helpful. Is it the thought that this file would include the security attestation, or would this file indicate whether an attestation is available and, if so, under what conditions?