From 8d54649301b1ea5554e666d3f364017321e7d500 Mon Sep 17 00:00:00 2001 From: DK96-OS <69859316+DK96-OS@users.noreply.github.com> Date: Tue, 3 Dec 2024 11:09:45 -0500 Subject: [PATCH] Release 3.1 (#14) (#134): * schedule-selftest: reduce nagging --------- Signed-off-by: William Woodruff (#140): * requirements: sigstore ~3.0 * selftest: update filenames * action: update another path * action: remove deprecated settings * README: remove old docs --------- Signed-off-by: William Woodruff (#145): * action: use a venv to prevent PEP 668 errors * action: use sys.executable * fight with Windows * setup: minimum Python is 3.8 (This has been true for a while) --------- Signed-off-by: William Woodruff (#142): * action: flip `release-signing-artifacts` --------- Signed-off-by: William Woodruff (#146): * action: remove old output settings * selftest: remove old test ref --------- Signed-off-by: William Woodruff Cleanup workflows (#148): * Workflows: remove default input arg from action call * workflows: Remove unnecessary selftest release-signing-artifacts defaults to "true" so the removed test now duplicates the previous test. We could try testing the release-signing-artifacts == "false" but that's a bit trickier since it could only be done in a release event... * workflows: Drop recently removed job from needs-list --------- Signed-off-by: Jussi Kukkonen Prep 3.0.0 (#143): --------- Signed-off-by: William Woodruff (#152): * build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (#154): * Fix remaining reference to 2.1.1 in README --------- Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com> (#151): * Enable debugging also if ACTIONS_STEP_DEBUG==true --------- Co-authored-by: rindeal Co-authored-by: William Woodruff Upgrade Dependencies: * Update requirements.txt - upgrade sigstore 3.1, upgrade requests 2.32 --------- Signed-off-by: DK96-OS <69859316+DK96-OS@users.noreply.github.com> --- .github/workflows/release.yml | 1 - .github/workflows/schedule-selftest.yml | 4 +- .github/workflows/selftest.yml | 86 ++++------- CHANGELOG.md | 64 +++++++++ README.md | 180 +++--------------------- action.py | 43 +----- action.yml | 51 ++----- setup/setup.bash | 31 +++- 8 files changed, 153 insertions(+), 307 deletions(-) create mode 100644 CHANGELOG.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 70297e2..eeed331 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,4 +23,3 @@ jobs: id: sigstore-python with: inputs: action.yml action.py - release-signing-artifacts: true diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index 31acf2f..d259ddd 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -37,10 +37,10 @@ jobs: EOF - name: Open issue - uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0 + uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1 with: title: "[CI] Self-test failure" # created in the previous step content-filepath: /tmp/issue.md labels: bug - assignees: woodruffw,tetsuo-cpp,tnytown + assignees: woodruffw diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index c511733..dc9b3f9 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -19,6 +19,8 @@ jobs: - ubuntu-latest - macos-latest - windows-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: @@ -36,40 +38,31 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 - selftest-whitespace: + selftest-runner-python: strategy: matrix: os: - ubuntu-latest - - macos-latest - - windows-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - if: ${{ matrix.os != 'ubuntu-latest' }} - with: - python-version: "3.x" - name: Sign artifact and publish signature uses: ./ id: sigstore-python with: - inputs: | - ./test/artifact.txt - ./test/white\ space.txt - ./test/"more white space.txt" + inputs: ./test/artifact.txt internal-be-careful-debug: true - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/white\ space.txt ]] || exit 1 - [[ -f ./test/more\ white\ space.txt ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 - selftest-release-signing-artifacts-no-op: + selftest-whitespace: strategy: matrix: os: @@ -88,15 +81,17 @@ jobs: uses: ./ id: sigstore-python with: - inputs: ./test/artifact.txt - # The trigger for this test is not a release, so this has no effect - # (but does not break the workflow either). - release-signing-artifacts: true + inputs: | + ./test/artifact.txt + ./test/white\ space.txt + ./test/"more white space.txt" internal-be-careful-debug: true - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/white\ space.txt ]] || exit 1 + [[ -f ./test/more\ white\ space.txt ]] || exit 1 selftest-xfail-invalid-inputs: runs-on: ubuntu-latest @@ -140,7 +135,7 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-glob: runs-on: ubuntu-latest @@ -156,9 +151,9 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 selftest-xfail-glob-input-expansion: runs-on: ubuntu-latest @@ -200,14 +195,14 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 - [[ -f ./test/another1.txt.sigstore ]] || exit 1 - [[ -f ./test/another2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 selftest-upload-artifacts: runs-on: ubuntu-latest @@ -229,30 +224,9 @@ jobs: - name: Verify presence of uploaded files run: | [[ -f ./artifact.txt ]] || exit 1 - [[ -f ./artifact.txt.sigstore ]] || exit 1 + [[ -f ./artifact.txt.sigstore.json ]] || exit 1 working-directory: ./test/uploaded - selftest-custom-paths: - runs-on: ubuntu-latest - if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork - steps: - - uses: actions/checkout@v4 - - name: Sign artifact and publish signature - uses: ./ - id: sigstore-python - with: - inputs: ./test/artifact.txt - signature: ./test/custom_signature.sig - certificate: ./test/custom_certificate.crt - bundle: ./test/custom_bundle.sigstore - staging: true - internal-be-careful-debug: true - - name: Check outputs - run: | - [[ -f ./test/custom_signature.sig ]] || exit 1 - [[ -f ./test/custom_certificate.crt ]] || exit 1 - [[ -f ./test/custom_bundle.sigstore ]] || exit 1 - selftest-verify: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork @@ -346,13 +320,11 @@ jobs: needs: - selftest - selftest-whitespace - - selftest-release-signing-artifacts-no-op - selftest-xfail-invalid-inputs - selftest-staging - selftest-glob - selftest-glob-multiple - selftest-upload-artifacts - - selftest-custom-paths - selftest-verify - selftest-xfail-verify-missing-options - selftest-identity-token diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..04da74d --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,64 @@ +# Changelog + +All notable changes to `gh-action-sigstore-python` will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +All versions prior to 3.0.0 are untracked. + +## [Unreleased] + +## [3.0.0] + +### Added + +* `inputs` now allows recursive globbing with `**` + ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106)) + +### Removed + +* The following settings have been removed: `fulcio-url`, `rekor-url`, + `ctfe`, `rekor-root-pubkey` + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) +* The following output settings have been removed: `signature`, + `certificate`, `bundle` + ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146)) + + +### Changed + +* `inputs` is now parsed according to POSIX shell lexing rules, improving + the action's consistency when used with filenames containing whitespace + or other significant characters + ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104)) + +* `inputs` is now optional *if* `release-signing-artifacts` is true + *and* the action's event is a `release` event. In this case, the action + takes no explicit inputs, but signs the source archives already attached + to the associated release + ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110)) + +* The default suffix has changed from `.sigstore` to `.sigstore.json`, + per Sigstore's client specification + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* `release-signing-artifacts` now defaults to `true` + ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142)) + +### Fixed + +* The `release-signing-artifacts` setting no longer causes a hard error + when used under the incorrect event + ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103)) + +* Various deprecations present in `sigstore-python`'s 2.x series have been + resolved + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* This workflow now supports CI runners that use PEP 668 to constrain global + package prefixes + ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145)) + + +[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD +[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0 diff --git a/README.md b/README.md index 1639198..379ed05 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file0.txt file1.txt file2.txt ``` @@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: ./path/to/inputs/*.txt ``` @@ -70,7 +70,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using POSIX shell lexing rules: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: | ./path/to/inputs/*.txt @@ -90,7 +90,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -106,7 +106,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-id: alternative-sigstore-id @@ -122,151 +122,12 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret ``` -### `signature` - -**Default**: Empty (signature files will get named as `{input}.sig`) - -The `signature` setting controls the name of the output signature file. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - signature: custom-signature-filename.sig -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - signature: custom-signature-filename.sig -``` - -### `certificate` - -**Default**: Empty (certificate files will get named as `{input}.crt`) - -The `certificate` setting controls the name of the output certificate file. This setting does not -work when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - certificate: custom-certificate-filename.crt -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-certificate-filename.crt -``` - -### `bundle` - -**Default**: Empty (bundle files will get named as `{input}.sigstore`) - -The `bundle` setting controls the name of the output Sigstore bundle. