From 8f4df93a5ae38b4246c41681433c9b3a4353274e Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 9 Jan 2024 11:28:15 -0500
Subject: [PATCH 01/15] add dependabot config (#101)

Signed-off-by: William Woodruff
---
 .github/dependabot.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ae42f1d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+ open-pull-requests-limit: 99
+ rebase-strategy: "disabled"
+ groups:
+ actions:
+ patterns:
+ - "*"
From afe705fa678a2a20c4fc7cb2de62fd1788a66f80 Mon Sep 17 00:00:00 2001
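Review bot: The `actions` group whose `patterns` entry is the single wildcard `"*"` folds every GitHub Actions bump, majors included, into one PR, so a major bump of an action this composite action runs on behalf of its consumers (`actions/upload-artifact` in `action.yml`, bumped in the very next patch on this page) arrives bundled with unrelated workflow-only changes and is easy to wave through. Dependabot groups accept an `update-types` filter; adding `update-types: ["minor", "patch"]` under `actions:` keeps each major bump in its own reviewable PR while still batching the rest. Separately, Dependabot only maintains the pin style it finds: `.github/workflows/schedule-selftest.yml` already uses the `@<sha> # vX.Y.Z` form, while the other workflows reference actions by mutable major tags (`actions/checkout@v3`, `actions/setup-python@v4`); for a signing action used in release pipelines it is worth aligning those to SHA pins now that Dependabot will keep them current.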
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:40:39 -0500 Subject: [PATCH 02/15] build(deps): bump the actions group with 4 updates (#102) Bumps the actions group with 4 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/checkout](https://github.com/actions/checkout), [actions/setup-python](https://github.com/actions/setup-python) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `actions/upload-artifact` from 3 to 4 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) Updates `actions/checkout` from 3 to 4 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) Updates `actions/setup-python` from 4 to 5 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4...v5) Updates `actions/download-artifact` from 3 to 4 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/selftest.yml | 26 +++++++++++++------------- .github/workflows/semgrep.yml | 2 +- action.yml | 2 +- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bef3871..7fe68e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,8 +10,8 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 with: python-version: "3.x" - name: lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3183fc3..70297e2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: sign uses: ./ diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index d213d33..44496c2 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -22,8 +22,8 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -49,7 +49,7 @@ jobs: - "/tmp/extremely-nonexistent-file" if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature continue-on-error: true uses: ./ 
@@ -70,7 +70,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -86,7 +86,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python @@ -106,7 +106,7 @@ jobs: TEST_DIR: test if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifacts and publish signatures continue-on-error: true uses: ./ @@ -130,7 +130,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python @@ -153,7 +153,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -162,7 +162,7 @@ jobs: staging: true upload-signing-artifacts: true internal-be-careful-debug: true - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 with: name: "signing-artifacts-${{ github.job }}" path: ./test/uploaded @@ -176,7 +176,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature uses: ./ id: sigstore-python 
@@ -197,7 +197,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -233,7 +233,7 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sign artifact and publish signature continue-on-error: true uses: ./ @@ -259,7 +259,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Get OIDC token id: get-oidc-token run: | diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 08e15a6..1df680c 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -18,5 +18,5 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: semgrep ci diff --git a/action.yml b/action.yml index b20d943..70a8702 100644 --- a/action.yml +++ b/action.yml @@ -132,7 +132,7 @@ runs: GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}" shell: bash - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 if: inputs.upload-signing-artifacts == 'true' with: name: "signing-artifacts-${{ github.job }}" From b3690e3a279c94669b1e9e4e1e29317cdc7a52d5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 10 Jan 2024 10:27:16 -0500 Subject: [PATCH 03/15] Fix `release-signing-artifacts` behavior and docs (#103) * action: don't attempt to download artifacts on non-releases Signed-off-by: William Woodruff * README: clarify release-signing-artifacts behavior Signed-off-by: William Woodruff * add another selftest Signed-off-by: William Woodruff --------- 
Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 30 ++++++++++++++++++++++++++++++ README.md | 1 + action.py | 7 ++++++- 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 44496c2..5d95868 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -38,6 +38,35 @@ jobs: run: | [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + selftest-release-signing-artifacts-no-op: + strategy: + matrix: + os: + - ubuntu-latest + - macos-latest + - windows-latest + runs-on: ${{ matrix.os }} + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + if: ${{ matrix.os != 'ubuntu-latest' }} + with: + python-version: "3.x" + - name: Sign artifact and publish signature + uses: ./ + id: sigstore-python + with: + inputs: ./test/artifact.txt + # The trigger for this test is not a release, so this has no effect + # (but does not break the workflow either). + release-signing-artifacts: true + internal-be-careful-debug: true + - name: Check outputs + shell: bash + run: | + [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + selftest-xfail-invalid-inputs: runs-on: ubuntu-latest strategy: @@ -285,6 +314,7 @@ jobs: needs: - selftest + - selftest-release-signing-artifacts-no-op - selftest-xfail-invalid-inputs - selftest-staging - selftest-glob diff --git a/README.md b/README.md index 6260d5e..8207783 100644 --- a/README.md +++ b/README.md @@ -370,6 +370,7 @@ Example: The `release-signing-artifacts` setting controls whether or not `sigstore-python` uploads signing artifacts to the release publishing event that triggered this run. +This setting has no effect on non-`release` events. If enabled, this setting also re-uploads and signs GitHub's default source code artifacts, as they are not guaranteed to be stable. 
diff --git a/action.py b/action.py index 2374c82..7e80319 100755 --- a/action.py +++ b/action.py @@ -38,6 +38,11 @@ _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" _DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" +_RELEASE_SIGNING_ARTIFACTS = ( + os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true" + and os.getenv("GITHUB_EVENT_NAME") == "release" +) + def _template(name): path = _TEMPLATES / f"{name}.md" @@ -189,7 +194,7 @@ def _fatal_help(msg): elif verify_oidc_issuer: sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer]) -if os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS") == "true": +if _RELEASE_SIGNING_ARTIFACTS: for filetype in ["zip", "tar.gz"]: artifact = _download_ref_asset(filetype) if artifact is not None: From faa37e30f2b57e3b724df1290c18033034bae42c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 10 Jan 2024 23:08:04 -0500 Subject: [PATCH 04/15] action: use shlex.split (#104) * action: use shlex.split Closes #77. Signed-off-by: William Woodruff * whitespace selftests Signed-off-by: William Woodruff * document `inputs` a bit more Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 32 ++++++++++++++++++++++++++++++++ README.md | 12 ++++++++++++ action.py | 7 ++----- test/more white space.txt | 1 + test/white space.txt | 1 + 5 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 test/more white space.txt create mode 100644 test/white space.txt diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 5d95868..c511733 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
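Review bot: `_RELEASE_SIGNING_ARTIFACTS` gates only on `GITHUB_EVENT_NAME == "release"`, whereas the upload step in `action.yml` (visible in a later hunk on this page) additionally requires `github.event.action == 'published'`; on a `release` event with another action (created, edited, prereleased) the second hunk still downloads and signs the source archives, but nothing uploads the resulting signatures, so the network calls and signing happen with no effect. Either narrow the condition the same way, e.g. by passing `github.event.action` through the `env:` block in `action.yml` and checking it here (the payload at `GITHUB_EVENT_PATH` also carries it), or document the asymmetry on the constant with `# NOTE: true for any release action; action.yml only uploads on 'published'`. `_download_ref_asset` and the loop body continue outside the hunk.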
@@ -38,6 +38,37 @@ jobs: run: | [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + selftest-whitespace: + strategy: + matrix: + os: + - ubuntu-latest + - macos-latest + - windows-latest + runs-on: ${{ matrix.os }} + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + if: ${{ matrix.os != 'ubuntu-latest' }} + with: + python-version: "3.x" + - name: Sign artifact and publish signature + uses: ./ + id: sigstore-python + with: + inputs: | + ./test/artifact.txt + ./test/white\ space.txt + ./test/"more white space.txt" + internal-be-careful-debug: true + - name: Check outputs + shell: bash + run: | + [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/white\ space.txt ]] || exit 1 + [[ -f ./test/more\ white\ space.txt ]] || exit 1 + selftest-release-signing-artifacts-no-op: strategy: matrix: @@ -314,6 +345,7 @@ jobs: needs: - selftest + - selftest-whitespace - selftest-release-signing-artifacts-no-op - selftest-xfail-invalid-inputs - selftest-staging diff --git a/README.md b/README.md index 8207783..d278aa1 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,18 @@ The `inputs` argument also supports file globbing: inputs: ./path/to/inputs/*.txt ``` +Multiple lines are fine, and whitespace in filenames can also be escaped using +POSIX shell lexing rules: + +```yaml +- uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: | + ./path/to/inputs/*.txt + ./another/path/foo\ bar.txt + ./a/third/path/"easier to quote than to escape".txt +``` + > [!NOTE]\ > In versions of this action before 2.0.0, the `inputs` setting allowed for shell expansion. > This was unintentional, and was removed with 2.0.0. diff --git a/action.py b/action.py index 7e80319..49aa126 100755 --- a/action.py +++ b/action.py @@ -20,6 +20,7 @@ # is a whitespace-separated list of inputs import os +import shlex import string import subprocess import sys 
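Review bot: The last two checks in `selftest-whitespace` test the wrong files: `[[ -f ./test/white\ space.txt ]]` and `[[ -f ./test/more\ white\ space.txt ]]` only assert that the checked-out inputs exist, which is already true before the action runs, so the job passes even if the whitespace filenames were mangled by the new lexer and never signed. They should look for the produced bundles, as the first check does: `[[ -f ./test/white\ space.txt.sigstore ]] || exit 1` and `[[ -f ./test/more\ white\ space.txt.sigstore ]] || exit 1`. The `.sigstore.json` rename hunk in patch 10 later on this page leaves these two lines untouched, so the gap persists there as well.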
@@ -100,16 +101,12 @@ def _sigstore_verify(global_args, verify_args): ] -def _warning(msg): - print(f"::warning::⚠️ {msg}") - - def _fatal_help(msg): print(f"::error::❌ {msg}") sys.exit(1) -inputs = sys.argv[1].split() +inputs = shlex.split(sys.argv[1]) # The arguments we pass into `sigstore-python` get built up in these lists. sigstore_global_args = [] diff --git a/test/more white space.txt b/test/more white space.txt new file mode 100644 index 0000000..bb26104 --- /dev/null +++ b/test/more white space.txt @@ -0,0 +1 @@ +This is another input with a whitespace filename. diff --git a/test/white space.txt b/test/white space.txt new file mode 100644 index 0000000..73b58e6 --- /dev/null +++ b/test/white space.txt @@ -0,0 +1 @@ +This input has a filename with whitespace in it. From bd901157b951b248d124a111d4ed32a264cf408d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 24 Jan 2024 23:29:20 -0500 Subject: [PATCH 05/15] action: allow `**` globs (#106) Signed-off-by: William Woodruff --- action.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.py b/action.py index 49aa126..c721f6b 100755 --- a/action.py +++ b/action.py @@ -205,7 +205,7 @@ def _fatal_help(msg): # NOTE: We use a set here to deduplicate inputs, in case a glob expands # to the same input multiple times. - files = {Path(f).resolve() for f in glob(input_)} + files = {Path(f).resolve() for f in glob(input_, recursive=True)} # Prevent empty glob expansions, rather than silently allowing them. # Either behavior is technically correct but an empty glob indicates From 8579d4832209d59081f278b17073a30dffc5da9a Mon Sep 17 00:00:00 2001 
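Review bot: `shlex.split(sys.argv[1])` always lexes in POSIX mode, so a backslash outside quotes is an escape character on every host; on the `windows-latest` runners the selftests target, an input such as `.\dist\pkg.whl` (constructed example) would be silently rewritten to `.distpkg.whl` and presumably then rejected as an empty glob, or worse match a different file. The selftests only use forward slashes, so they do not exercise this. Worth a comment on the call, `# POSIX lexing on every platform: backslashes escape, so Windows paths need forward slashes or quoting`, plus a matching sentence in the README's new `inputs` paragraph, which currently describes the rules only as POSIX shell lexing. The removal of `_warning` looks safe provided it has no remaining callers outside the hunk.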
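Review bot: `recursive=True` enables `**` matching but this patch touches only `action.py`; the README section that introduces globbing (`inputs: ./path/to/inputs/*.txt`, shown in an earlier patch on this page) does not mention `**`, so the feature is undocumented. Also, `glob` returns matching directories as well as files, and with `**` a pattern like `./dist/**` (constructed) now matches subdirectories too; whether `files` is later filtered to regular files is not visible in this hunk, so either an `is_file()` filter or a comment stating the expectation, `# NOTE: ** also matches directories; presumably patterns are expected to name files`, would make the contract explicit. The enclosing loop starts outside the hunk.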
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 15:38:11 -0500 Subject: [PATCH 06/15] build(deps): bump the actions group with 1 update (#107) Bumps the actions group with 1 update: [peter-evans/create-issue-from-file](https://github.com/peter-evans/create-issue-from-file). Updates `peter-evans/create-issue-from-file` from 4.0.1 to 5.0.0 - [Release notes](https://github.com/peter-evans/create-issue-from-file/releases) - [Commits](https://github.com/peter-evans/create-issue-from-file/compare/433e51abf769039ee20ba1293a088ca19d573b7f...24452a72d85239eacf1468b0f1982a9f3fec4c94) --- updated-dependencies: - dependency-name: peter-evans/create-issue-from-file dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/schedule-selftest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index acb05b1..31acf2f 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -37,7 +37,7 @@ jobs: EOF - name: Open issue - uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4.0.1 + uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0 with: title: "[CI] Self-test failure" # created in the previous step From 08a568c3d1b0d7483cb913510a741887d37c57e0 Mon Sep 17 00:00:00 2001 From: Jean-Christophe Morin <38703886+JeanChristopheMorinPerso@users.noreply.github.com> Date: Fri, 23 Feb 2024 18:06:53 -0500 Subject: [PATCH 07/15] Allow empty inputs with release artifacts (#110) * Make inputs optional on releases if release-signing-artifacts is set to true Signed-off-by: Jean-Christophe Morin * Add basic .gitignore to ignore venv 
Signed-off-by: Jean-Christophe Morin * Make behavior more explicit Signed-off-by: Jean-Christophe Morin --------- Signed-off-by: Jean-Christophe Morin --- .gitignore | 1 + README.md | 18 +++++++++++++++++- action.py | 10 +++++++++- action.yml | 2 +- 4 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ae412d6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +env/ \ No newline at end of file diff --git a/README.md b/README.md index d278aa1..1639198 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ optional. ### `inputs` The `inputs` setting controls what files `sigstore-python` signs. At least one input must be -provided. +provided unless [release-signing-artifacts](#release-signing-artifacts) is set to `true` on release events. To sign one or more files: @@ -405,6 +405,22 @@ permissions: release-signing-artifacts: true ``` +On release events, it is also valid to have no explicit inputs. When used on release +events with `release-signing-artifacts: true`, this action will sign any pre-existing +release artifacts: + +```yaml +permissions: + contents: write + +# ... + +- uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + # Only valid on release events + release-signing-artifacts: true +``` + ### Internal options
⚠️ Internal options ⚠️ diff --git a/action.py b/action.py index c721f6b..0e7ec00 100755 --- a/action.py +++ b/action.py @@ -106,7 +106,15 @@ def _fatal_help(msg): sys.exit(1) -inputs = shlex.split(sys.argv[1]) +# Allow inputs to be empty if the event type is release and release-signing-artifacts is +# set to true. This allows projects without artifacts to still sign the source +# archives in their releases. +inputs = shlex.split(sys.argv[1]) if len(sys.argv) == 2 else [] +if not inputs and not _RELEASE_SIGNING_ARTIFACTS: + _fatal_help( + "inputs must be specified when release-signing-artifacts is disabled " + "and the event type is not release" + ) # The arguments we pass into `sigstore-python` get built up in these lists. sigstore_global_args = [] diff --git a/action.yml b/action.yml index 70a8702..05bc508 100644 --- a/action.yml +++ b/action.yml @@ -18,7 +18,7 @@ description: "Use sigstore-python to sign Python packages" inputs: inputs: description: "the files to sign, whitespace separated" - required: true + required: false default: "" identity-token: description: "the OIDC identity token to use" From 4dde77f8178a041d4cd24f34a5624231b525513d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 15:44:36 -0500 Subject: [PATCH 08/15] build(deps): bump the actions group with 1 update (#111) Bumps the actions group with 1 update: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 1 to 2 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... 
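Review bot: The new error message does not match the condition that raises it: `_fatal_help` fires when `not inputs and not _RELEASE_SIGNING_ARTIFACTS`, and `_RELEASE_SIGNING_ARTIFACTS` is true only when the setting is enabled and the event is `release`, so the failing case is "disabled or not a release event"; a user on a `push` with `release-signing-artifacts: true` is told the setting is disabled. Suggested wording: `"inputs must be specified unless release-signing-artifacts is enabled and the event type is release"`. Separately, `len(sys.argv) == 2` silently discards every input when extra positional arguments are present rather than rejecting them; `shlex.split(sys.argv[1]) if len(sys.argv) > 1 else []` (or an explicit argc check via `_fatal_help`) would be less surprising.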
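Review bot: Flipping `required: false` on `inputs` leaves its `description` ("the files to sign, whitespace separated") unchanged, so the action metadata neither says when the input may be omitted nor that it is lexed with POSIX shell quoting rules since an earlier patch on this page. Suggest `description: "the files to sign (POSIX shell lexing rules); may be empty on release events when release-signing-artifacts is true"`.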
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 05bc508..efa157b 100644 --- a/action.yml +++ b/action.yml @@ -138,7 +138,7 @@ runs: name: "signing-artifacts-${{ github.job }}" path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" - - uses: softprops/action-gh-release@v1 + - uses: softprops/action-gh-release@v2 if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published' with: files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" From 26de7459ab0625282c11ecbcf6e65941b2886b09 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 7 Jun 2024 15:19:05 -0400 Subject: [PATCH 09/15] schedule-selftest: reduce nagging (#134) Signed-off-by: William Woodruff --- .github/workflows/schedule-selftest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index 31acf2f..b5f43e9 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -43,4 +43,4 @@ jobs: # created in the previous step content-filepath: /tmp/issue.md labels: bug - assignees: woodruffw,tetsuo-cpp,tnytown + assignees: woodruffw From 94661007ff419d4795b935732494905162e79738 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 17 Jun 2024 10:18:13 -0400 Subject: [PATCH 10/15] requirements: sigstore ~3.0 (#140) * requirements: sigstore ~3.0 Signed-off-by: William Woodruff * selftest: update filenames Signed-off-by: William Woodruff * action: update another path Signed-off-by: William Woodruff * action: remove deprecated settings Signed-off-by: William Woodruff * README: remove old docs Signed-off-by: William Woodruff --------- 
Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 32 ++++++++--------- README.md | 64 ---------------------------------- action.py | 18 +--------- action.yml | 20 ----------- requirements.txt | 2 +- 5 files changed, 18 insertions(+), 118 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index c511733..38b20ab 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -36,7 +36,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-whitespace: strategy: @@ -65,7 +65,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 [[ -f ./test/white\ space.txt ]] || exit 1 [[ -f ./test/more\ white\ space.txt ]] || exit 1 @@ -96,7 +96,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-xfail-invalid-inputs: runs-on: ubuntu-latest @@ -140,7 +140,7 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-glob: runs-on: ubuntu-latest @@ -156,9 +156,9 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 selftest-xfail-glob-input-expansion: runs-on: ubuntu-latest 
@@ -200,14 +200,14 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 - [[ -f ./test/another1.txt.sigstore ]] || exit 1 - [[ -f ./test/another2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 selftest-upload-artifacts: runs-on: ubuntu-latest @@ -229,7 +229,7 @@ jobs: - name: Verify presence of uploaded files run: | [[ -f ./artifact.txt ]] || exit 1 - [[ -f ./artifact.txt.sigstore ]] || exit 1 + [[ -f ./artifact.txt.sigstore.json ]] || exit 1 working-directory: ./test/uploaded selftest-custom-paths: diff --git a/README.md b/README.md index 1639198..9910109 100644 --- a/README.md +++ b/README.md 
@@ -203,70 +203,6 @@ However, this example is invalid: certificate: custom-bundle.sigstore ``` -### `fulcio-url` - -**Default**: `https://fulcio.sigstore.dev` - -The `fulcio-url` setting controls the Fulcio instance to retrieve the ephemeral signing certificate -from. This setting cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - fulcio-url: https://fulcio.sigstage.dev -``` - -### `rekor-url` - -**Default**: `https://rekor.sigstore.dev` - -The `rekor-url` setting controls the Rekor instance to upload the file signature to. This setting -cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - rekor-url: https://rekor.sigstage.dev -``` - -### `ctfe` - -**Default**: `ctfe.pub` (the CTFE key embedded in `sigstore-python`) - -The `ctfe` setting is a path to a PEM-encoded public key for the CT log. This setting cannot be used -in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/ctfe.pub -``` - -### `rekor-root-pubkey` - -**Default**: `rekor.pub` (the Rekor key embedded in `sigstore-python`) - -The `rekor-root-pubkey` setting is a path to a PEM-encoded public key for Rekor. This setting cannot -be used in combination with `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/rekor.pub -``` - ### `staging` **Default**: `false` diff --git a/action.py b/action.py index 0e7ec00..09e961f 100755 --- a/action.py +++ b/action.py 
@@ -164,22 +164,6 @@ def _fatal_help(msg): sigstore_verify_args.extend(["--bundle", bundle]) signing_artifact_paths.append(bundle) -fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL") -if fulcio_url: - sigstore_sign_args.extend(["--fulcio-url", fulcio_url]) - -rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL") -if rekor_url: - sigstore_global_args.extend(["--rekor-url", rekor_url]) - -ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE") -if ctfe: - sigstore_sign_args.extend(["--ctfe", ctfe]) - -rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY") -if rekor_root_pubkey: - sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey]) - if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": sigstore_global_args.append("--staging") @@ -229,7 +213,7 @@ def _fatal_help(msg): signing_artifact_paths.append(str(file_)) if "--bundle" not in sigstore_sign_args: - signing_artifact_paths.append(f"{file_}.sigstore") + signing_artifact_paths.append(f"{file_}.sigstore.json") sigstore_sign_args.extend([str(f) for f in files]) sigstore_verify_args.extend([str(f) for f in files]) diff --git a/action.yml b/action.yml index efa157b..7dc3faa 100644 --- a/action.yml +++ b/action.yml @@ -44,22 +44,6 @@ inputs: description: "write a single Sigstore bundle to the given file; does not work with multiple input files" required: false default: "" - fulcio-url: - description: "the Fulcio instance to use (conflicts with `staging`)" - required: false - default: "" - rekor-url: - description: "the Rekor instance to use (conflicts with `staging`)" - required: false - default: "" - ctfe: - description: "a PEM-encoded public key for the CT log (conflicts with `staging`)" - required: false - default: "" - rekor-root-pubkey: - description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)" - required: false - default: "" staging: description: "use sigstore's staging instances, instead of the default production instances" required: false 
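Review bot: A workflow that still sets `fulcio-url:` or `rekor-url:` (e.g. to a private or staging instance) will now get at most GitHub's unexpected-input warning and then sign against the production instances, because this hunk, the `action.yml` inputs hunk below and the env-line hunk after it remove the handling without any fail-closed check; for a signing action that is a silent fail-open. Prefer failing closed for one release: keep the four inputs declared as deprecated in `action.yml`, keep their env lines, and reject any non-empty value here, e.g. `if any(os.getenv(f"GHA_SIGSTORE_PYTHON_{k}") for k in ("FULCIO_URL", "REKOR_URL", "CTFE", "REKOR_ROOT_PUBKEY")): _fatal_help("fulcio-url, rekor-url, ctfe and rekor-root-pubkey were removed; use `staging` instead")`. The commit message should also call this out as a breaking change. The `.sigstore.json` rename in the second hunk is consistent with the selftest updates.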
@@ -119,10 +103,6 @@ runs: GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}" - GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}" - GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}" - GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}" - GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}" GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}" GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}" GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}" diff --git a/requirements.txt b/requirements.txt index 393b58b..5ecd303 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -sigstore ~= 2.1 +sigstore ~= 3.0 requests ~= 2.28 From 1ddeb829cc81aadc391a78096478d61db0dee7e6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 4 Jul 2024 08:04:47 -0400 Subject: [PATCH 11/15] action: use a venv to prevent PEP 668 errors (#145) * action: use a venv to prevent PEP 668 errors Signed-off-by: William Woodruff * action: use sys.executable Signed-off-by: William Woodruff * fight with Windows Signed-off-by: William Woodruff * setup: minimum Python is 3.8 This has been true for a while. Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 24 ++++++++++++++++++++++++ action.py | 4 ++-- action.yml | 6 +++++- setup/setup.bash | 25 +++++++++++++++++++++---- 4 files changed, 52 insertions(+), 7 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 38b20ab..f2edc93 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
@@ -19,6 +19,8 @@ jobs: - ubuntu-latest - macos-latest - windows-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: @@ -38,6 +40,28 @@ jobs: run: | [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-runner-python: + strategy: + matrix: + os: + - ubuntu-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 + runs-on: ${{ matrix.os }} + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v4 + - name: Sign artifact and publish signature + uses: ./ + id: sigstore-python + with: + inputs: ./test/artifact.txt + internal-be-careful-debug: true + - name: Check outputs + shell: bash + run: | + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-whitespace: strategy: matrix: diff --git a/action.py b/action.py index 09e961f..1cd38fc 100755 --- a/action.py +++ b/action.py @@ -86,12 +86,12 @@ def _download_ref_asset(ext): def _sigstore_sign(global_args, sign_args): - return ["python", "-m", "sigstore", *global_args, "sign", *sign_args] + return [sys.executable, "-m", "sigstore", *global_args, "sign", *sign_args] def _sigstore_verify(global_args, verify_args): return [ - "python", + sys.executable, "-m", "sigstore", *global_args, diff --git a/action.yml b/action.yml index 7dc3faa..d765d61 100644 --- a/action.yml +++ b/action.yml @@ -83,6 +83,7 @@ runs: using: "composite" steps: - name: Set up sigstore-python + id: setup run: | # NOTE: Sourced, not executed as a script. source "${GITHUB_ACTION_PATH}/setup/setup.bash" 
@@ -93,10 +94,13 @@ runs: - name: Run sigstore-python id: sigstore-python run: | - ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}" + "${VENV_PYTHON_PATH}" \ + "${GITHUB_ACTION_PATH}/action.py" \ + "${GHA_SIGSTORE_PYTHON_INPUTS}" env: # The year is 2023, and nonsense like this is still necessary on Windows. PYTHONUTF8: "1" + VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" diff --git a/setup/setup.bash b/setup/setup.bash index ba5891e..62ece86 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -35,7 +35,7 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then die "Internal error: setup harness was executed instead of being sourced?" fi -# Check the Python version, making sure it's new enough (3.7+) +# Check the Python version, making sure it's new enough (3.8+) # The installation step immediately below will technically catch this, # but doing it explicitly gives us the opportunity to produce a better # error message. 
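Review bot: The rewritten `run:` line executes `"${VENV_PYTHON_PATH}"` without checking that the setup step actually produced the `venv-python-path` output; if it is empty the command degrades to running an empty string, and the step fails with an unhelpful "command not found" rather than naming the real cause. A one-line guard before the call keeps the failure readable: `[[ -n "${VENV_PYTHON_PATH}" ]] || { echo "::error::setup step did not export venv-python-path"; exit 1; }`. Whether this step runs under `set -e` depends on a `shell:` key outside the hunk, so the guard should not rely on it.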
@@ -43,8 +43,25 @@ vers=$(python -V | cut -d ' ' -f2) maj_vers=$(cut -d '.' -f1 <<< "${vers}") min_vers=$(cut -d '.' -f2 <<< "${vers}") -[[ "${maj_vers}" == "3" && "${min_vers}" -ge 7 ]] || die "Bad Python version: ${vers}" +[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}" -python -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" +# If the user didn't explicitly configure a Python version with +# `actions/setup-python`, then we might be using the distribution's Python and +# therefore be subject to PEP 668. We use a virtual environment unconditionally +# to prevent that kind of confusion. +python -m venv "${GITHUB_ACTION_PATH}/.action-env" -debug "sigstore-python: $(python -m sigstore --version)" +# Annoying: Windows venvs use a different structure, for unknown reasons. +if [[ -d "${GITHUB_ACTION_PATH}/.action-env/bin" ]]; then + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/bin/python" +else + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python" +fi + +"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" + +debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)" + +# Finally, propagate VENV_PYTHON_PATH so we can actually kick-start +# the extension from it. +echo "venv-python-path=${VENV_PYTHON_PATH}" >> "${GITHUB_OUTPUT}" From 16fbe9a8d335cfde2d487c8c459707abdd1c3704 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 8 Jul 2024 11:50:32 -0400 Subject: [PATCH 12/15] action: flip `release-signing-artifacts` (#142) Signed-off-by: William Woodruff --- README.md | 11 +++-------- action.yml | 10 +++++----- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 9910109..a192f31 100644 --- a/README.md +++ b/README.md 
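Review bot: `python -m venv "${GITHUB_ACTION_PATH}/.action-env"` has no failure handling, unlike the version check one line above which uses `die`; on runners where the venv module or ensurepip is not installed the creation fails, and if the calling step is not running with `-e` (that is decided outside this sourced file) the script continues into the `bin`/`Scripts` probe and pip fails with a confusing path error. Keeping the existing convention is a one-line change: `python -m venv "${GITHUB_ACTION_PATH}/.action-env" || die "Failed to create a virtual environment (is the venv module available?)"`. The `else` branch also silently assumes a `Scripts` layout whenever `bin` is absent, which is worth stating in the comment above it, e.g. `# Windows venvs use Scripts/ instead of bin/; any other layout will fail at the pip step below.`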
@@ -314,7 +314,7 @@ Example: ### `release-signing-artifacts` -**Default**: `false` +**Default**: `true` The `release-signing-artifacts` setting controls whether or not `sigstore-python` uploads signing artifacts to the release publishing event that triggered this run. @@ -323,8 +323,6 @@ This setting has no effect on non-`release` events. If enabled, this setting also re-uploads and signs GitHub's default source code artifacts, as they are not guaranteed to be stable. -By default, no release assets are uploaded. - Requires the [`contents: write` permission](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). Example: @@ -342,8 +340,7 @@ permissions: ``` On release events, it is also valid to have no explicit inputs. When used on release -events with `release-signing-artifacts: true`, this action will sign any pre-existing -release artifacts: +events, this action will sign any pre-existing release artifacts: ```yaml permissions: @@ -351,10 +348,8 @@ permissions: # ... +# no explicit settings needed, signs all pre-existing release artifacts - uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - # Only valid on release events - release-signing-artifacts: true ``` ### Internal options diff --git a/action.yml b/action.yml index d765d61..cf1d467 100644 --- a/action.yml +++ b/action.yml @@ -47,11 +47,11 @@ inputs: staging: description: "use sigstore's staging instances, instead of the default production instances" required: false - default: false + default: "false" verify: description: "verify the generated signatures after signing" required: false - default: false + default: "false" verify-cert-identity: description: | verify the identity in the signing certificate's Subject Alternative Name 
@@ -69,15 +69,15 @@ inputs: upload-signing-artifacts: description: "upload all signing artifacts as workflow artifacts" required: false - default: false + default: "false" release-signing-artifacts: description: "attach all signing artifacts as release assets" required: false - default: false + default: "true" internal-be-careful-debug: description: "run with debug logs (default false)" required: false - default: false + default: "false" runs: using: "composite" From 551a497f0abe7bcba261fd45a195f3d17eebb0c0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 9 Jul 2024 02:39:14 -0400 Subject: [PATCH 13/15] action: remove old output settings (#146) * action: remove old output settings Signed-off-by: William Woodruff * selftest: remove old test ref Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 22 ---------- README.md | 75 ---------------------------------- action.py | 18 -------- action.yml | 15 ------- 4 files changed, 130 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index f2edc93..bc0e724 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
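Review bot: Flipping `release-signing-artifacts` to `default: "true"` makes the action write release assets on every `release` event without any opt-in, and that behaviour needs the `contents: write` permission that the README hunk in the same commit documents but the input description does not. Since this description is what users see in the action's metadata, it should carry the consequence: `description: "attach all signing artifacts as release assets (on release events; requires the contents: write permission)"`. Workflows that previously ran with a read-only token will now fail at upload time, so the changelog entry for this default change should also point at the permission.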
@@ -256,27 +256,6 @@ jobs: [[ -f ./artifact.txt.sigstore.json ]] || exit 1 working-directory: ./test/uploaded - selftest-custom-paths: - runs-on: ubuntu-latest - if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork - steps: - - uses: actions/checkout@v4 - - name: Sign artifact and publish signature - uses: ./ - id: sigstore-python - with: - inputs: ./test/artifact.txt - signature: ./test/custom_signature.sig - certificate: ./test/custom_certificate.crt - bundle: ./test/custom_bundle.sigstore - staging: true - internal-be-careful-debug: true - - name: Check outputs - run: | - [[ -f ./test/custom_signature.sig ]] || exit 1 - [[ -f ./test/custom_certificate.crt ]] || exit 1 - [[ -f ./test/custom_bundle.sigstore ]] || exit 1 - selftest-verify: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork @@ -376,7 +355,6 @@ jobs: - selftest-glob - selftest-glob-multiple - selftest-upload-artifacts - - selftest-custom-paths - selftest-verify - selftest-xfail-verify-missing-options - selftest-identity-token diff --git a/README.md b/README.md index a192f31..5e10741 100644 --- a/README.md +++ b/README.md 
@@ -128,81 +128,6 @@ Example: oidc-client-secret: alternative-sigstore-secret ``` -### `signature` - -**Default**: Empty (signature files will get named as `{input}.sig`) - -The `signature` setting controls the name of the output signature file. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - signature: custom-signature-filename.sig -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - signature: custom-signature-filename.sig -``` - -### `certificate` - -**Default**: Empty (certificate files will get named as `{input}.crt`) - -The `certificate` setting controls the name of the output certificate file. This setting does not -work when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - certificate: custom-certificate-filename.crt -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-certificate-filename.crt -``` - -### `bundle` - -**Default**: Empty (bundle files will get named as `{input}.sigstore`) - -The `bundle` setting controls the name of the output Sigstore bundle. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - bundle: custom-bundle.sigstore -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-bundle.sigstore -``` - ### `staging` **Default**: `false` diff --git a/action.py b/action.py index 1cd38fc..b6231b7 100755 --- a/action.py +++ b/action.py 
@@ -146,24 +146,6 @@ def _fatal_help(msg): if client_secret: sigstore_sign_args.extend(["--oidc-client-secret", client_secret]) -signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE") -if signature: - sigstore_sign_args.extend(["--signature", signature]) - sigstore_verify_args.extend(["--signature", signature]) - signing_artifact_paths.append(signature) - -certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE") -if certificate: - sigstore_sign_args.extend(["--certificate", certificate]) - sigstore_verify_args.extend(["--certificate", certificate]) - signing_artifact_paths.append(certificate) - -bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE") -if bundle: - sigstore_sign_args.extend(["--bundle", bundle]) - sigstore_verify_args.extend(["--bundle", bundle]) - signing_artifact_paths.append(bundle) - if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": sigstore_global_args.append("--staging") diff --git a/action.yml b/action.yml index cf1d467..2fd642b 100644 --- a/action.yml +++ b/action.yml @@ -32,18 +32,6 @@ inputs: description: "the custom OpenID Connect client secret to use during OAuth2" required: false default: "" - signature: - description: "write a single signature to the given file; does not work with multiple input files" - required: false - default: "" - certificate: - description: "write a single certificate to the given file; does not work with multiple input files" - required: false - default: "" - bundle: - description: "write a single Sigstore bundle to the given file; does not work with multiple input files" - required: false - default: "" staging: description: "use sigstore's staging instances, instead of the default production instances" required: false 
@@ -102,9 +90,6 @@ runs: PYTHONUTF8: "1" VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" - GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" - GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" - GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}" GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}" From da238ad4806ad4bceff0a421e715ba34c3c4f962 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 9 Jul 2024 20:09:40 +0300 Subject: [PATCH 14/15] Cleanup workflows (#148) * Workflows: remove default input arg from action call Signed-off-by: Jussi Kukkonen * workflows: Remove unnecessary selftest release-signing-artifacts defaults to "true" so the removed test now duplicates the previous test. We could try testing the release-signing-artifacts == "false" but that's a bit trickier since it could only be done in a release event... Signed-off-by: Jussi Kukkonen * workflows: Drop recently removed job from needs-list Signed-off-by: Jussi Kukkonen --------- Signed-off-by: Jussi Kukkonen --- .github/workflows/release.yml | 1 - .github/workflows/selftest.yml | 30 ------------------------------ 2 files changed, 31 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 70297e2..eeed331 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,4 +23,3 @@ jobs: id: sigstore-python with: inputs: action.yml action.py - release-signing-artifacts: true diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index bc0e724..dc9b3f9 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
@@ -93,35 +93,6 @@ jobs: [[ -f ./test/white\ space.txt ]] || exit 1 [[ -f ./test/more\ white\ space.txt ]] || exit 1 - selftest-release-signing-artifacts-no-op: - strategy: - matrix: - os: - - ubuntu-latest - - macos-latest - - windows-latest - runs-on: ${{ matrix.os }} - if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - if: ${{ matrix.os != 'ubuntu-latest' }} - with: - python-version: "3.x" - - name: Sign artifact and publish signature - uses: ./ - id: sigstore-python - with: - inputs: ./test/artifact.txt - # The trigger for this test is not a release, so this has no effect - # (but does not break the workflow either). - release-signing-artifacts: true - internal-be-careful-debug: true - - name: Check outputs - shell: bash - run: | - [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 - selftest-xfail-invalid-inputs: runs-on: ubuntu-latest strategy: @@ -349,7 +320,6 @@ jobs: needs: - selftest - selftest-whitespace - - selftest-release-signing-artifacts-no-op - selftest-xfail-invalid-inputs - selftest-staging - selftest-glob From f514d46b907ebcd5bedc05145c03b69c1edd8b46 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 15 Jul 2024 11:18:42 -0400 Subject: [PATCH 15/15] Prep 3.0.0 (#143) --- CHANGELOG.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 28 +++++++++++------------ 2 files changed, 78 insertions(+), 14 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..04da74d --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,64 @@ +# Changelog + +All notable changes to `gh-action-sigstore-python` will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +All versions prior to 3.0.0 are untracked. + +## [Unreleased] + +## [3.0.0] + +### Added + +* `inputs` now allows recursive globbing with `**` + ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106)) + +### Removed + +* The following settings have been removed: `fulcio-url`, `rekor-url`, + `ctfe`, `rekor-root-pubkey` + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) +* The following output settings have been removed: `signature`, + `certificate`, `bundle` + ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146)) + + +### Changed + +* `inputs` is now parsed according to POSIX shell lexing rules, improving + the action's consistency when used with filenames containing whitespace + or other significant characters + ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104)) + +* `inputs` is now optional *if* `release-signing-artifacts` is true + *and* the action's event is a `release` event. 
In this case, the action + takes no explicit inputs, but signs the source archives already attached + to the associated release + ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110)) + +* The default suffix has changed from `.sigstore` to `.sigstore.json`, + per Sigstore's client specification + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* `release-signing-artifacts` now defaults to `true` + ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142)) + +### Fixed + +* The `release-signing-artifacts` setting no longer causes a hard error + when used under the incorrect event + ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103)) + +* Various deprecations present in `sigstore-python`'s 2.x series have been + resolved + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* This workflow now supports CI runners that use PEP 668 to constrain global + package prefixes + ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145)) + + +[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD +[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0 diff --git a/README.md b/README.md index 5e10741..174d000 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file0.txt file1.txt file2.txt ``` 
@@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: ./path/to/inputs/*.txt ``` @@ -70,7 +70,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using POSIX shell lexing rules: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: | ./path/to/inputs/*.txt @@ -90,7 +90,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -106,7 +106,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-id: alternative-sigstore-id @@ -122,7 +122,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret @@ -138,7 +138,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt staging: true @@ -161,7 +161,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true 
@@ -184,7 +184,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -209,7 +209,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -231,7 +231,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt upload-signing-artifacts: true @@ -258,7 +258,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt release-signing-artifacts: true @@ -298,7 +298,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt internal-be-careful-debug: true