-
Notifications
You must be signed in to change notification settings - Fork 11
/
action.yml
113 lines (106 loc) · 4.21 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Copyright 2022 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: "gh-action-sigstore-python"
author: "Sigstore Authors <sigstore-dev@googlegroups.com>"
description: "Use sigstore-python to sign Python packages"
inputs:
inputs:
description: "the files to sign, whitespace separated"
required: false
default: ""
identity-token:
description: "the OIDC identity token to use"
required: false
default: ""
oidc-client-id:
description: "the custom OpenID Connect client ID to use during OAuth2"
required: false
default: ""
oidc-client-secret:
description: "the custom OpenID Connect client secret to use during OAuth2"
required: false
default: ""
staging:
description: "use sigstore's staging instances, instead of the default production instances"
required: false
default: "false"
verify:
description: "verify the generated signatures after signing"
required: false
default: "false"
verify-cert-identity:
description: |
verify the identity in the signing certificate's Subject Alternative Name
required if `verify` is enabled; has no effect otherwise.
required: false
default: ""
verify-oidc-issuer:
description: |
verify the issuer extension of the signing certificate
required if `verify` is enabled; has no effect otherwise.
required: false
default: ""
upload-signing-artifacts:
description: "upload all signing artifacts as workflow artifacts"
required: false
default: "false"
release-signing-artifacts:
description: "attach all signing artifacts as release assets"
required: false
default: "true"
internal-be-careful-debug:
description: "run with debug logs (default false)"
required: false
default: "false"
runs:
using: "composite"
steps:
- name: Set up sigstore-python
id: setup
run: |
# NOTE: Sourced, not executed as a script.
source "${GITHUB_ACTION_PATH}/setup/setup.bash"
env:
GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
shell: bash
- name: Run sigstore-python
id: sigstore-python
run: |
"${VENV_PYTHON_PATH}" \
"${GITHUB_ACTION_PATH}/action.py" \
"${GHA_SIGSTORE_PYTHON_INPUTS}"
env:
# The year is 2023, and nonsense like this is still necessary on Windows.
PYTHONUTF8: "1"
VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}"
GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}"
shell: bash
- uses: actions/upload-artifact@v4
if: inputs.upload-signing-artifacts == 'true'
with:
name: "signing-artifacts-${{ github.job }}"
path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}"
- uses: softprops/action-gh-release@v2
if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published'
with:
files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}"