From 3548791113e7d811f9d8c4ef8d738bf7f46b15e1 Mon Sep 17 00:00:00 2001
From: Andrew Pan <3821575+tnytown@users.noreply.github.com>
Date: Thu, 23 Mar 2023 14:15:44 -0500
Subject: [PATCH 1/4] action: upload artifact being signed for (#55)
* action: upload artifact being signed for
Signed-off-by: Andrew Pan
* workflows/selftest: confirm presence of artifacts
Signed-off-by: Andrew Pan
---------
Signed-off-by: Andrew Pan
---
.github/workflows/selftest.yml | 11 +++++++++++
action.py | 4 ++++
2 files changed, 15 insertions(+)
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 5c829b0..573a69e 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -95,6 +95,17 @@ jobs:
inputs: ./test/artifact.txt
staging: true
upload-signing-artifacts: true
+ - uses: actions/download-artifact@v3
+ with:
+ name: "signing-artifacts-${{ github.job }}"
+ path: ./test/uploaded
+ - name: Verify presence of uploaded files
+ run: |
+ [[ -f ./artifact.txt ]] || exit 1
+ [[ -f ./artifact.txt.sig ]] || exit 1
+ [[ -f ./artifact.txt.crt ]] || exit 1
+ [[ -f ./artifact.txt.sigstore ]] || exit 1
+ working-directory: ./test/uploaded
selftest-custom-paths:
runs-on: ubuntu-latest
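Review bot: The "Verify presence of uploaded files" step only checks that the four files exist, so a regression that uploads an empty or wrong `artifact.txt` would still pass; since the point of this commit is that the artifact being signed is uploaded next to its signing artifacts, the step should also confirm the uploaded copy is byte-identical to the input, e.g. add `cmp -s ./artifact.txt ../artifact.txt || exit 1` (the step's working-directory is `./test/uploaded` and the input is `./test/artifact.txt`). The `[[ ... ]]` tests depend on bash, which is the default `run` shell on `ubuntu-latest`, so they are fine as written but would break if a `shell:` override were added later. `actions/download-artifact@v3` is pinned to a floating major tag; for supply-chain hygiene a full commit SHA pin (`actions/download-artifact@<commit-sha> # v3`) is preferable if the repository adopts that convention elsewhere. The `selftest-custom-paths` job that follows is outside this hunk.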
diff --git a/action.py b/action.py
index 71ee386..43e8db3 100755
--- a/action.py
+++ b/action.py
@@ -200,6 +200,10 @@ def _fatal_help(msg):
for file_ in files:
if not file_.is_file():
_fatal_help(f"input {file_} does not look like a file")
+
+ # Also upload artifact being signed for.
+ signing_artifact_paths.append(file_)
+
if not bundle_only and "--certificate" not in sigstore_sign_args:
signing_artifact_paths.append(f"{file_}.crt")
if not bundle_only and "--signature" not in sigstore_sign_args:
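Review bot: `file_` is a `Path` here (it is tested with `.is_file()` two lines above), while every other element of `signing_artifact_paths` is a `str` built from an f-string, so the appended entry has a different type from its neighbours; the next commit in this series ([PATCH 2/4]) changes the line to `signing_artifact_paths.append(str(file_))`, and that fix would be better folded into this commit. The append also sits directly after `_fatal_help(...)`: if that helper does not terminate the process (its name suggests it does, but its body is not in the hunk), a non-file input would still be queued for upload, so the comment could say `# Also upload the artifact being signed for; reached only for inputs that passed the is_file() check above.` The `for file_ in files:` loop body continues past the end of the hunk.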
From b71bf555b8ab1eebf19f9661c054041c170689c5 Mon Sep 17 00:00:00 2001
From: Andrew Pan <3821575+tnytown@users.noreply.github.com>
Date: Thu, 23 Mar 2023 14:28:38 -0500
Subject: [PATCH 2/4] action: stringify `file_` (#57)
Signed-off-by: Andrew Pan
---
action.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.py b/action.py
index 43e8db3..3da8474 100755
--- a/action.py
+++ b/action.py
@@ -202,7 +202,7 @@ def _fatal_help(msg):
_fatal_help(f"input {file_} does not look like a file")
# Also upload artifact being signed for.
- signing_artifact_paths.append(file_)
+ signing_artifact_paths.append(str(file_))
if not bundle_only and "--certificate" not in sigstore_sign_args:
signing_artifact_paths.append(f"{file_}.crt")
From b8ab929e350f8ee7963107d00f9da24c1e310d63 Mon Sep 17 00:00:00 2001
From: Andrew Pan <3821575+tnytown@users.noreply.github.com>
Date: Thu, 23 Mar 2023 15:01:11 -0500
Subject: [PATCH 3/4] Makefile, action: lint with mypy + resolve lints (#58)
Signed-off-by: Andrew Pan
---
Makefile | 8 +++++---
action.py | 37 +++++++++++++++++++++----------------
dev-requirements.txt | 2 ++
3 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/Makefile b/Makefile
index 26b6ff4..8b88c26 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,8 @@ dev: env/pyvenv.cfg
.PHONY: lint
lint: env/pyvenv.cfg action.py
- ./env/bin/python -m black action.py
- ./env/bin/python -m isort action.py
- ./env/bin/python -m flake8 --max-line-length 100 action.py
+ . ./env/bin/activate && \
+ black action.py && \
+ isort action.py && \
+ mypy action.py && \
+ flake8 --max-line-length 100 action.py
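Review bot: The target is named `lint`, but the new recipe still lets `black action.py` and `isort action.py` rewrite the file in place rather than report, so a `make lint` run (in CI or a hook, if that is where it is used) silently reformats instead of failing; if the target is meant as a check, `black --check action.py && \` and `isort --check-only action.py && \` make it fail loudly, and the in-place form can live under a separate `fmt` target. Sourcing `activate` once at the head of a single `&&` chain is the right shape here, because make runs each recipe line in its own shell, so splitting the chain across lines would lose the venv for the later tools. `mypy action.py` is run without a config file or `--strict`, so only default checks apply; a short comment naming the intended strictness would help the next person who tightens it.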
diff --git a/action.py b/action.py
index 3da8474..3a82cf2 100755
--- a/action.py
+++ b/action.py
@@ -31,7 +31,10 @@
_HERE = Path(__file__).parent.resolve()
_TEMPLATES = _HERE / "templates"
-_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a")
+_summary_path = os.getenv("GITHUB_STEP_SUMMARY")
+assert _summary_path is not None
+_SUMMARY = Path(_summary_path).open("a")
+
_RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true"
_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false"
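Review bot: `assert _summary_path is not None` is used to narrow the type for mypy, but `assert` statements are stripped when Python runs with `-O`, in which case a missing `GITHUB_STEP_SUMMARY` reaches `Path(None)` and fails with a less informative `TypeError`; an explicit check such as `if _summary_path is None: raise RuntimeError("GITHUB_STEP_SUMMARY is not set")` narrows the type for mypy just as well and keeps the error under `-O`. The same applies to the `assert _github_env is not None` added for `GITHUB_ENV` in the later hunk of this file. Both variables appear to be supplied by the GitHub Actions runner, so a comment such as `# Provided by the Actions runner; absent only when the script runs outside Actions.` would make clear that the check guards misuse rather than an expected failure path.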
@@ -117,49 +120,49 @@ def _fatal_help(msg):
sigstore_python_env["SIGSTORE_LOGLEVEL"] = "DEBUG"
identity_token = os.getenv("GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN")
-if identity_token != "":
+if identity_token:
sigstore_sign_args.extend(["--identity-token", identity_token])
client_id = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID")
-if client_id != "":
+if client_id:
sigstore_sign_args.extend(["--oidc-client-id", client_id])
client_secret = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET")
-if client_secret != "":
+if client_secret:
sigstore_sign_args.extend(["--oidc-client-secret", client_secret])
signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE")
-if signature != "":
+if signature:
sigstore_sign_args.extend(["--signature", signature])
sigstore_verify_args.extend(["--signature", signature])
signing_artifact_paths.append(signature)
certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE")
-if certificate != "":
+if certificate:
sigstore_sign_args.extend(["--certificate", certificate])
sigstore_verify_args.extend(["--certificate", certificate])
signing_artifact_paths.append(certificate)
bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE")
-if bundle != "":
+if bundle:
sigstore_sign_args.extend(["--bundle", bundle])
sigstore_verify_args.extend(["--bundle", bundle])
signing_artifact_paths.append(bundle)
fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL")
-if fulcio_url != "":
+if fulcio_url:
sigstore_sign_args.extend(["--fulcio-url", fulcio_url])
rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL")
-if rekor_url != "":
+if rekor_url:
sigstore_global_args.extend(["--rekor-url", rekor_url])
ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE")
-if ctfe != "":
+if ctfe:
sigstore_sign_args.extend(["--ctfe", ctfe])
rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY")
-if rekor_root_pubkey != "":
+if rekor_root_pubkey:
sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
@@ -170,7 +173,7 @@ def _fatal_help(msg):
_fatal_help("verify-cert-identity must be specified when verify is enabled")
elif not enable_verify and verify_cert_identity:
_fatal_help("verify-cert-identity cannot be specified without verify: true")
-else:
+elif verify_cert_identity:
sigstore_verify_args.extend(["--cert-identity", verify_cert_identity])
verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER")
@@ -178,7 +181,7 @@ def _fatal_help(msg):
_fatal_help("verify-oidc-issuer must be specified when verify is enabled")
elif not enable_verify and verify_oidc_issuer:
_fatal_help("verify-oidc-issuer cannot be specified without verify: true")
-else:
+elif verify_oidc_issuer:
sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])
if os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS") == "true":
@@ -211,8 +214,8 @@ def _fatal_help(msg):
if "--bundle" not in sigstore_sign_args:
signing_artifact_paths.append(f"{file_}.sigstore")
- sigstore_sign_args.extend(files)
- sigstore_verify_args.extend(files)
+ sigstore_sign_args.extend([str(f) for f in files])
+ sigstore_verify_args.extend([str(f) for f in files])
_debug(f"signing: sigstore-python {[str(a) for a in sigstore_sign_args]}")
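Review bot: The `_debug(...)` line directly below the changed `extend` calls prints the whole of `sigstore_sign_args`, and earlier in this file that list receives the raw values passed with `--identity-token` and `--oidc-client-secret`, so with `GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG` enabled the identity token and client secret are written to the workflow log; GitHub masks values registered as repository secrets, but a token minted at runtime is not necessarily masked. Since this hunk already touches how the arguments are rendered, a redacting variant of the debug dump — substituting a placeholder for the value that follows `--identity-token` or `--oidc-client-secret` before formatting — would be a cheap improvement, and a comment on the line such as `# NOTE: the arg list may contain credentials; keep the debug dump redacted.` would record the constraint. The `_debug` helper itself is outside the hunk, so whether it already redacts cannot be confirmed here.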
@@ -273,7 +276,9 @@ def _fatal_help(msg):
#
# In GitHub Actions, environment variables can be made to persist across
# workflow steps by appending to the file at `GITHUB_ENV`.
-with Path(os.getenv("GITHUB_ENV")).open("a") as gh_env:
+_github_env = os.getenv("GITHUB_ENV")
+assert _github_env is not None
+with Path(_github_env).open("a") as gh_env:
# Multiline values must match the following syntax:
#
# {name}<<{delimiter}
diff --git a/dev-requirements.txt b/dev-requirements.txt
index f086aa4..e3da308 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -1,3 +1,5 @@
flake8
isort
black
+mypy
+types-requests
From fd04d371f70269671a4bfa57b7f5ea4ce5697678 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 24 Mar 2023 02:49:01 -0400
Subject: [PATCH 4/4] README: prep 1.2.2 (#59)
Signed-off-by: William Woodruff
---
README.md | 48 ++++++++++++++++++++++++------------------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/README.md b/README.md
index b046a36..5627bc3 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ jobs:
- uses: actions/checkout@v3
- name: install
run: python -m pip install .
- - uses: sigstore/gh-action-sigstore-python@v1.2.1
+ - uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
```
@@ -53,7 +53,7 @@ provided.
To sign one or more files:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file0.txt file1.txt file2.txt
```
@@ -61,7 +61,7 @@ To sign one or more files:
The `inputs` argument also supports file globbing:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: ./path/to/inputs/*.txt
```
@@ -74,7 +74,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
workflow will use the credentials found in the GitHub Actions environment.
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere
@@ -90,7 +90,7 @@ Server during OAuth2.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
oidc-client-id: alternative-sigstore-id
@@ -106,7 +106,7 @@ Connect Server during OAuth2.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
oidc-client-secret: alternative-sigstore-secret
@@ -122,7 +122,7 @@ when signing multiple input files.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
signature: custom-signature-filename.sig
@@ -131,7 +131,7 @@ Example:
However, this example is invalid:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file0.txt file1.txt file2.txt
signature: custom-signature-filename.sig
@@ -147,7 +147,7 @@ work when signing multiple input files.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
certificate: custom-certificate-filename.crt
@@ -156,7 +156,7 @@ Example:
However, this example is invalid:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file0.txt file1.txt file2.txt
certificate: custom-certificate-filename.crt
@@ -172,7 +172,7 @@ when signing multiple input files.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
bundle: custom-bundle.sigstore
@@ -181,7 +181,7 @@ Example:
However, this example is invalid:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file0.txt file1.txt file2.txt
certificate: custom-bundle.sigstore
@@ -197,7 +197,7 @@ from. This setting cannot be used in combination with the `staging` setting.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
fulcio-url: https://fulcio.sigstage.dev
@@ -213,7 +213,7 @@ cannot be used in combination with the `staging` setting.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
rekor-url: https://rekor.sigstage.dev
@@ -229,7 +229,7 @@ in combination with the `staging` setting.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
ctfe: ./path/to/ctfe.pub
@@ -245,7 +245,7 @@ be used in combination with `staging` setting.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
ctfe: ./path/to/rekor.pub
@@ -261,7 +261,7 @@ instead of the default production instances.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
staging: true
@@ -284,7 +284,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
verify: true
@@ -307,7 +307,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
Supplying it without `verify-oidc-issuer` will produce an error.
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
verify: true
@@ -332,7 +332,7 @@ Supplying it without `verify-cert-identity` will produce an error.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
verify: true
@@ -354,7 +354,7 @@ workflow artifact retention period is used.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
upload-signing-artifacts: true
@@ -382,7 +382,7 @@ permissions:
# ...
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
release-signing-artifacts: true
@@ -404,7 +404,7 @@ signing artifact is uploaded.
Example:
```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.1
+- uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
upload-signing-artifacts: true
@@ -432,7 +432,7 @@ Example:
Example:
```yaml
- - uses: sigstore/gh-action-sigstore-python@v1.2.1
+ - uses: sigstore/gh-action-sigstore-python@v1.2.2
with:
inputs: file.txt
internal-be-careful-debug: true