Allow empty inputs with release artifacts (#110)

* Make inputs optional on releases if release-signing-artifacts is set to true Signed-off-by: Jean-Christophe Morin <[email protected]> * Add basic .gitignore to ignore venv Signed-off-by: Jean-Christophe Morin <[email protected]> * Make behavior more explicit Signed-off-by: Jean-Christophe Morin <[email protected]> --------- Signed-off-by: Jean-Christophe Morin <[email protected]>
sigstore · Feb 23, 2024 · 08a568c · 08a568c
1 parent 8579d48
commit 08a568c
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+env/
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ optional.
 ### `inputs`
 
 The `inputs` setting controls what files `sigstore-python` signs. At least one input must be
-provided.
+provided unless [release-signing-artifacts](#release-signing-artifacts) is set to `true` on release events.
 
 To sign one or more files:
 
@@ -405,6 +405,22 @@ permissions:
     release-signing-artifacts: true
 ```
 
+On release events, it is also valid to have no explicit inputs. When used on release
+events with `release-signing-artifacts: true`, this action will sign any pre-existing
+release artifacts:
+
+```yaml
+permissions:
+  contents: write
+
+# ...
+
+- uses: sigstore/[email protected]
+  with:
+    # Only valid on release events
+    release-signing-artifacts: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>

diff --git a/action.py b/action.py
@@ -106,7 +106,15 @@ def _fatal_help(msg):
     sys.exit(1)
 
 
-inputs = shlex.split(sys.argv[1])
+# Allow inputs to be empty if the event type is release and release-signing-artifacts is
+# set to true. This allows projects without artifacts to still sign the source
+# archives in their releases.
+inputs = shlex.split(sys.argv[1]) if len(sys.argv) == 2 else []
+if not inputs and not _RELEASE_SIGNING_ARTIFACTS:
+    _fatal_help(
+        "inputs must be specified when release-signing-artifacts is disabled "
+        "and the event type is not release"
+    )
 
 # The arguments we pass into `sigstore-python` get built up in these lists.
 sigstore_global_args = []

diff --git a/action.yml b/action.yml
@@ -18,7 +18,7 @@ description: "Use sigstore-python to sign Python packages"
 inputs:
   inputs:
     description: "the files to sign, whitespace separated"
-    required: true
+    required: false
     default: ""
   identity-token:
     description: "the OIDC identity token to use"