Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_download_ref_asset does not handle file separators in branch names #62

Closed
MatthiasValvekens opened this issue Apr 22, 2023 · 2 comments · Fixed by #63
Closed

_download_ref_asset does not handle file separators in branch names #62

MatthiasValvekens opened this issue Apr 22, 2023 · 2 comments · Fixed by #63
Assignees
@woodruffw
Labels
bug Something isn't working

Comments

@MatthiasValvekens
Copy link

Description

Hi, I'm currently experimenting with sigstore releases on a branch named ci/release-workflow in one of my repos. I got the following error on my first test run:

Traceback (most recent call last):
  File "/home/runner/work/_actions/sigstore/gh-action-sigstore-python/v1.2.3/action.py", line 189, in <module>
    artifact = _download_ref_asset(filetype)
  File "/home/runner/work/_actions/sigstore/gh-action-sigstore-python/v1.2.3/action.py", line 70, in _download_ref_asset
    with artifact.open("wb") as io:
  File "/usr/lib/python3.10/pathlib.py", line 1119, in open
    return self._accessor.open(self, mode, buffering, encoding, errors,
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ci/release-workflow.zip'

Looking at the code, this line seems to be the culprit:

gh-action-sigstore-python/action.py

Line 65 in e323e1b

artifact = Path(f"/tmp/{os.getenv('GITHUB_REF_NAME')}.{ext}")

GITHUB_REF_NAME is ci/release-workflow in my case, so the path is rendered as /tmp/ci/release-workflow.zip, which results in a file not found error because the /tmp/ci directory doesn't exist.

Suggest either of the following:

  • Sanitise the refname to remove/replace characters that can't appear in file names
  • Create all parent directories prior to writing the file

Version

v1.2.3 of this GitHub action :)
@MatthiasValvekens MatthiasValvekens added the bug Something isn't working label Apr 22, 2023
@woodruffw
Copy link
Member

Thanks for the report @MatthiasValvekens!

Sanitizing the GITHUB_REF_NAME makes the most sense to me -- I can work on a fix for this in a bit.

@woodruffw woodruffw self-assigned this Apr 22, 2023
@MatthiasValvekens
Copy link
Author

That was quick---thanks!

woodruffw added a commit that referenced this issue Apr 22, 2023
@woodruffw
action: handle slashes in ref names
9a93bbf 
Fixes #62.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw mentioned this issue Apr 22, 2023
Merged
tetsuo-cpp pushed a commit that referenced this issue Apr 24, 2023
@woodruffw
action: handle slashes in ref names (#63)
64c04b5 
* action: handle slashes in ref names

Fixes #62.

Signed-off-by: William Woodruff <william@trailofbits.com>

* requirements: bump sigstore

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@woodruffw woodruffw

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

action: handle slashes in ref names sigstore/gh-action-sigstore-python
2 participants
@woodruffw @MatthiasValvekens