Small addition to "About linked artifacts" (#59398)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>

Author: isaacmbrown

content/code-security/concepts/supply-chain-security/linked-artifacts.md

@@ -38,6 +38,8 @@ Storage records include the repository containing the artifact's source code, th
 
 ![Screenshot of an artifact page. Highlighted fields: storage registry, artifact repository, source repository.](/assets/images/help/security/virtual-registry-storage-record.png)
 
+The _artifact repository_ is not mandatory. It refers to the concept of a repository in certain external package registries: a place where multiple packages can be grouped. By contrast, the _source repository_ refers to the {% data variables.product.github %} repository where the artifact is built. The source repository is mandatory, and is detected automatically if the artifact has a build provenance attestation.
+
 For more information about attestations and SLSA levels, see [AUTOTITLE](/actions/concepts/security/artifact-attestations).
 
 ### Deployment records