_download_ref_asset does not handle file separators in branch names #62

Closed
@MatthiasValvekens

Description

Hi, I'm currently experimenting with sigstore releases on a branch named ci/release-workflow in one of my repos. I got the following error on my first test run:

Traceback (most recent call last):
  File "/home/runner/work/_actions/sigstore/gh-action-sigstore-python/v1.2.3/action.py", line 189, in <module>
    artifact = _download_ref_asset(filetype)
  File "/home/runner/work/_actions/sigstore/gh-action-sigstore-python/v1.2.3/action.py", line 70, in _download_ref_asset
    with artifact.open("wb") as io:
  File "/usr/lib/python3.10/pathlib.py", line 1119, in open
    return self._accessor.open(self, mode, buffering, encoding, errors,
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ci/release-workflow.zip'

Looking at the code, this line seems to be the culprit:

artifact = Path(f"/tmp/{os.getenv('GITHUB_REF_NAME')}.{ext}")

GITHUB_REF_NAME is ci/release-workflow in my case, so the path is rendered as /tmp/ci/release-workflow.zip, which results in a file not found error because the /tmp/ci directory doesn't exist.

Suggest either of the following:

  • Sanitise the refname to remove/replace characters that can't appear in file names
  • Create all parent directories prior to writing the file

Version

v1.2.3 of this GitHub action :)
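The two fixes suggested in the report, worked through as an added example (hypothetical helpers, not the action's own code): `flat_artifact_path` sanitises the ref so the artifact is always a single path component under the base directory, and `nested_artifact_path` keeps the `/` structure but creates the parent directories first, with a containment check so a malformed ref can never steer the write outside the base. `demo` exercises both in a scratch directory.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical helpers for the two fixes proposed above; not the action's own code.
SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")

def flat_artifact_path(ref_name: str, ext: str, base: str = "/tmp") -> Path:
    """Option 1: sanitise the ref so the artifact is one file directly under base.

    Every character outside the allow-list (notably '/') becomes '-', so
    'ci/release-workflow' maps to 'ci-release-workflow.zip' with no nesting.
    """
    safe = SAFE_CHARS.sub("-", ref_name).strip("-.") or "ref"
    return Path(base) / f"{safe}.{ext}"

def is_contained(artifact: Path, base: str) -> bool:
    """True if the resolved artifact path stays inside base."""
    return Path(base).resolve() in artifact.resolve().parents

def nested_artifact_path(ref_name: str, ext: str, base: str = "/tmp") -> Path:
    """Option 2: keep the ref's '/' structure and create the missing parents.

    git refuses '..' components in ref names, but the containment check is
    cheap and guards against a malformed or untrusted value all the same.
    """
    artifact = Path(base) / f"{ref_name}.{ext}"
    if not is_contained(artifact, base):
        raise ValueError(f"ref {ref_name!r} escapes {base}")
    artifact.parent.mkdir(parents=True, exist_ok=True)
    return artifact

def write_ref_asset(ref_name: str, ext: str, data: bytes, base: str, flat: bool) -> Path:
    """Write data using either strategy; this open() is the call that failed in the issue."""
    choose = flat_artifact_path if flat else nested_artifact_path
    artifact = choose(ref_name, ext, base)
    with artifact.open("wb") as io:
        io.write(data)
    return artifact

def demo(ref_name: str = "ci/release-workflow", ext: str = "zip") -> dict:
    """Run both strategies in a scratch directory; returns paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        flat = write_ref_asset(ref_name, ext, b"constructed", tmp, flat=True)
        nested = write_ref_asset(ref_name, ext, b"constructed", tmp, flat=False)
        return {"flat": flat.relative_to(tmp).as_posix(), "nested": nested.relative_to(tmp).as_posix()}
```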

Labels: bug