From 9247cf35631e3219a770a287bd0981aacfc1ebcb Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Sun, 23 Apr 2023 13:27:32 -0600 Subject: [PATCH 1/8] action, selftest: deprecate `bundle-only: false` (#65) * action, selftest: deprecate `bundle-only: false`` Signed-off-by: Andrew Pan * action, release: remove `bundle-only` Signed-off-by: Andrew Pan --------- Signed-off-by: Andrew Pan --- .github/workflows/release.yml | 1 - .github/workflows/selftest.yml | 6 ------ README.md | 23 ----------------------- action.py | 5 ----- action.yml | 8 -------- 5 files changed, 43 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d57ce9f..3183fc3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,4 +24,3 @@ jobs: with: inputs: action.yml action.py release-signing-artifacts: true - bundle-only: true diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 573a69e..6bcede1 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -23,8 +23,6 @@ jobs: inputs: ./test/artifact.txt - name: Check outputs run: | - [[ -f ./test/artifact.txt.sig ]] || exit 1 - [[ -f ./test/artifact.txt.crt ]] || exit 1 [[ -f ./test/artifact.txt.sigstore ]] || exit 1 selftest-xfail-invalid-inputs: @@ -67,8 +65,6 @@ jobs: staging: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sig ]] || exit 1 - [[ -f ./test/artifact.txt.crt ]] || exit 1 [[ -f ./test/artifact.txt.sigstore ]] || exit 1 selftest-glob: @@ -102,8 +98,6 @@ jobs: - name: Verify presence of uploaded files run: | [[ -f ./artifact.txt ]] || exit 1 - [[ -f ./artifact.txt.sig ]] || exit 1 - [[ -f ./artifact.txt.crt ]] || exit 1 [[ -f ./artifact.txt.sigstore ]] || exit 1 working-directory: ./test/uploaded diff --git a/README.md b/README.md index 986ec30..f6b9bfc 100644 --- a/README.md +++ b/README.md 
@@ -388,29 +388,6 @@ permissions: release-signing-artifacts: true ``` -### `bundle-only` - -**Default**: `false` - -The `bundle-only` setting controls whether or not `sigstore-python` uploads `.crt` -or `.sig` artifacts. - -This setting affects the behavior of the `upload-signing-artifacts` and `release-signing-artifacts` -settings. If neither of those settings are specified, this setting has no effect. - -By default, `.crt` and `.sig` artifacts are uploaded. If enabled, only the `.sigstore` -signing artifact is uploaded. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 - with: - inputs: file.txt - upload-signing-artifacts: true - bundle-only: true -``` - ### Internal options
⚠️ Internal options ⚠️ diff --git a/action.py b/action.py index a791b02..3999362 100755 --- a/action.py +++ b/action.py @@ -190,7 +190,6 @@ def _fatal_help(msg): if artifact is not None: inputs.append(artifact) -bundle_only = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE_ONLY") == "true" for input_ in inputs: # Forbid things that look like flags. This isn't a security boundary; just # a way to prevent (less motivated) users from breaking the action on themselves. @@ -206,10 +205,6 @@ def _fatal_help(msg): # Also upload artifact being signed for. signing_artifact_paths.append(str(file_)) - if not bundle_only and "--certificate" not in sigstore_sign_args: - signing_artifact_paths.append(f"{file_}.crt") - if not bundle_only and "--signature" not in sigstore_sign_args: - signing_artifact_paths.append(f"{file_}.sig") if "--bundle" not in sigstore_sign_args: signing_artifact_paths.append(f"{file_}.sigstore") diff --git a/action.yml b/action.yml index af447ee..e3af429 100644 --- a/action.yml +++ b/action.yml @@ -90,13 +90,6 @@ inputs: description: "attach all signing artifacts as release assets" required: false default: false - bundle-only: - description: | - upload only the Sigstore bundle - - has no effect if `upload-signing-artifacts` or `release-signing-artifacts` is not enabled - required: false - default: false internal-be-careful-debug: description: "run with debug logs (default false)" required: false @@ -131,7 +124,6 @@ runs: GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}" GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}" GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}" - GHA_SIGSTORE_PYTHON_BUNDLE_ONLY: "${{ inputs.bundle-only }}" GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}" shell: bash From 64c04b591e55d3b2c1a1008ac201dc7baed6a0e7 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Sun, 23 Apr 2023 20:21:43 -0600 Subject: [PATCH 2/8] action: handle slashes in ref names (#63) * action: handle slashes in ref names Fixes #62. Signed-off-by: William Woodruff * requirements: bump sigstore Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- action.py | 7 ++++++- requirements.txt | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/action.py b/action.py
index 3999362..d5719e7 100755
--- a/action.py
+++ b/action.py
@@ -62,7 +62,12 @@ def _download_ref_asset(ext):
 repo = os.getenv("GITHUB_REPOSITORY")
 ref = os.getenv("GITHUB_REF")
 
- artifact = Path(f"/tmp/{os.getenv('GITHUB_REF_NAME')}.{ext}")
+ # NOTE: Branch names often have `/` in them (e.g. `feat/some-name`),
+ # which would break the artifact path we construct below.
+ # We "fix" these by lossily replacing all `/` with `-`.
+ ref_name_normalized = os.getenv("GITHUB_REF_NAME").replace("/", "-") 
+ 
+ artifact = Path(f"/tmp/{ref_name_normalized}.{ext}")

 # GitHub supports /:org/:repo/archive/:ref<.tar.gz|.zip>.
 r = requests.get(f"https://github.com/{repo}/archive/{ref}.{ext}", stream=True)
diff --git a/requirements.txt b/requirements.txt
index e99b40c..77f1ad6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
-sigstore ~= 1.1
+sigstore ~= 1.1.2
 requests ~= 2.28
From dbe0a6f6573e77ea08687d37d16aa7e080916c3c Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Mon, 24 Apr 2023 09:15:55 -0600 Subject: [PATCH 3/8] schedule-selftest: init (#66) Signed-off-by: Andrew Pan Co-authored-by: William Woodruff --- .github/workflows/schedule-selftest.yml | 46 +++++++++++++++++++++++++ .github/workflows/selftest.yml | 1 + 2 files changed, 47 insertions(+) create mode 100644 .github/workflows/schedule-selftest.yml
diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml
new file mode 100644
index 0000000..acb05b1
--- /dev/null
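Review bot: On the new `ref_name_normalized = os.getenv("GITHUB_REF_NAME").replace("/", "-")` line, `os.getenv` returns None when the variable is unset, so a missing `GITHUB_REF_NAME` surfaces as an AttributeError on `.replace` rather than as a clear error; `os.environ["GITHUB_REF_NAME"]` (or an explicit `_fatal_help` when the value is None) would name the real problem. The download on the hunk's last context line, `requests.get(f"https://github.com/{repo}/archive/{ref}.{ext}", stream=True)`, passes no `timeout=`, so a stalled connection holds the job until the runner's own limit; a bounded timeout is the usual fix. The fixed `/tmp/{ref_name_normalized}.{ext}` path also means refs that differ only in `/` versus `-` collide, which the comment already calls lossy; writing into a `tempfile.mkdtemp()` directory avoids the collision and the predictable shared-tmp location, and would also work on the Windows runners a later commit in this series adds. `_download_ref_asset` begins and ends outside the hunk.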
+++ b/.github/workflows/schedule-selftest.yml @@ -0,0 +1,46 @@ +name: Scheduled self-test + +on: + schedule: + - cron: '0 12 * * *' # Every day at 1200 UTC + +jobs: + run-selftests: + permissions: + id-token: write + + uses: ./.github/workflows/selftest.yml + open-issue: + permissions: + issues: write + + runs-on: ubuntu-latest + if: ${{ failure() }} + needs: run-selftests + + steps: + - name: Generate issue text + run: | + cat <<- EOF >/tmp/issue.md + ## Self-test failure + + A scheduled test of the workflow has failed. + + This suggests one of three conditions: + * A backwards-incompatible change in a Sigstore component; + * A regression in \`gh-action-sigstore-python\`; + * A transient error. + + The full CI failure can be found here: + + ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/$GITHUB_RUN_ID + EOF + + - name: Open issue + uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4.0.1 + with: + title: "[CI] Self-test failure" + # created in the previous step + content-filepath: /tmp/issue.md + labels: bug + assignees: woodruffw,tetsuo-cpp,tnytown diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 6bcede1..cc1d360 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -6,6 +6,7 @@ on: - main pull_request: workflow_dispatch: + workflow_call: permissions: id-token: write From 0f34eb3f25180842aa03e969b7e804d8a378cb5d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 6 Aug 2023 22:04:54 -0400 Subject: [PATCH 4/8] action: accommodate Windows (#72) * action: accommodate Windows Signed-off-by: William Woodruff * selftest: macOS, Windows Signed-off-by: William Woodruff * selftest: explicit python version Needed for macOS, Windows (probably) Signed-off-by: William Woodruff * action: force bash for action.py invocation as well 
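Review bot: The `open-issue` job files a new issue on every failing daily run, and I don't see a step that checks for an already-open `[CI] Self-test failure` issue before `create-issue-from-file`, so a breakage that persists for a week produces seven duplicate issues. A lookup step that skips the create step when an open issue with that title (or a dedicated label) already exists, or an "update existing issue" mode if the pinned action offers one, would keep the signal to one issue per incident. Pinning the third-party action to a full commit SHA and limiting this job's `permissions` to `issues: write` are the right calls for a workflow that runs on a schedule.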
Signed-off-by: William Woodruff * Revert "action: force bash for action.py invocation as well" This reverts commit 1c3a3327e835230c7d8b36ba9c1705eb8947f4c9. * action: Windows force UTF-8 Signed-off-by: William Woodruff * action: hackety hack Signed-off-by: William Woodruff * action: random delim Signed-off-by: William Woodruff * action: oops Signed-off-by: William Woodruff * selftest: shell: bash Signed-off-by: William Woodruff * ci: loosen python constraint Signed-off-by: William Woodruff * action: use os.urandom Signed-off-by: William Woodruff * action: document random delimiter Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 2 +- .github/workflows/selftest.yml | 13 ++++++++++++- action.py | 20 ++++++++++---------- action.yml | 7 +++++-- 4 files changed, 28 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b05f795..bef3871 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,6 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: - python-version: "3.7" + python-version: "3.x" - name: lint run: make lint diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index cc1d360..06798f2 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -13,16 +13,27 @@ permissions: jobs: selftest: - runs-on: ubuntu-latest + strategy: + matrix: + os: + - ubuntu-latest + - macos-latest + - windows-latest + runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + if: ${{ matrix.os != 'ubuntu-latest' }} + with: + python-version: "3.x" - name: Sign artifact and publish signature uses: ./ id: sigstore-python with: inputs: ./test/artifact.txt - name: Check outputs + shell: bash run: | [[ -f ./test/artifact.txt.sigstore ]] || exit 1 
diff --git a/action.py b/action.py index d5719e7..23044f5 100755 --- a/action.py +++ b/action.py @@ -280,16 +280,16 @@ def _fatal_help(msg): with Path(_github_env).open("a") as gh_env: # Multiline values must match the following syntax: # - # {name}<<{delimiter} - # {value} - # {delimiter} - gh_env.write( - "GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS< Date: Mon, 7 Aug 2023 15:42:34 -0400 Subject: [PATCH 5/8] README: prep 2.0.0 (#73) Signed-off-by: William Woodruff --- README.md | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index f6b9bfc..ce986a7 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v1.2.3 + - uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided. To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file0.txt file1.txt file2.txt ``` @@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: ./path/to/inputs/*.txt ``` @@ -74,7 +74,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -90,7 +90,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt oidc-client-id: alternative-sigstore-id 
@@ -106,7 +106,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret @@ -122,7 +122,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt signature: custom-signature-filename.sig @@ -131,7 +131,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file0.txt file1.txt file2.txt signature: custom-signature-filename.sig @@ -147,7 +147,7 @@ work when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt certificate: custom-certificate-filename.crt @@ -156,7 +156,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file0.txt file1.txt file2.txt certificate: custom-certificate-filename.crt @@ -172,7 +172,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt bundle: custom-bundle.sigstore @@ -181,7 +181,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file0.txt file1.txt file2.txt certificate: custom-bundle.sigstore 
@@ -197,7 +197,7 @@ from. This setting cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt fulcio-url: https://fulcio.sigstage.dev @@ -213,7 +213,7 @@ cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt rekor-url: https://rekor.sigstage.dev @@ -229,7 +229,7 @@ in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt ctfe: ./path/to/ctfe.pub @@ -245,7 +245,7 @@ be used in combination with `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt ctfe: ./path/to/rekor.pub @@ -261,7 +261,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt staging: true @@ -284,7 +284,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt verify: true @@ -307,7 +307,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt verify: true 
@@ -332,7 +332,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt verify: true @@ -354,7 +354,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt upload-signing-artifacts: true @@ -382,7 +382,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v1.2.3 +- uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt release-signing-artifacts: true @@ -409,7 +409,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v1.2.3 + - uses: sigstore/gh-action-sigstore-python@v2.0.0 with: inputs: file.txt internal-be-careful-debug: true From d48c9cd10ebecb37a673110474e7533b904106af Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 7 Aug 2023 23:53:02 -0400 Subject: [PATCH 6/8] feat: more debugging, version printing (#68) Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 10 ++++++++++ action.yml | 2 ++ setup/setup.bash | 9 +++++++++ 3 files changed, 21 insertions(+) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 06798f2..1a2910c 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -32,6 +32,7 @@ jobs: id: sigstore-python with: inputs: ./test/artifact.txt + internal-be-careful-debug: true - name: Check outputs shell: bash run: | @@ -55,6 +56,7 @@ jobs: id: sigstore-python with: inputs: ${{ matrix.input }} + internal-be-careful-debug: true - name: Check failure env: XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} @@ -75,6 +77,7 @@ jobs: with: inputs: ./test/artifact.txt staging: true + internal-be-careful-debug: true - name: Check outputs run: | [[ -f ./test/artifact.txt.sigstore ]] || exit 1 
@@ -90,6 +93,7 @@ jobs: with: inputs: ./test/*.txt staging: true + internal-be-careful-debug: true selftest-upload-artifacts: runs-on: ubuntu-latest @@ -103,6 +107,7 @@ jobs: inputs: ./test/artifact.txt staging: true upload-signing-artifacts: true + internal-be-careful-debug: true - uses: actions/download-artifact@v3 with: name: "signing-artifacts-${{ github.job }}" @@ -127,6 +132,7 @@ jobs: certificate: ./test/custom_certificate.crt bundle: ./test/custom_bundle.sigstore staging: true + internal-be-careful-debug: true - name: Check outputs run: | [[ -f ./test/custom_signature.sig ]] || exit 1 @@ -147,6 +153,7 @@ jobs: verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} verify-oidc-issuer: https://token.actions.githubusercontent.com staging: true + internal-be-careful-debug: true selftest-xfail-verify-missing-options: runs-on: ubuntu-latest @@ -183,6 +190,8 @@ jobs: verify-oidc-issuer: ${{ matrix.config.verify-oidc-issuer }} verify-cert-identity: ${{ matrix.config.verify-cert-identity }} staging: true + internal-be-careful-debug: true + - name: Check failure env: XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} @@ -215,6 +224,7 @@ jobs: inputs: ./test/artifact.txt identity-token: ${{ steps.get-oidc-token.outputs.identity-token }} staging: true + internal-be-careful-debug: true all-selftests-pass: if: always() diff --git a/action.yml b/action.yml index a6fa96a..b20d943 100644 --- a/action.yml +++ b/action.yml @@ -102,6 +102,8 @@ runs: run: | # NOTE: Sourced, not executed as a script. source "${GITHUB_ACTION_PATH}/setup/setup.bash" + env: + GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}" shell: bash - name: Run sigstore-python diff --git a/setup/setup.bash b/setup/setup.bash index 498a8e5..ee645bb 100644 --- a/setup/setup.bash +++ b/setup/setup.bash 
@@ -21,6 +21,15 @@ die() {
 exit 1
 }
 
+debug() {
+ if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG}" = "true" ]]; then
+ echo -e "\033[93mDEBUG: ${1}\033[0m"
+ fi
+} 
+ 
+debug "Python: $(python -V)"
+debug "pip: $(python -m pip --version)" 
+
 # NOTE: This file is meant to be sourced, not executed as a script.
 if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then
 die "Internal error: setup harness was executed instead of being sourced?"
From d260c7bc16e2ef605ee3539b0ab21de9e39bdacc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 10 Aug 2023 11:57:53 -0400 Subject: [PATCH 7/8] selftest: add checks to selftest-glob (#75) --- .github/workflows/selftest.yml | 55 ++++++++++++++++++++++++++++++++++ README.md | 4 +++ action.py | 12 ++++++-- test/another1.txt | 1 + test/another2.txt | 1 + test/subdir/hello1.txt | 0 test/subdir/hello2.txt | 0 test/subdir/hello3.txt | 0 8 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 test/another1.txt create mode 100644 test/another2.txt create mode 100644 test/subdir/hello1.txt create mode 100644 test/subdir/hello2.txt create mode 100644 test/subdir/hello3.txt
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 1a2910c..d213d33 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
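Review bot: `debug "Python: $(python -V)"` and `debug "pip: $(python -m pip --version)"` evaluate their command substitutions before `debug` runs, so both commands execute on every setup even when `GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG` is not `true`, and any failure or noise from them is paid for in non-debug runs too. Test the flag once and only then run the commands, e.g. `if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG}" = "true" ]]; then debug "Python: $(python -V)"; debug "pip: $(python -m pip --version)"; fi`. Inside `debug`, `echo -e` also interprets backslash escapes that happen to be in `${1}`, so `printf '\033[93mDEBUG: %s\033[0m\n' "${1}"` prints the message verbatim while keeping the colouring. Whether the script runs under `set -e`, which would turn a failing substitution into an aborted setup, is not visible in the hunk.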
@@ -94,6 +94,60 @@ jobs: inputs: ./test/*.txt staging: true internal-be-careful-debug: true + - name: Check outputs + run: | + [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 + + selftest-xfail-glob-input-expansion: + runs-on: ubuntu-latest + env: + TEST_DIR: test + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v3 + - name: Sign artifacts and publish signatures + continue-on-error: true + uses: ./ + id: sigstore-python + with: + # This should fail since we should never directly expand ${TEST_DIR}; + # the user should have to pre-expand it for us. + inputs: ./${TEST_DIR}/*.txt + staging: true + internal-be-careful-debug: true + - name: Check failure + env: + XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} + JOB_NAME: ${{ github.job }} + run: | + echo "xfail ${JOB_NAME}: ${XFAIL}" + + [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } + + selftest-glob-multiple: + runs-on: ubuntu-latest + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v3 + - name: Sign artifacts and publish signatures + uses: ./ + id: sigstore-python + with: + inputs: ./test/artifact*.txt ./test/another*.txt ./test/subdir/*.txt + staging: true + internal-be-careful-debug: true + - name: Check outputs + run: | + [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 + [[ -f ./test/another1.txt.sigstore ]] || exit 1 + [[ -f ./test/another2.txt.sigstore ]] || exit 1 + [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1 + [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1 + [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1 selftest-upload-artifacts: runs-on: ubuntu-latest 
@@ -234,6 +288,7 @@ jobs: - selftest-xfail-invalid-inputs - selftest-staging - selftest-glob + - selftest-glob-multiple - selftest-upload-artifacts - selftest-custom-paths - selftest-verify
diff --git a/README.md b/README.md
index ce986a7..962ad80 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,10 @@ The `inputs` argument also supports file globbing:
 inputs: ./path/to/inputs/*.txt
 ```
 
+> [!NOTE]\
+> In versions of this action before 2.0.0, the `inputs` setting allowed for shell expansion.
+> This was unintentional, and was removed with 2.0.0.
+
 ### `identity-token`

 **Default**: Empty (the GitHub Actions credential will be used)
diff --git a/action.py b/action.py
index 23044f5..2374c82 100755
--- a/action.py
+++ b/action.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python

 # Copyright 2022 The Sigstore Authors
 # 
@@ -201,7 +201,15 @@ def _fatal_help(msg):
 if input_.startswith("-"):
 _fatal_help(f"input {input_} looks like a flag")
 
- files = [Path(f).resolve() for f in glob(input_)]
+ # NOTE: We use a set here to deduplicate inputs, in case a glob expands
+ # to the same input multiple times.
+ files = {Path(f).resolve() for f in glob(input_)} 
+ 
+ # Prevent empty glob expansions, rather than silently allowing them.
+ # Either behavior is technically correct but an empty glob indicates
+ # user confusion, so we fail for them.
+ if not files:
+ _fatal_help(f"input {input_} doesn't expand to one or more filenames")

 for file_ in files:
 if not file_.is_file():
diff --git a/test/another1.txt b/test/another1.txt
new file mode 100644
index 0000000..730100b
--- /dev/null
+++ b/test/another1.txt
@@ -0,0 +1 @@
+Another input.
diff --git a/test/another2.txt b/test/another2.txt
new file mode 100644
index 0000000..666e074
--- /dev/null
+++ b/test/another2.txt
@@ -0,0 +1 @@
+Yet another input.
diff --git a/test/subdir/hello1.txt b/test/subdir/hello1.txt
new file mode 100644
index 0000000..e69de29
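Review bot: The `needs` list of `all-selftests-pass` gains `selftest-glob-multiple` but not the other job this commit introduces in the earlier hunk of this file, `selftest-xfail-glob-input-expansion`, so a regression in that expected-failure check (shell expansion of `${TEST_DIR}` quietly coming back) would not block the aggregate job or the branch protection that presumably keys on it. Add `- selftest-xfail-glob-input-expansion` next to the new entry. The `all-selftests-pass` job itself begins and ends outside the hunk.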
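Review bot: Changing `files` from a list to a set on the `files = {Path(f).resolve() for f in glob(input_)}` line deduplicates as intended, but the following `for file_ in files:` loop now iterates in set order, which for Path objects depends on per-process string hashing, so the order in which inputs are signed and in which their artifact paths are collected can differ from run to run. `files = sorted({Path(f).resolve() for f in glob(input_)})` keeps the deduplication and restores a stable, reproducible order. The new empty-glob check is a good addition: previously an input naming a nonexistent file expanded to nothing and was silently skipped, whereas it now fails with a message that names the input. The enclosing `for input_ in inputs:` loop begins and ends outside the hunk.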
diff --git a/test/subdir/hello2.txt b/test/subdir/hello2.txt new file mode 100644 index 0000000..e69de29 diff --git a/test/subdir/hello3.txt b/test/subdir/hello3.txt new file mode 100644 index 0000000..e69de29 From 9310933b45d7dfc2fe40c1d701ac114548c28d31 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 10 Aug 2023 15:04:14 -0400 Subject: [PATCH 8/8] README: prep 2.0.1 (#78) Signed-off-by: William Woodruff --- README.md | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 962ad80..ce17a51 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v2.0.0 + - uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided. To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file0.txt file1.txt file2.txt ``` @@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: ./path/to/inputs/*.txt ``` @@ -78,7 +78,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -94,7 +94,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt oidc-client-id: alternative-sigstore-id 
@@ -110,7 +110,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret @@ -126,7 +126,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt signature: custom-signature-filename.sig @@ -135,7 +135,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file0.txt file1.txt file2.txt signature: custom-signature-filename.sig @@ -151,7 +151,7 @@ work when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt certificate: custom-certificate-filename.crt @@ -160,7 +160,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file0.txt file1.txt file2.txt certificate: custom-certificate-filename.crt @@ -176,7 +176,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt bundle: custom-bundle.sigstore @@ -185,7 +185,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file0.txt file1.txt file2.txt certificate: custom-bundle.sigstore 
@@ -201,7 +201,7 @@ from. This setting cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt fulcio-url: https://fulcio.sigstage.dev @@ -217,7 +217,7 @@ cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt rekor-url: https://rekor.sigstage.dev @@ -233,7 +233,7 @@ in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt ctfe: ./path/to/ctfe.pub @@ -249,7 +249,7 @@ be used in combination with `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt ctfe: ./path/to/rekor.pub @@ -265,7 +265,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt staging: true @@ -288,7 +288,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt verify: true @@ -311,7 +311,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt verify: true 
@@ -336,7 +336,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt verify: true @@ -358,7 +358,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt upload-signing-artifacts: true @@ -386,7 +386,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v2.0.0 +- uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt release-signing-artifacts: true @@ -413,7 +413,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v2.0.0 + - uses: sigstore/gh-action-sigstore-python@v2.0.1 with: inputs: file.txt internal-be-careful-debug: true