From 08a568c3d1b0d7483cb913510a741887d37c57e0 Mon Sep 17 00:00:00 2001 From: Jean-Christophe Morin <38703886+JeanChristopheMorinPerso@users.noreply.github.com> Date: Fri, 23 Feb 2024 18:06:53 -0500 Subject: [PATCH] Allow empty inputs with release artifacts (#110) * Make inputs optional on releases if release-signing-artifacts is set to true Signed-off-by: Jean-Christophe Morin * Add basic .gitignore to ignore venv Signed-off-by: Jean-Christophe Morin * Make behavior more explicit Signed-off-by: Jean-Christophe Morin --------- Signed-off-by: Jean-Christophe Morin --- .gitignore | 1 + README.md | 18 +++++++++++++++++- action.py | 10 +++++++++- action.yml | 2 +- 4 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ae412d6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +env/ \ No newline at end of file diff --git a/README.md b/README.md index d278aa1..1639198 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ optional. ### `inputs` The `inputs` setting controls what files `sigstore-python` signs. At least one input must be -provided. +provided unless [release-signing-artifacts](#release-signing-artifacts) is set to `true` on release events. To sign one or more files: @@ -405,6 +405,22 @@ permissions: release-signing-artifacts: true ``` +On release events, it is also valid to have no explicit inputs. When used on release +events with `release-signing-artifacts: true`, this action will sign any pre-existing +release artifacts: + +```yaml +permissions: + contents: write + +# ... + +- uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + # Only valid on release events + release-signing-artifacts: true +``` + ### Internal options
⚠️ Internal options ⚠️ diff --git a/action.py b/action.py index c721f6b..0e7ec00 100755 --- a/action.py +++ b/action.py @@ -106,7 +106,15 @@ def _fatal_help(msg): sys.exit(1) -inputs = shlex.split(sys.argv[1]) +# Allow inputs to be empty if the event type is release and release-signing-artifacts is +# set to true. This allows projects without artifacts to still sign the source +# archives in their releases. +inputs = shlex.split(sys.argv[1]) if len(sys.argv) == 2 else [] +if not inputs and not _RELEASE_SIGNING_ARTIFACTS: + _fatal_help( + "inputs must be specified when release-signing-artifacts is disabled " + "and the event type is not release" + ) # The arguments we pass into `sigstore-python` get built up in these lists. sigstore_global_args = [] diff --git a/action.yml b/action.yml index 70a8702..05bc508 100644 --- a/action.yml +++ b/action.yml @@ -18,7 +18,7 @@ description: "Use sigstore-python to sign Python packages" inputs: inputs: description: "the files to sign, whitespace separated" - required: true + required: false default: "" identity-token: description: "the OIDC identity token to use"
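Review bot: The guard added after the new `inputs = ...` line tests only `_RELEASE_SIGNING_ARTIFACTS`, while its error message also names the event type, so the condition and the message disagree: on a non-release event with `release-signing-artifacts: true` and an empty `inputs` input, this check passes and the script continues with `inputs == []` (what the later sigstore invocation does with an empty list is outside the hunk). If the script already knows the event name (not visible in this hunk), the condition should include it, e.g. `if not inputs and not (_RELEASE_SIGNING_ARTIFACTS and <event-is-release placeholder>):`, so the README's "only valid on release events" is enforced rather than documented; otherwise the message should drop `and the event type is not release` so it states exactly what is checked. Separately, `if len(sys.argv) == 2 else []` treats any other argv length, including a wrapper passing too many arguments, as "no inputs", which is a silent failure mode for a signing step; `shlex.split(sys.argv[1] if len(sys.argv) > 1 else "")` keeps the old behaviour and only covers the missing-argument case. This note also covers the action.yml hunk, which makes `inputs` optional with an empty default and relies on this check as its only validation.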