From 26de7459ab0625282c11ecbcf6e65941b2886b09 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 7 Jun 2024 15:19:05 -0400 Subject: [PATCH 01/11] schedule-selftest: reduce nagging (#134) Signed-off-by: William Woodruff --- .github/workflows/schedule-selftest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index 31acf2f..b5f43e9 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -43,4 +43,4 @@ jobs: # created in the previous step content-filepath: /tmp/issue.md labels: bug - assignees: woodruffw,tetsuo-cpp,tnytown + assignees: woodruffw From 94661007ff419d4795b935732494905162e79738 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 17 Jun 2024 10:18:13 -0400 Subject: [PATCH 02/11] requirements: sigstore ~3.0 (#140) * requirements: sigstore ~3.0 Signed-off-by: William Woodruff * selftest: update filenames Signed-off-by: William Woodruff * action: update another path Signed-off-by: William Woodruff * action: remove deprecated settings Signed-off-by: William Woodruff * README: remove old docs Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 32 ++++++++--------- README.md | 64 ---------------------------------- action.py | 18 +--------- action.yml | 20 ----------- requirements.txt | 2 +- 5 files changed, 18 insertions(+), 118 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index c511733..38b20ab 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -36,7 +36,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-whitespace: strategy: 
@@ -65,7 +65,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 [[ -f ./test/white\ space.txt ]] || exit 1 [[ -f ./test/more\ white\ space.txt ]] || exit 1 @@ -96,7 +96,7 @@ jobs: - name: Check outputs shell: bash run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-xfail-invalid-inputs: runs-on: ubuntu-latest @@ -140,7 +140,7 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-glob: runs-on: ubuntu-latest @@ -156,9 +156,9 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 selftest-xfail-glob-input-expansion: runs-on: ubuntu-latest 
@@ -200,14 +200,14 @@ jobs: internal-be-careful-debug: true - name: Check outputs run: | - [[ -f ./test/artifact.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact1.txt.sigstore ]] || exit 1 - [[ -f ./test/artifact2.txt.sigstore ]] || exit 1 - [[ -f ./test/another1.txt.sigstore ]] || exit 1 - [[ -f ./test/another2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1 - [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1 + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/another2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1 + [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 selftest-upload-artifacts: runs-on: ubuntu-latest @@ -229,7 +229,7 @@ jobs: - name: Verify presence of uploaded files run: | [[ -f ./artifact.txt ]] || exit 1 - [[ -f ./artifact.txt.sigstore ]] || exit 1 + [[ -f ./artifact.txt.sigstore.json ]] || exit 1 working-directory: ./test/uploaded selftest-custom-paths: diff --git a/README.md b/README.md index 1639198..9910109 100644 --- a/README.md +++ b/README.md 
@@ -203,70 +203,6 @@ However, this example is invalid: certificate: custom-bundle.sigstore ``` -### `fulcio-url` - -**Default**: `https://fulcio.sigstore.dev` - -The `fulcio-url` setting controls the Fulcio instance to retrieve the ephemeral signing certificate -from. This setting cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - fulcio-url: https://fulcio.sigstage.dev -``` - -### `rekor-url` - -**Default**: `https://rekor.sigstore.dev` - -The `rekor-url` setting controls the Rekor instance to upload the file signature to. This setting -cannot be used in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - rekor-url: https://rekor.sigstage.dev -``` - -### `ctfe` - -**Default**: `ctfe.pub` (the CTFE key embedded in `sigstore-python`) - -The `ctfe` setting is a path to a PEM-encoded public key for the CT log. This setting cannot be used -in combination with the `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/ctfe.pub -``` - -### `rekor-root-pubkey` - -**Default**: `rekor.pub` (the Rekor key embedded in `sigstore-python`) - -The `rekor-root-pubkey` setting is a path to a PEM-encoded public key for Rekor. This setting cannot -be used in combination with `staging` setting. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - ctfe: ./path/to/rekor.pub -``` - ### `staging` **Default**: `false` diff --git a/action.py b/action.py index 0e7ec00..09e961f 100755 --- a/action.py +++ b/action.py 
@@ -164,22 +164,6 @@ def _fatal_help(msg): sigstore_verify_args.extend(["--bundle", bundle]) signing_artifact_paths.append(bundle) -fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL") -if fulcio_url: - sigstore_sign_args.extend(["--fulcio-url", fulcio_url]) - -rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL") -if rekor_url: - sigstore_global_args.extend(["--rekor-url", rekor_url]) - -ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE") -if ctfe: - sigstore_sign_args.extend(["--ctfe", ctfe]) - -rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY") -if rekor_root_pubkey: - sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey]) - if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": sigstore_global_args.append("--staging") @@ -229,7 +213,7 @@ def _fatal_help(msg): signing_artifact_paths.append(str(file_)) if "--bundle" not in sigstore_sign_args: - signing_artifact_paths.append(f"{file_}.sigstore") + signing_artifact_paths.append(f"{file_}.sigstore.json") sigstore_sign_args.extend([str(f) for f in files]) sigstore_verify_args.extend([str(f) for f in files]) diff --git a/action.yml b/action.yml index efa157b..7dc3faa 100644 --- a/action.yml +++ b/action.yml @@ -44,22 +44,6 @@ inputs: description: "write a single Sigstore bundle to the given file; does not work with multiple input files" required: false default: "" - fulcio-url: - description: "the Fulcio instance to use (conflicts with `staging`)" - required: false - default: "" - rekor-url: - description: "the Rekor instance to use (conflicts with `staging`)" - required: false - default: "" - ctfe: - description: "a PEM-encoded public key for the CT log (conflicts with `staging`)" - required: false - default: "" - rekor-root-pubkey: - description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)" - required: false - default: "" staging: description: "use sigstore's staging instances, instead of the default production instances" required: false 
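Review bot: The new `.sigstore.json` suffix is a bare literal at the append site in the second hunk, and the same string is now repeated across the selftest checks in this patch, so the next suffix change has to be chased through every site by hand; hoisting it into one module constant, e.g. `_BUNDLE_SUFFIX = ".sigstore.json"` and `signing_artifact_paths.append(f"{file_}{_BUNDLE_SUFFIX}")`, keeps the output naming in one place. The appended path is a prediction of what sigstore will write rather than an observed file, so if the client's naming ever diverges from this suffix the mismatch presumably only shows up later at upload time; a post-sign existence check on the collected paths would fail earlier and more clearly, though where the sign command actually runs is outside this hunk. The enclosing `for file_ in files` loop starts before the hunk.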
@@ -119,10 +103,6 @@ runs: GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}" - GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}" - GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}" - GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}" - GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}" GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}" GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}" GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}" diff --git a/requirements.txt b/requirements.txt index 393b58b..5ecd303 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -sigstore ~= 2.1 +sigstore ~= 3.0 requests ~= 2.28 From 1ddeb829cc81aadc391a78096478d61db0dee7e6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 4 Jul 2024 08:04:47 -0400 Subject: [PATCH 03/11] action: use a venv to prevent PEP 668 errors (#145) * action: use a venv to prevent PEP 668 errors Signed-off-by: William Woodruff * action: use sys.executable Signed-off-by: William Woodruff * fight with Windows Signed-off-by: William Woodruff * setup: minimum Python is 3.8 This has been true for a while. Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 24 ++++++++++++++++++++++++ action.py | 4 ++-- action.yml | 6 +++++- setup/setup.bash | 25 +++++++++++++++++++++---- 4 files changed, 52 insertions(+), 7 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 38b20ab..f2edc93 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
@@ -19,6 +19,8 @@ jobs: - ubuntu-latest - macos-latest - windows-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: @@ -38,6 +40,28 @@ jobs: run: | [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-runner-python: + strategy: + matrix: + os: + - ubuntu-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 + runs-on: ${{ matrix.os }} + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v4 + - name: Sign artifact and publish signature + uses: ./ + id: sigstore-python + with: + inputs: ./test/artifact.txt + internal-be-careful-debug: true + - name: Check outputs + shell: bash + run: | + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-whitespace: strategy: matrix: diff --git a/action.py b/action.py index 09e961f..1cd38fc 100755 --- a/action.py +++ b/action.py @@ -86,12 +86,12 @@ def _download_ref_asset(ext): def _sigstore_sign(global_args, sign_args): - return ["python", "-m", "sigstore", *global_args, "sign", *sign_args] + return [sys.executable, "-m", "sigstore", *global_args, "sign", *sign_args] def _sigstore_verify(global_args, verify_args): return [ - "python", + sys.executable, "-m", "sigstore", *global_args, diff --git a/action.yml b/action.yml index 7dc3faa..d765d61 100644 --- a/action.yml +++ b/action.yml @@ -83,6 +83,7 @@ runs: using: "composite" steps: - name: Set up sigstore-python + id: setup run: | # NOTE: Sourced, not executed as a script. source "${GITHUB_ACTION_PATH}/setup/setup.bash" 
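Review bot: `sys.executable` on the new lines of `_sigstore_sign` and `_sigstore_verify` requires `import sys` at the top of action.py, which is outside this hunk; if it is not already present both helpers raise `NameError` on the first sign call, after the venv setup step has already run. Worth confirming the import exists in the module's import block. Resolving the interpreter from `sys.executable` rather than a bare `"python"` on PATH is the right call here, since the action.yml change in this same patch runs action.py under the venv interpreter and this keeps the sigstore invocation inside that same environment. `_sigstore_verify`'s body continues past the end of the hunk.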
@@ -93,10 +94,13 @@ runs: - name: Run sigstore-python id: sigstore-python run: | - ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}" + "${VENV_PYTHON_PATH}" \ + "${GITHUB_ACTION_PATH}/action.py" \ + "${GHA_SIGSTORE_PYTHON_INPUTS}" env: # The year is 2023, and nonsense like this is still necessary on Windows. PYTHONUTF8: "1" + VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" diff --git a/setup/setup.bash b/setup/setup.bash index ba5891e..62ece86 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -35,7 +35,7 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then die "Internal error: setup harness was executed instead of being sourced?" fi -# Check the Python version, making sure it's new enough (3.7+) +# Check the Python version, making sure it's new enough (3.8+) # The installation step immediately below will technically catch this, # but doing it explicitly gives us the opportunity to produce a better # error message. 
@@ -43,8 +43,25 @@ vers=$(python -V | cut -d ' ' -f2) maj_vers=$(cut -d '.' -f1 <<< "${vers}") min_vers=$(cut -d '.' -f2 <<< "${vers}") -[[ "${maj_vers}" == "3" && "${min_vers}" -ge 7 ]] || die "Bad Python version: ${vers}" +[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}" -python -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" +# If the user didn't explicitly configure a Python version with +# `actions/setup-python`, then we might be using the distribution's Python and +# therefore be subject to PEP 668. We use a virtual environment unconditionally +# to prevent that kind of confusion. +python -m venv "${GITHUB_ACTION_PATH}/.action-env" -debug "sigstore-python: $(python -m sigstore --version)" +# Annoying: Windows venvs use a different structure, for unknown reasons. +if [[ -d "${GITHUB_ACTION_PATH}/.action-env/bin" ]]; then + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/bin/python" +else + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python" +fi + +"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" + +debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)" + +# Finally, propagate VENV_PYTHON_PATH so we can actually kick-start +# the extension from it. +echo "venv-python-path=${VENV_PYTHON_PATH}" >> "${GITHUB_OUTPUT}" From 16fbe9a8d335cfde2d487c8c459707abdd1c3704 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 8 Jul 2024 11:50:32 -0400 Subject: [PATCH 04/11] action: flip `release-signing-artifacts` (#142) Signed-off-by: William Woodruff --- README.md | 11 +++-------- action.yml | 10 +++++----- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 9910109..a192f31 100644 --- a/README.md +++ b/README.md 
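Review bot: `python -m venv "${GITHUB_ACTION_PATH}/.action-env"` is not checked for success, and the branch that follows falls through to the `Scripts/python` path whenever the `bin` directory is absent, so a failed venv creation (for example a distribution Python shipped without the venv/ensurepip module) surfaces as a confusing "no such file" on the pip line rather than at its source, unless the sourcing step's shell happens to run with `-e`; `python -m venv "${GITHUB_ACTION_PATH}/.action-env" || die "Failed to create virtual environment"` keeps the failure where it happens. The `die` helper is defined earlier in setup.bash, outside this hunk. Separately, the rewritten install line resolves `requirements.txt` with `~=` ranges and no `--require-hashes`, so the exact sigstore and requests builds that a signing run installs can change between runs with no change to this repository; hash-pinned requirements (or a lockfile) would make the signing toolchain reproducible and auditable. The version check at the top of the hunk still interrogates the PATH `python`, which is also the interpreter used to create the venv, so the two stay consistent.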
@@ -314,7 +314,7 @@ Example: ### `release-signing-artifacts` -**Default**: `false` +**Default**: `true` The `release-signing-artifacts` setting controls whether or not `sigstore-python` uploads signing artifacts to the release publishing event that triggered this run. @@ -323,8 +323,6 @@ This setting has no effect on non-`release` events. If enabled, this setting also re-uploads and signs GitHub's default source code artifacts, as they are not guaranteed to be stable. -By default, no release assets are uploaded. - Requires the [`contents: write` permission](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). Example: @@ -342,8 +340,7 @@ permissions: ``` On release events, it is also valid to have no explicit inputs. When used on release -events with `release-signing-artifacts: true`, this action will sign any pre-existing -release artifacts: +events, this action will sign any pre-existing release artifacts: ```yaml permissions: @@ -351,10 +348,8 @@ permissions: # ... +# no explicit settings needed, signs all pre-existing release artifacts - uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - # Only valid on release events - release-signing-artifacts: true ``` ### Internal options diff --git a/action.yml b/action.yml index d765d61..cf1d467 100644 --- a/action.yml +++ b/action.yml @@ -47,11 +47,11 @@ inputs: staging: description: "use sigstore's staging instances, instead of the default production instances" required: false - default: false + default: "false" verify: description: "verify the generated signatures after signing" required: false - default: false + default: "false" verify-cert-identity: description: | verify the identity in the signing certificate's Subject Alternative Name 
@@ -69,15 +69,15 @@ inputs: upload-signing-artifacts: description: "upload all signing artifacts as workflow artifacts" required: false - default: false + default: "false" release-signing-artifacts: description: "attach all signing artifacts as release assets" required: false - default: false + default: "true" internal-be-careful-debug: description: "run with debug logs (default false)" required: false - default: false + default: "false" runs: using: "composite" From 551a497f0abe7bcba261fd45a195f3d17eebb0c0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 9 Jul 2024 02:39:14 -0400 Subject: [PATCH 05/11] action: remove old output settings (#146) * action: remove old output settings Signed-off-by: William Woodruff * selftest: remove old test ref Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 22 ---------- README.md | 75 ---------------------------------- action.py | 18 -------- action.yml | 15 ------- 4 files changed, 130 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index f2edc93..bc0e724 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
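Review bot: Flipping `release-signing-artifacts` to `"true"` makes the action attempt a write to the triggering release by default, which needs `contents: write`, yet the description string on the same input still reads like an opt-in feature; stating the new default and the permission in the metadata (the README's "Requires the contents: write permission" sentence is not visible to someone reading only action.yml) would read e.g. `description: "attach all signing artifacts as release assets (default true on release events; requires the contents: write permission)"`. The `internal-be-careful-debug` description also embeds "(default false)" while the sibling inputs rely on the `default:` key alone; dropping that parenthetical keeps the inputs consistent. Quoting the defaults as strings is correct for a composite action, since action.py compares the environment values against the literal strings `"true"` and `"false"`.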
@@ -256,27 +256,6 @@ jobs: [[ -f ./artifact.txt.sigstore.json ]] || exit 1 working-directory: ./test/uploaded - selftest-custom-paths: - runs-on: ubuntu-latest - if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork - steps: - - uses: actions/checkout@v4 - - name: Sign artifact and publish signature - uses: ./ - id: sigstore-python - with: - inputs: ./test/artifact.txt - signature: ./test/custom_signature.sig - certificate: ./test/custom_certificate.crt - bundle: ./test/custom_bundle.sigstore - staging: true - internal-be-careful-debug: true - - name: Check outputs - run: | - [[ -f ./test/custom_signature.sig ]] || exit 1 - [[ -f ./test/custom_certificate.crt ]] || exit 1 - [[ -f ./test/custom_bundle.sigstore ]] || exit 1 - selftest-verify: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork @@ -376,7 +355,6 @@ jobs: - selftest-glob - selftest-glob-multiple - selftest-upload-artifacts - - selftest-custom-paths - selftest-verify - selftest-xfail-verify-missing-options - selftest-identity-token diff --git a/README.md b/README.md index a192f31..5e10741 100644 --- a/README.md +++ b/README.md 
@@ -128,81 +128,6 @@ Example: oidc-client-secret: alternative-sigstore-secret ``` -### `signature` - -**Default**: Empty (signature files will get named as `{input}.sig`) - -The `signature` setting controls the name of the output signature file. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - signature: custom-signature-filename.sig -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - signature: custom-signature-filename.sig -``` - -### `certificate` - -**Default**: Empty (certificate files will get named as `{input}.crt`) - -The `certificate` setting controls the name of the output certificate file. This setting does not -work when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - certificate: custom-certificate-filename.crt -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-certificate-filename.crt -``` - -### `bundle` - -**Default**: Empty (bundle files will get named as `{input}.sigstore`) - -The `bundle` setting controls the name of the output Sigstore bundle. This setting does not work -when signing multiple input files. - -Example: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file.txt - bundle: custom-bundle.sigstore -``` - -However, this example is invalid: - -```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 - with: - inputs: file0.txt file1.txt file2.txt - certificate: custom-bundle.sigstore -``` - ### `staging` **Default**: `false` diff --git a/action.py b/action.py index 1cd38fc..b6231b7 100755 --- a/action.py +++ b/action.py 
@@ -146,24 +146,6 @@ def _fatal_help(msg): if client_secret: sigstore_sign_args.extend(["--oidc-client-secret", client_secret]) -signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE") -if signature: - sigstore_sign_args.extend(["--signature", signature]) - sigstore_verify_args.extend(["--signature", signature]) - signing_artifact_paths.append(signature) - -certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE") -if certificate: - sigstore_sign_args.extend(["--certificate", certificate]) - sigstore_verify_args.extend(["--certificate", certificate]) - signing_artifact_paths.append(certificate) - -bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE") -if bundle: - sigstore_sign_args.extend(["--bundle", bundle]) - sigstore_verify_args.extend(["--bundle", bundle]) - signing_artifact_paths.append(bundle) - if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": sigstore_global_args.append("--staging") diff --git a/action.yml b/action.yml index cf1d467..2fd642b 100644 --- a/action.yml +++ b/action.yml @@ -32,18 +32,6 @@ inputs: description: "the custom OpenID Connect client secret to use during OAuth2" required: false default: "" - signature: - description: "write a single signature to the given file; does not work with multiple input files" - required: false - default: "" - certificate: - description: "write a single certificate to the given file; does not work with multiple input files" - required: false - default: "" - bundle: - description: "write a single Sigstore bundle to the given file; does not work with multiple input files" - required: false - default: "" staging: description: "use sigstore's staging instances, instead of the default production instances" required: false 
@@ -102,9 +90,6 @@ runs: PYTHONUTF8: "1" VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" - GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" - GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" - GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}" GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}" GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}" From da238ad4806ad4bceff0a421e715ba34c3c4f962 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 9 Jul 2024 20:09:40 +0300 Subject: [PATCH 06/11] Cleanup workflows (#148) * Workflows: remove default input arg from action call Signed-off-by: Jussi Kukkonen * workflows: Remove unnecessary selftest release-signing-artifacts defaults to "true" so the removed test now duplicates the previous test. We could try testing the release-signing-artifacts == "false" but that's a bit trickier since it could only be done in a release event... Signed-off-by: Jussi Kukkonen * workflows: Drop recently removed job from needs-list Signed-off-by: Jussi Kukkonen --------- Signed-off-by: Jussi Kukkonen --- .github/workflows/release.yml | 1 - .github/workflows/selftest.yml | 30 ------------------------------ 2 files changed, 31 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 70297e2..eeed331 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,4 +23,3 @@ jobs: id: sigstore-python with: inputs: action.yml action.py - release-signing-artifacts: true diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index bc0e724..dc9b3f9 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
@@ -93,35 +93,6 @@ jobs: [[ -f ./test/white\ space.txt ]] || exit 1 [[ -f ./test/more\ white\ space.txt ]] || exit 1 - selftest-release-signing-artifacts-no-op: - strategy: - matrix: - os: - - ubuntu-latest - - macos-latest - - windows-latest - runs-on: ${{ matrix.os }} - if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - if: ${{ matrix.os != 'ubuntu-latest' }} - with: - python-version: "3.x" - - name: Sign artifact and publish signature - uses: ./ - id: sigstore-python - with: - inputs: ./test/artifact.txt - # The trigger for this test is not a release, so this has no effect - # (but does not break the workflow either). - release-signing-artifacts: true - internal-be-careful-debug: true - - name: Check outputs - shell: bash - run: | - [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 - selftest-xfail-invalid-inputs: runs-on: ubuntu-latest strategy: @@ -349,7 +320,6 @@ jobs: needs: - selftest - selftest-whitespace - - selftest-release-signing-artifacts-no-op - selftest-xfail-invalid-inputs - selftest-staging - selftest-glob From f514d46b907ebcd5bedc05145c03b69c1edd8b46 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 15 Jul 2024 11:18:42 -0400 Subject: [PATCH 07/11] Prep 3.0.0 (#143) --- CHANGELOG.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 28 +++++++++++------------ 2 files changed, 78 insertions(+), 14 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..04da74d --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,64 @@ +# Changelog + +All notable changes to `gh-action-sigstore-python` will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +All versions prior to 3.0.0 are untracked. + +## [Unreleased] + +## [3.0.0] + +### Added + +* `inputs` now allows recursive globbing with `**` + ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106)) + +### Removed + +* The following settings have been removed: `fulcio-url`, `rekor-url`, + `ctfe`, `rekor-root-pubkey` + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) +* The following output settings have been removed: `signature`, + `certificate`, `bundle` + ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146)) + + +### Changed + +* `inputs` is now parsed according to POSIX shell lexing rules, improving + the action's consistency when used with filenames containing whitespace + or other significant characters + ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104)) + +* `inputs` is now optional *if* `release-signing-artifacts` is true + *and* the action's event is a `release` event. 
In this case, the action + takes no explicit inputs, but signs the source archives already attached + to the associated release + ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110)) + +* The default suffix has changed from `.sigstore` to `.sigstore.json`, + per Sigstore's client specification + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* `release-signing-artifacts` now defaults to `true` + ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142)) + +### Fixed + +* The `release-signing-artifacts` setting no longer causes a hard error + when used under the incorrect event + ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103)) + +* Various deprecations present in `sigstore-python`'s 2.x series have been + resolved + ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140)) + +* This workflow now supports CI runners that use PEP 668 to constrain global + package prefixes + ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145)) + + +[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD +[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0 diff --git a/README.md b/README.md index 5e10741..174d000 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file0.txt file1.txt file2.txt ``` 
@@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: ./path/to/inputs/*.txt ``` @@ -70,7 +70,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using POSIX shell lexing rules: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: | ./path/to/inputs/*.txt @@ -90,7 +90,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -106,7 +106,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-id: alternative-sigstore-id @@ -122,7 +122,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret @@ -138,7 +138,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt staging: true @@ -161,7 +161,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true 
@@ -184,7 +184,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -209,7 +209,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt verify: true @@ -231,7 +231,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt upload-signing-artifacts: true @@ -258,7 +258,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt release-signing-artifacts: true @@ -298,7 +298,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: file.txt internal-be-careful-debug: true From 35b92324b30c0d54bd855a061eebba8eb84d4986 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:51:43 -0400 Subject: [PATCH 08/11] build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group (#152) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/schedule-selftest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index b5f43e9..d259ddd 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml 
@@ -37,7 +37,7 @@ jobs: EOF - name: Open issue - uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0 + uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1 with: title: "[CI] Self-test failure" # created in the previous step From 2b042a8b3bf384a2c4f739f644281617576a91f1 Mon Sep 17 00:00:00 2001 From: Stefanie Molin <24376333+stefmolin@users.noreply.github.com> Date: Wed, 2 Oct 2024 02:41:59 -0400 Subject: [PATCH 09/11] Fix remaining reference to 2.1.1 in README (#154) Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 174d000..379ed05 100644 --- a/README.md +++ b/README.md @@ -274,7 +274,7 @@ permissions: # ... # no explicit settings needed, signs all pre-existing release artifacts -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 ``` ### Internal options From ac25d5ac15463b74656819a832bc80401a37fa59 Mon Sep 17 00:00:00 2001 From: rindeal Date: Wed, 2 Oct 2024 15:49:17 +0000 Subject: [PATCH 10/11] Enable debugging also if ACTIONS_STEP_DEBUG==true (#151) Co-authored-by: William Woodruff --- action.py | 3 ++- setup/setup.bash | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/action.py b/action.py index b6231b7..b0a43aa 100755 --- a/action.py +++ b/action.py @@ -37,7 +37,8 @@ _SUMMARY = Path(_summary_path).open("a") _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" -_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" +_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" or \ + os.getenv("ACTIONS_STEP_DEBUG", "false") == "true" _RELEASE_SIGNING_ARTIFACTS = ( os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true" 
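Review bot: The two flags in this hunk parse their environment values with opposite conventions: `_DEBUG` treats anything other than `"false"` as enabled, while the new `ACTIONS_STEP_DEBUG` clause and `_RELEASE_SIGNING_ARTIFACTS` accept only the literal `"true"`, so an input spelled `internal-be-careful-debug: yes` enables debugging but `release-signing-artifacts: yes` silently disables release uploads; the `staging` check earlier in the file (`!= "false"`) and the `debug()` function in setup/setup.bash in this same patch show the same split. A single helper that normalises the accepted spellings, applied to all four reads, would make the behaviour uniform. Since `ACTIONS_STEP_DEBUG` appears intended to follow the runner's repository-wide debug-logging toggle rather than a per-step input, this action's verbose path now turns on whenever a workflow is re-run with debug logging; if that path prints the identity token or other per-run secrets, the widened exposure is worth checking, as the input's "be careful" name suggests the opt-in was deliberate. The backslash continuation on the `_DEBUG` line could be replaced by wrapping the expression in parentheses, matching the style already used for `_RELEASE_SIGNING_ARTIFACTS` two lines below.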
diff --git a/setup/setup.bash b/setup/setup.bash index 62ece86..16785a6 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -22,8 +22,10 @@ die() { } debug() { - if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG}" = "true" ]]; then - echo -e "\033[93mDEBUG: ${1}\033[0m" + if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG:-false}" != "false" || \ + "${ACTIONS_STEP_DEBUG:-false}" == 'true' ]] + then + echo -e "\033[93mDEBUG: ${1}\033[0m" >&2 fi } From a1e4659dadfab808e840859d4b5007b8690d5027 Mon Sep 17 00:00:00 2001 From: DK96-OS <69859316+DK96-OS@users.noreply.github.com> Date: Tue, 3 Dec 2024 10:18:03 -0500 Subject: [PATCH 11/11] Project Root: * Update requirements.txt - upgrade sigstore 3.1, upgrade requests 2.32 Signed-off-by: DK96-OS <69859316+DK96-OS@users.noreply.github.com> --- requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 5ecd303..04468b2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -sigstore ~= 3.0 -requests ~= 2.28 +sigstore ~= 3.1 +requests ~= 2.32