action, selftest: deprecate bundle-only: false

.github/workflows/release.yml

@@ -24,4 +24,3 @@ jobs:
         with:
           inputs: action.yml action.py
           release-signing-artifacts: true
-          bundle-only: true

.github/workflows/selftest.yml

@@ -23,8 +23,6 @@ jobs:
           inputs: ./test/artifact.txt
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sig ]] || exit 1
-          [[ -f ./test/artifact.txt.crt ]] || exit 1
           [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 
   selftest-xfail-invalid-inputs:
@@ -67,8 +65,6 @@ jobs:
           staging: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sig ]] || exit 1
-          [[ -f ./test/artifact.txt.crt ]] || exit 1
           [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 
   selftest-glob:
@@ -102,8 +98,6 @@ jobs:
       - name: Verify presence of uploaded files
         run: |
           [[ -f ./artifact.txt ]] || exit 1
-          [[ -f ./artifact.txt.sig ]] || exit 1
-          [[ -f ./artifact.txt.crt ]] || exit 1
           [[ -f ./artifact.txt.sigstore ]] || exit 1
         working-directory: ./test/uploaded
 

README.md

@@ -388,29 +388,6 @@ permissions:
     release-signing-artifacts: true
 ```
 
-### `bundle-only`
-
-**Default**: `false`
-
-The `bundle-only` setting controls whether or not `sigstore-python` uploads `.crt`
-or `.sig` artifacts.
-
-This setting affects the behavior of the `upload-signing-artifacts` and `release-signing-artifacts`
-settings. If neither of those settings are specified, this setting has no effect.
-
-By default, `.crt` and `.sig` artifacts are uploaded. If enabled, only the `.sigstore`
-signing artifact is uploaded.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.3
-  with:
-    inputs: file.txt
-    upload-signing-artifacts: true
-    bundle-only: true
-```
-
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>

action.py

@@ -190,7 +190,6 @@ def _fatal_help(msg):
         if artifact is not None:
             inputs.append(artifact)
 
-bundle_only = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE_ONLY") == "true"
 for input_ in inputs:
     # Forbid things that look like flags. This isn't a security boundary; just
     # a way to prevent (less motivated) users from breaking the action on themselves.
@@ -206,10 +205,6 @@ def _fatal_help(msg):
         # Also upload artifact being signed for.
         signing_artifact_paths.append(str(file_))
 
-        if not bundle_only and "--certificate" not in sigstore_sign_args:
-            signing_artifact_paths.append(f"{file_}.crt")
-        if not bundle_only and "--signature" not in sigstore_sign_args:
-            signing_artifact_paths.append(f"{file_}.sig")
         if "--bundle" not in sigstore_sign_args:
             signing_artifact_paths.append(f"{file_}.sigstore")
 

action.yml

@@ -90,13 +90,6 @@ inputs:
     description: "attach all signing artifacts as release assets"
     required: false
     default: false
-  bundle-only:
-    description: |
-      upload only the Sigstore bundle
-
-      has no effect if `upload-signing-artifacts` or `release-signing-artifacts` is not enabled
-    required: false
-    default: false
   internal-be-careful-debug:
     description: "run with debug logs (default false)"
     required: false
@@ -131,7 +124,6 @@ runs:
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
-        GHA_SIGSTORE_PYTHON_BUNDLE_ONLY: "${{ inputs.bundle-only }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash