Merge pull request #161 from sigstore/ww/warn #339
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Self-test | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
workflow_call: | |
permissions: {} | |
jobs: | |
selftest: | |
permissions: | |
id-token: write | |
strategy: | |
matrix: | |
os: | |
- ubuntu-latest | |
- macos-latest | |
- windows-latest | |
# TODO: Can be removed when 24.04 becomes ubuntu-latest. | |
- ubuntu-24.04 | |
runs-on: ${{ matrix.os }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
if: ${{ matrix.os != 'ubuntu-latest' }} | |
with: | |
python-version: "3.x" | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
internal-be-careful-debug: true | |
- name: Check outputs | |
shell: bash | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
selftest-runner-python: | |
permissions: | |
id-token: write | |
strategy: | |
matrix: | |
os: | |
- ubuntu-latest | |
# TODO: Can be removed when 24.04 becomes ubuntu-latest. | |
- ubuntu-24.04 | |
runs-on: ${{ matrix.os }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
internal-be-careful-debug: true | |
- name: Check outputs | |
shell: bash | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
selftest-whitespace: | |
permissions: | |
id-token: write | |
strategy: | |
matrix: | |
os: | |
- ubuntu-latest | |
- macos-latest | |
- windows-latest | |
runs-on: ${{ matrix.os }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
if: ${{ matrix.os != 'ubuntu-latest' }} | |
with: | |
python-version: "3.x" | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: | | |
./test/artifact.txt | |
./test/white\ space.txt | |
./test/"more white space.txt" | |
internal-be-careful-debug: true | |
- name: Check outputs | |
shell: bash | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/white\ space.txt ]] || exit 1 | |
[[ -f ./test/more\ white\ space.txt ]] || exit 1 | |
selftest-xfail-invalid-inputs: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
input: | |
# We forbid inputs that look like flags | |
- "--this-should-not-work" | |
# We fail if the input doesn't exist | |
- "/tmp/extremely-nonexistent-file" | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ${{ matrix.input }} | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-staging: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
selftest-glob: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifacts and publish signatures | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 | |
selftest-xfail-glob-input-expansion: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
env: | |
TEST_DIR: test | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifacts and publish signatures | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
# This should fail since we should never directly expand ${TEST_DIR}; | |
# the user should have to pre-expand it for us. | |
inputs: ./${TEST_DIR}/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-glob-multiple: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifacts and publish signatures | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact*.txt ./test/another*.txt ./test/subdir/*.txt | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check outputs | |
run: | | |
[[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/another1.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/another2.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1 | |
[[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 | |
selftest-upload-artifacts: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
staging: true | |
upload-signing-artifacts: true | |
internal-be-careful-debug: true | |
- uses: actions/download-artifact@v4 | |
with: | |
name: "signing-artifacts-${{ github.job }}" | |
path: ./test/uploaded | |
- name: Verify presence of uploaded files | |
run: | | |
[[ -f ./artifact.txt ]] || exit 1 | |
[[ -f ./artifact.txt.sigstore.json ]] || exit 1 | |
working-directory: ./test/uploaded | |
selftest-verify: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
verify: true | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
staging: true | |
internal-be-careful-debug: true | |
selftest-xfail-verify-missing-options: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
config: | |
# fails if both verify-cert-identity and verify-oidc-issuer are missing | |
- verify: true | |
# fails if either is missing | |
- verify: true | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
- verify: true | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
# fails if either option is passed while verification is disabled | |
- verify: false | |
verify-oidc-issuer: https://token.actions.githubusercontent.com | |
- verify: false | |
verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }} | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Sign artifact and publish signature | |
continue-on-error: true | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
verify: ${{ matrix.config.verify }} | |
verify-oidc-issuer: ${{ matrix.config.verify-oidc-issuer }} | |
verify-cert-identity: ${{ matrix.config.verify-cert-identity }} | |
staging: true | |
internal-be-careful-debug: true | |
- name: Check failure | |
env: | |
XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }} | |
JOB_NAME: ${{ github.job }} | |
run: | | |
echo "xfail ${JOB_NAME}: ${XFAIL}" | |
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } | |
selftest-identity-token: | |
permissions: | |
id-token: write | |
runs-on: ubuntu-latest | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Get OIDC token | |
id: get-oidc-token | |
run: | | |
identity_token=$( \ | |
curl -H \ | |
"Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | |
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" \ | |
| jq -r .value \ | |
) | |
echo "identity-token=$identity_token" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Sign artifact and publish signature | |
uses: ./ | |
id: sigstore-python | |
with: | |
inputs: ./test/artifact.txt | |
identity-token: ${{ steps.get-oidc-token.outputs.identity-token }} | |
staging: true | |
internal-be-careful-debug: true | |
all-selftests-pass: | |
if: always() | |
needs: | |
- selftest | |
- selftest-whitespace | |
- selftest-xfail-invalid-inputs | |
- selftest-staging | |
- selftest-glob | |
- selftest-glob-multiple | |
- selftest-upload-artifacts | |
- selftest-verify | |
- selftest-xfail-verify-missing-options | |
- selftest-identity-token | |
runs-on: ubuntu-latest | |
steps: | |
- name: check test jobs | |
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork | |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 | |
with: | |
jobs: ${{ toJSON(needs) }} |