Fix release-signing-artifacts
behavior and docs
#279
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Self-test | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
workflow_call: | |
permissions: | |
id-token: write | |
jobs: | |
selftest: | |
strategy: | |
matrix: | |
os: | |
- ubuntu-latest | |
- macos-latest | |
- windows-latest | |
runs-on: ${{ matrix.os }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
if: ${{ matrix.os != 'ubuntu-latest' }} | |
with: | |
python-version: "3.x" | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
internal-be-careful-debug: true | |
- name: Check outputs | |
shell: bash | |
run: | | |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1 | |
selftest-release-signing-artifacts-no-op: | |
strategy: | |
matrix: | |
os: | |
- ubuntu-latest | |
- macos-latest | |
- windows-latest | |
runs-on: ${{ matrix.os }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
if: ${{ matrix.os != 'ubuntu-latest' }} | |
with: | |
python-version: "3.x" | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
# The trigger for this test is not a release, so this has no effect | |
# (but does not break the workflow either). | |
release-signing-artifacts: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
shell: bash | |
run: | | |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1 | |
selftest-xfail-invalid-inputs: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
input: | |
# We forbid inputs that look like flags | |
- "--this-should-not-work" | |
# We fail if the input doesn't exist | |
- "/tmp/extremely-nonexistent-file" | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ${{ matrix.input }} | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-staging: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1 | |
selftest-glob: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifacts and publish signatures | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1 | |
[[ -f ./test/artifact1.txt.sigstore ]] || exit 1 | |
[[ -f ./test/artifact2.txt.sigstore ]] || exit 1 | |
selftest-xfail-glob-input-expansion: | |
runs-on: ubuntu-latest | |
env: | |
TEST_DIR: test | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifacts and publish signatures | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
# This should fail since we should never directly expand ${TEST_DIR}; | |
# the user should have to pre-expand it for us. | |
inputs: ./${TEST_DIR}/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-glob-multiple: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifacts and publish signatures | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact*.txt ./test/another*.txt ./test/subdir/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1 | |
[[ -f ./test/artifact1.txt.sigstore ]] || exit 1 | |
[[ -f ./test/artifact2.txt.sigstore ]] || exit 1 | |
[[ -f ./test/another1.txt.sigstore ]] || exit 1 | |
[[ -f ./test/another2.txt.sigstore ]] || exit 1 | |
[[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1 | |
[[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1 | |
[[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1 | |
selftest-upload-artifacts: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
staging: true | |
upload-signing-artifacts: true | |
internal-be-careful-debug: true | |
- uses: actions/download-artifact@v4 | |
with: | |
name: "signing-artifacts-${{ github.job }}" | |
path: ./test/uploaded | |
- name: Verify presence of uploaded files | |
run: | | |
[[ -f ./artifact.txt ]] || exit 1 | |
[[ -f ./artifact.txt.sigstore ]] || exit 1 | |
working-directory: ./test/uploaded | |
selftest-custom-paths: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
signature: ./test/custom_signature.sig | |
certificate: ./test/custom_certificate.crt | |
bundle: ./test/custom_bundle.sigstore | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/custom_signature.sig ]] || exit 1 | |
[[ -f ./test/custom_certificate.crt ]] || exit 1 | |
[[ -f ./test/custom_bundle.sigstore ]] || exit 1 | |
selftest-verify: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
verify: true | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
staging: true | |
internal-be-careful-debug: true | |
selftest-xfail-verify-missing-options: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
config: | |
# fails if both verify-cert-identity and verify-oidc-issuer are missing | |
- verify: true | |
# fails if either is missing | |
- verify: true | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
- verify: true | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
# fails if either option is passed while verification is disabled | |
- verify: false | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
- verify: false | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Sign artifact and publish signature | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
verify: ${{ matrix.config.verify }} | |
verify-oidc-issuer: ${{ matrix.config.verify-oidc-issuer }} | |
verify-cert-identity: ${{ matrix.config.verify-cert-identity }} | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-identity-token: | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get OIDC token | |
id: get-oidc-token | |
run: | | |
identity_token=$( \ | |
curl -H \ | |
"Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | |
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" \ | |
| jq -r .value \ | |
) | |
echo "identity-token=$identity_token" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
identity-token: ${{ steps.get-oidc-token.outputs.identity-token }} | |
staging: true | |
internal-be-careful-debug: true | |
all-selftests-pass: | |
if: always() | |
needs: | |
- selftest | |
- selftest-release-signing-artifacts-no-op | |
- selftest-xfail-invalid-inputs | |
- selftest-staging | |
- selftest-glob | |
- selftest-glob-multiple | |
- selftest-upload-artifacts | |
- selftest-custom-paths | |
- selftest-verify | |
- selftest-xfail-verify-missing-options | |
- selftest-identity-token | |
runs-on: ubuntu-latest | |
steps: | |
- name: check test jobs | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 | |
with: | |
jobs: ${{ toJSON(needs) }} |