From fbdd6efd7f34436b3219d3e71d50d3c9b469b609 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 22 Jun 2022 17:19:28 -0400
Subject: [PATCH] action, README: add settings for custom/extra indexes
Signed-off-by: William Woodruff
---
README.md | 37 +++++++++++++++++++++++++++++++++++++
action.py | 9 +++++++++
action.yml | 10 ++++++++++
3 files changed, 56 insertions(+)
diff --git a/README.md b/README.md
index 77e3307..6688ac9 100644
--- a/README.md
+++ b/README.md
@@ -196,6 +196,43 @@ Example:
 summary: false
 ```
+### `index-url`
+
+**Default**: Empty, indicating [PyPI](https://pypi.org)
+
+The `index-url` setting specifies a base URL for an alternative PEP 503-compatible
+package index.
+
+**This is probably not want you want.** If your goal is to add *complementary*
+indices to search (such as a corporate index with private packages), see
+[`extra-index-urls`](#extra-index-urls).
+
+Example:
+
+```yaml
+- uses: trailofbits/gh-action-pip-audit@v0.0.4
+ with:
+ index-url: https://example.corporate.local/simple
+```
+
+### `extra-index-urls`
+
+**Default**: Empty (no extra indexes are searched by default)
+
+The `extra-index-urls` specifies one or more *extra* PEP 503-compatible packages
+indexes to search when resolving dependencies. Each URL is whitespace-separated.
+
+
+Example:
+
+```yaml
+- uses: trailofbits/gh-action-pip-audit@v0.0.4
+ with:
+ extra-index-urls: |
+ https://example.corporate.local/simple
+ https://prod.corporate.local/simple
+```
+
 ### Internal options
 ⚠️ Internal options ⚠️
diff --git a/action.py b/action.py
index 8576845..db39340 100755
--- a/action.py
+++ b/action.py
@@ -72,6 +72,15 @@ def _fatal_help(msg):
 if os.getenv("GHA_PIP_AUDIT_LOCAL", "false") != "false":
 pip_audit_args.append("--local")
+index_url = os.getenv("GHA_PIP_AUDIT_INDEX_URL")
+if index_url != "":
+ pip_audit_args.extend(["--index-url", index_url])
+
+
+extra_index_urls = os.getenv("GHA_PIP_AUDIT_EXTRA_INDEX_URLS", "").split()
+if len(extra_index_urls) > 0:
+ for url in extra_index_urls:
+ pip_audit_args.extend(["--extra-index-url", url])
 pip_audit_args.extend(
 [
diff --git a/action.yml b/action.yml
index 5cbd597..5fee43e 100644
--- a/action.yml
+++ b/action.yml
@@ -30,6 +30,14 @@ inputs:
 description: "for environmental audits, consider only packages marked local (default false)"
 required: false
 default: false
+ index-url:
+ description: "the base URL for the PEP 503-compatible package index to use"
+ required: false
+ default: ""
+ extra-index-urls:
+ description: "extra PEP 503-compatible indexes to use, space separated"
+ required: false
+ default: ""
 internal-be-careful-allow-failure:
 description: "don't fail the job if the audit fails (default false)"
 required: false
@@ -67,6 +75,8 @@ runs:
 GHA_PIP_AUDIT_VULNERABILITY_SERVICE: "${{ inputs.vulnerability-service }}"
 GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT: "${{ inputs.virtual-environment }}"
 GHA_PIP_AUDIT_LOCAL: "${{ inputs.local }}"
+ GHA_PIP_AUDIT_INDEX_URL: "${{ inputs.index-url }}"
+ GHA_PIP_AUDIT_EXTRA_INDEX_URLS: "${{ inputs.extra-index-urls }}"
 GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
 GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
 shell: bash
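Review bot: `index_url = os.getenv("GHA_PIP_AUDIT_INDEX_URL")` has no default, so when the variable is unset `index_url` is `None`, the `!= ""` test passes and `None` is appended to `pip_audit_args`, which would presumably fail wherever that list is handed to the subprocess outside this hunk. The action.yml hunk always sets the variable, so the wired-up path avoids it, but running action.py outside the action hits it, and it is inconsistent with the `extra_index_urls` line just below, which does default to `""`. Use `index_url = os.getenv("GHA_PIP_AUDIT_INDEX_URL", "")` and `if index_url:` so a whitespace-only value is also ignored; the `if len(extra_index_urls) > 0:` guard is redundant because iterating an empty list already does nothing. Since `--index-url` replaces the default index for resolution while the extra indexes are additive (as the README hunk notes), a comment such as `# --index-url replaces PyPI entirely; --extra-index-url entries are additive` next to these lines would keep that distinction visible in the code. Separately, the README hunk reads "not want you want" where "not what you want" is meant.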
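Review bot: The `extra-index-urls` description in the first action.yml hunk says "space separated", while the README hunk documents the value as whitespace-separated and its example passes one URL per line through a block scalar, which action.py's `.split()` accepts; align the description, e.g. `description: "extra PEP 503-compatible indexes to use, whitespace (space or newline) separated"`. The `index-url` description could also carry the README's caveat that it replaces the default index rather than adding to it, e.g. `description: "base URL of a PEP 503-compatible index to use instead of PyPI (see extra-index-urls to add indexes)"`. The second action.yml hunk only wires the two inputs into the environment and needs nothing further.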