Fix release-signing-artifacts behavior and docs #103

Merged
merged 3 commits into from
Jan 10, 2024
30 changes: 30 additions & 0 deletions .github/workflows/selftest.yml
@@ -38,6 +38,35 @@ jobs:
run: |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1

selftest-release-signing-artifacts-no-op:
strategy:
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
runs-on: ${{ matrix.os }}
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
if: ${{ matrix.os != 'ubuntu-latest' }}
with:
python-version: "3.x"
- name: Sign artifact and publish signature
uses: ./
id: sigstore-python
with:
inputs: ./test/artifact.txt
# The trigger for this test is not a release, so this has no effect
# (but does not break the workflow either).
release-signing-artifacts: true
internal-be-careful-debug: true
- name: Check outputs
shell: bash
run: |
[[ -f ./test/artifact.txt.sigstore ]] || exit 1

selftest-xfail-invalid-inputs:
runs-on: ubuntu-latest
strategy:
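Review bot: the new `selftest-release-signing-artifacts-no-op` job only asserts that `./test/artifact.txt.sigstore` exists, which is the same check the preceding `selftest` job already performs, so it does not actually exercise the no-op claim in the comment above `release-signing-artifacts: true`. Since the job runs with `internal-be-careful-debug: true`, consider adding a step that inspects the action's output (or the step's outputs) to confirm that no release-asset download or upload was attempted on this non-`release` trigger; as written, a regression that reintroduces the unconditional upload path would only surface as a failure to find a release, not as a failed assertion in this job.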
@@ -285,6 +314,7 @@ jobs:

needs:
- selftest
- selftest-release-signing-artifacts-no-op
- selftest-xfail-invalid-inputs
- selftest-staging
- selftest-glob
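Review bot: the job id added to `needs` matches `selftest-release-signing-artifacts-no-op` from the first hunk, so the dependency wiring is consistent. One thing to confirm outside the visible context: that job carries the fork-pull-request `if:` guard, so it will be skipped on PRs from forks, and a job that lists a skipped job under `needs` is itself skipped unless it runs with `if: always()` (or an equivalent condition) and checks each dependency's result explicitly; if the aggregating job here does not already do that, fork PRs would silently lose this gate.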
1 change: 1 addition & 0 deletions README.md
@@ -370,6 +370,7 @@ Example:

The `release-signing-artifacts` setting controls whether or not `sigstore-python`
uploads signing artifacts to the release publishing event that triggered this run.
This setting has no effect on non-`release` events.
Member
I also did not realise the intended usage was to use the "release" event so this is useful (I've always made my release pipelines triggered from release git tags).

Same here, which is why I tripped over it.

Member Author
Yep, this was entirely an oversight on our side -- the actual release uploading step only runs when the event name matches; we just missed the corresponding check on this side 🙂


If enabled, this setting also re-uploads and signs GitHub's default source code artifacts,
as they are not guaranteed to be stable.
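Review bot: the added sentence "This setting has no effect on non-`release` events." states the behaviour correctly but, given the discussion on this hunk, it would help to spell out the case people actually trip over: a pipeline triggered by a tag push (`push` on a tag ref) is not a `release` event, so `release-signing-artifacts: true` does nothing there even though a release may later be created from that tag. One extra sentence to that effect, or a pointer to the `release` trigger in the example above, would save the next reader the same surprise.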
7 changes: 6 additions & 1 deletion action.py
@@ -38,6 +38,11 @@
_RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true"
_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false"

_RELEASE_SIGNING_ARTIFACTS = (
os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true"
and os.getenv("GITHUB_EVENT_NAME") == "release"
)


def _template(name):
path = _TEMPLATES / f"{name}.md"
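Review bot: the new `_RELEASE_SIGNING_ARTIFACTS` expression changes the default for an unset `GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS`: the old check in the second hunk (`os.getenv(...) == "true"`) treated a missing variable as disabled, whereas `os.getenv(..., "true") == "true"` treats it as enabled. That is harmless if the action metadata always populates the variable from the input's declared default, but if the intended default is off, `"false"` should be the fallback here so a missing variable cannot turn on release uploads. A smaller style point: `_DEBUG` two lines above parses its flag with `!= "false"` while this one uses `== "true"`; picking one convention for boolean inputs would avoid the two flags treating unexpected values (e.g. `"1"`) differently.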
@@ -189,7 +194,7 @@ def _fatal_help(msg):
elif verify_oidc_issuer:
sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])

if os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS") == "true":
if _RELEASE_SIGNING_ARTIFACTS:
for filetype in ["zip", "tar.gz"]:
artifact = _download_ref_asset(filetype)
if artifact is not None:
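Review bot: replacing the inline `os.getenv(...) == "true"` check with `_RELEASE_SIGNING_ARTIFACTS` is the right fix, since the event-name condition now gates the whole download-and-sign loop. Because the setting silently becomes a no-op on non-`release` events, consider emitting a message (at least under `_DEBUG`, which already exists in this module) when the input is enabled but `GITHUB_EVENT_NAME` is not `release`, so users who hit the situation described in the README thread can see from the log why no release artifacts were uploaded instead of having to infer it.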