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - bundle: custom-bundle.sigstore -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-bundle.sigstore -``` - -### `fulcio-url` - -**Default**: `https://fulcio.sigstore.dev` - -The `fulcio-url` setting controls the Fulcio instance to retrieve the ephemeral signing certificate -from. This setting cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - fulcio-url: https://fulcio.sigstage.dev -``` - -### `rekor-url` - -**Default**: `https://rekor.sigstore.dev` - -The `rekor-url` setting controls the Rekor instance to upload the file signature to. This setting -cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - rekor-url: https://rekor.sigstage.dev -``` - -### `ctfe` - -**Default**: `ctfe.pub` (the CTFE key embedded in `sigstore-python`) - -The `ctfe` setting is a path to a PEM-encoded public key for the CT log. This setting cannot be used -in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/ctfe.pub -``` - -### `rekor-root-pubkey` - -**Default**: `rekor.pub` (the Rekor key embedded in `sigstore-python`) - -The `rekor-root-pubkey` setting is a path to a PEM-encoded public key for Rekor. This setting cannot -be used in combination with `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/rekor.pub -``` - ### `staging` **Default**: `false` @@ -277,7 +138,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt staging: true @@ -300,7 +161,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -323,7 +184,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -348,7 +209,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -370,7 +231,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt upload-signing-artifacts: true @@ -378,7 +239,7 @@ Example: ### `release-signing-artifacts` -**Default**: `false` +**Default**: `true` The `release-signing-artifacts` setting controls whether or not `sigstore-python` uploads signing artifacts to the release publishing event that triggered this run. @@ -387,8 +248,6 @@ This setting has no effect on non-`release` events. If enabled, this setting also re-uploads and signs GitHub's default source code artifacts, as they are not guaranteed to be stable. -By default, no release assets are uploaded. - Requires the [`contents: write` permission](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). Example: @@ -399,15 +258,14 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt release-signing-artifacts: true ``` On release events, it is also valid to have no explicit inputs. When used on release -events with `release-signing-artifacts: true`, this action will sign any pre-existing -release artifacts: +events, this action will sign any pre-existing release artifacts: ```yaml permissions: @@ -415,10 +273,8 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - # Only valid on release events - release-signing-artifacts: true +# no explicit settings needed, signs all pre-existing release artifacts +- uses: sigstore/gh-action-sigstore-python@v3.0.0 ``` ### Internal options @@ -442,7 +298,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt internal-be-careful-debug: true diff --git a/action.py b/action.py index 0e7ec00..b0a43aa 100755 --- a/action.py +++ b/action.py @@ -37,7 +37,8 @@ _SUMMARY = Path(_summary_path).open("a") _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" -_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" +_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" or \ + os.getenv("ACTIONS_STEP_DEBUG", "false") == "true" _RELEASE_SIGNING_ARTIFACTS = ( os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true" @@ -86,12 +87,12 @@ def _download_ref_asset(ext): def _sigstore_sign(global_args, sign_args): - return ["python", "-m", "sigstore", *global_args, "sign", *sign_args] + return [sys.executable, "-m", "sigstore", *global_args, "sign", *sign_args] def _sigstore_verify(global_args, verify_args): return [ - "python", + sys.executable, "-m", "sigstore", *global_args, @@ -146,40 +147,6 @@ def _fatal_help(msg): if client_secret: sigstore_sign_args.extend(["--oidc-client-secret", client_secret]) -signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE") -if signature: - sigstore_sign_args.extend(["--signature", signature]) - sigstore_verify_args.extend(["--signature", signature]) - signing_artifact_paths.append(signature) - -certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE") -if certificate: - sigstore_sign_args.extend(["--certificate", certificate]) - sigstore_verify_args.extend(["--certificate", certificate]) - signing_artifact_paths.append(certificate) - -bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE") -if bundle: - sigstore_sign_args.extend(["--bundle", bundle]) - sigstore_verify_args.extend(["--bundle", bundle]) - signing_artifact_paths.append(bundle) - -fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL") -if fulcio_url: - sigstore_sign_args.extend(["--fulcio-url", fulcio_url]) - -rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL") -if rekor_url: - sigstore_global_args.extend(["--rekor-url", rekor_url]) - -ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE") -if ctfe: - sigstore_sign_args.extend(["--ctfe", ctfe]) - -rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY") -if rekor_root_pubkey: - sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey]) - if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": sigstore_global_args.append("--staging") @@ -229,7 +196,7 @@ def _fatal_help(msg): signing_artifact_paths.append(str(file_)) if "--bundle" not in sigstore_sign_args: - signing_artifact_paths.append(f"{file_}.sigstore") + signing_artifact_paths.append(f"{file_}.sigstore.json") sigstore_sign_args.extend([str(f) for f in files]) sigstore_verify_args.extend([str(f) for f in files]) diff --git a/action.yml b/action.yml index efa157b..2fd642b 100644 --- a/action.yml +++ b/action.yml @@ -32,42 +32,14 @@ inputs: description: "the custom OpenID Connect client secret to use during OAuth2" required: false default: "" - signature: - description: "write a single signature to the given file; does not work with multiple input files" - required: false - default: "" - certificate: - description: "write a single certificate to the given file; does not work with multiple input files" - required: false - default: "" - bundle: - description: "write a single Sigstore bundle to the given file; does not work with multiple input files" - required: false - default: "" - fulcio-url: - description: "the Fulcio instance to use (conflicts with `staging`)" - required: false - default: "" - rekor-url: - description: "the Rekor instance to use (conflicts with `staging`)" - required: false - default: "" - ctfe: - description: "a PEM-encoded public key for the CT log (conflicts with `staging`)" - required: false - default: "" - rekor-root-pubkey: - description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)" - required: false - default: "" staging: description: "use sigstore's staging instances, instead of the default production instances" required: false - default: false + default: "false" verify: description: "verify the generated signatures after signing" required: false - default: false + default: "false" verify-cert-identity: description: | verify the identity in the signing certificate's Subject Alternative Name @@ -85,20 +57,21 @@ inputs: upload-signing-artifacts: description: "upload all signing artifacts as workflow artifacts" required: false - default: false + default: "false" release-signing-artifacts: description: "attach all signing artifacts as release assets" required: false - default: false + default: "true" internal-be-careful-debug: description: "run with debug logs (default false)" required: false - default: false + default: "false" runs: using: "composite" steps: - name: Set up sigstore-python + id: setup run: | # NOTE: Sourced, not executed as a script. source "${GITHUB_ACTION_PATH}/setup/setup.bash" @@ -109,20 +82,16 @@ runs: - name: Run sigstore-python id: sigstore-python run: | - ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}" + "${VENV_PYTHON_PATH}" \ + "${GITHUB_ACTION_PATH}/action.py" \ + "${GHA_SIGSTORE_PYTHON_INPUTS}" env: # The year is 2023, and nonsense like this is still necessary on Windows. PYTHONUTF8: "1" + VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" - GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" - GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" - GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}" - GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}" - GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}" - GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}" - GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}" GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}" GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}" GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}" diff --git a/setup/setup.bash b/setup/setup.bash index ba5891e..16785a6 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -22,8 +22,10 @@ die() { } debug() { - if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG}" = "true" ]]; then - echo -e "\033[93mDEBUG: ${1}\033[0m" + if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG:-false}" != "false" || \ + "${ACTIONS_STEP_DEBUG:-false}" == 'true' ]] + then + echo -e "\033[93mDEBUG: ${1}\033[0m" >&2 fi } @@ -35,7 +37,7 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then die "Internal error: setup harness was executed instead of being sourced?" fi -# Check the Python version, making sure it's new enough (3.7+) +# Check the Python version, making sure it's new enough (3.8+) # The installation step immediately below will technically catch this, # but doing it explicitly gives us the opportunity to produce a better # error message. @@ -43,8 +45,25 @@ vers=$(python -V | cut -d ' ' -f2) maj_vers=$(cut -d '.' -f1 <<< "${vers}") min_vers=$(cut -d '.' -f2 <<< "${vers}") -[[ "${maj_vers}" == "3" && "${min_vers}" -ge 7 ]] || die "Bad Python version: ${vers}" +[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}" -python -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" +# If the user didn't explicitly configure a Python version with +# `actions/setup-python`, then we might be using the distribution's Python and +# therefore be subject to PEP 668. We use a virtual environment unconditionally +# to prevent that kind of confusion. +python -m venv "${GITHUB_ACTION_PATH}/.action-env" -debug "sigstore-python: $(python -m sigstore --version)" +# Annoying: Windows venvs use a different structure, for unknown reasons. +if [[ -d "${GITHUB_ACTION_PATH}/.action-env/bin" ]]; then + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/bin/python" +else + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python" +fi + +"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" + +debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)" + +# Finally, propagate VENV_PYTHON_PATH so we can actually kick-start +# the extension from it. +echo "venv-python-path=${VENV_PYTHON_PATH}" >> "${GITHUB_OUTPUT}"