action: download default release assets to sign

Signed-off-by: Andrew Pan <a@tny.town>
sigstore · Feb 15, 2023 · 400d4f4 · 400d4f4
1 parent 9ea3c9d
commit 400d4f4
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/action.py b/action.py
@@ -53,6 +53,34 @@ def _log(msg):
     print(msg, file=sys.stderr)
 
 
+def _download_ref_asset(ext):
+    repo = os.getenv('GITHUB_REPOSITORY')
+    ref = os.getenv("GITHUB_REF")
+
+    artifact = f"{os.getenv('GITHUB_REF_NAME')}-signed{ext}"
+
+    # GitHub supports /:org/:repo/archive/:ref<.tar.gz|.zip>.
+    # XX: will this work in Windows runners?
+    curl_status = subprocess.run(
+        ["curl",
+         "-f",
+         "-L",
+         "-o", str(artifact),
+         f"https://github.com/{repo}/archive/{ref}{ext}"],
+        text=True,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        # do not pass environment to curl
+    )
+    _debug(curl_status.stdout)
+
+    if curl_status.returncode != 0:
+        _summary(f"❌ failed to download {ext} archive for {ref}")
+        return None
+
+    return artifact
+
+
 def _sigstore_sign(global_args, sign_args):
     return ["python", "-m", "sigstore", *global_args, "sign", *sign_args]
 
@@ -163,6 +191,13 @@ def _fatal_help(msg):
 else:
     sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])
 
+if os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS") == "true":
+    for filetype in [".zip", ".tar.gz"]:
+        artifact = _download_ref_asset(filetype)
+        if artifact is not None:
+            signing_artifact_paths.append(artifact)
+            inputs.append(artifact)
+
 for input_ in inputs:
     # Forbid things that look like flags. This isn't a security boundary; just
     # a way to prevent (less motivated) users from breaking the action on themselves.

diff --git a/action.yml b/action.yml
@@ -123,6 +123,7 @@ runs:
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
+        GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash