Prep 1.2.0 (#52)

woodruffw · web-flow · commit 310f3cb441ad · 2023-02-15T16:37:26.000-05:00
* action: mark env var as internal explicitly

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* README: prep 1.2.0

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

---------

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: install
         run: python -m pip install .
-      - uses: sigstore/gh-action-sigstore-python@v1.1.0
+      - uses: sigstore/gh-action-sigstore-python@v1.2.0
         with:
           inputs: file.txt
 ```
@@ -53,15 +53,15 @@ provided.
 To sign one or more files:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file0.txt file1.txt file2.txt
 ```
 
 The `inputs` argument also supports file globbing:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: ./path/to/inputs/*.txt
 ```
@@ -74,7 +74,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
 workflow will use the credentials found in the GitHub Actions environment.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
@@ -90,7 +90,7 @@ Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     oidc-client-id: alternative-sigstore-id
@@ -106,7 +106,7 @@ Connect Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     oidc-client-secret: alternative-sigstore-secret
@@ -122,7 +122,7 @@ when signing multiple input files.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     signature: custom-signature-filename.sig
@@ -131,7 +131,7 @@ Example:
 However, this example is invalid:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file0.txt file1.txt file2.txt
     signature: custom-signature-filename.sig
@@ -147,7 +147,7 @@ work when signing multiple input files.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     certificate: custom-certificate-filename.crt
@@ -156,7 +156,7 @@ Example:
 However, this example is invalid:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file0.txt file1.txt file2.txt
     certificate: custom-certificate-filename.crt
@@ -172,7 +172,7 @@ when signing multiple input files.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     bundle: custom-bundle.sigstore
@@ -181,7 +181,7 @@ Example:
 However, this example is invalid:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file0.txt file1.txt file2.txt
     certificate: custom-bundle.sigstore
@@ -197,7 +197,7 @@ from. This setting cannot be used in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     fulcio-url: https://fulcio.sigstage.dev
@@ -213,7 +213,7 @@ cannot be used in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     rekor-url: https://rekor.sigstage.dev
@@ -229,7 +229,7 @@ in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     ctfe: ./path/to/ctfe.pub
@@ -245,7 +245,7 @@ be used in combination with `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     ctfe: ./path/to/rekor.pub
@@ -261,7 +261,7 @@ instead of the default production instances.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     staging: true
@@ -284,7 +284,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     verify: true
@@ -307,7 +307,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
 Supplying it without `verify-oidc-issuer` will produce an error.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     verify: true
@@ -332,7 +332,7 @@ Supplying it without `verify-cert-identity` will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     verify: true
@@ -354,7 +354,7 @@ workflow artifact retention period is used.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -382,7 +382,7 @@ permissions:
 
 # ...
 
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     release-signing-artifacts: true
@@ -404,7 +404,7 @@ signing artifact is uploaded.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.1.0
+- uses: sigstore/gh-action-sigstore-python@v1.2.0
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -432,7 +432,7 @@ Example:
   Example:
 
   ```yaml
-  - uses: sigstore/gh-action-sigstore-python@v1.1.0
+  - uses: sigstore/gh-action-sigstore-python@v1.2.0
     with:
       inputs: file.txt
       internal-be-careful-debug: true
diff --git a/action.py b/action.py
@@ -56,7 +56,7 @@ def _log(msg):
 
 
 def _download_ref_asset(ext):
-    repo = os.getenv('GITHUB_REPOSITORY')
+    repo = os.getenv("GITHUB_REPOSITORY")
     ref = os.getenv("GITHUB_REF")
 
     artifact = Path(f"/tmp/{os.getenv('GITHUB_REF_NAME')}").with_suffix(ext)
@@ -264,8 +264,8 @@ def _fatal_help(msg):
     assert verify_status is None
     sys.exit(sign_status.returncode)
 
-# Now populate the `GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS` environment variable
-# so that later steps know which files to upload as workflow artifacts.
+# Now populate the `GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS` environment
+# variable so that later steps know which files to upload as workflow artifacts.
 #
 # In GitHub Actions, environment variables can be made to persist across
 # workflow steps by appending to the file at `GITHUB_ENV`.
@@ -276,7 +276,7 @@ def _fatal_help(msg):
     # {value}
     # {delimiter}
     gh_env.write(
-        "GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS<<EOF"
+        "GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS<<EOF"
         + os.linesep
         + os.linesep.join(signing_artifact_paths)
         + os.linesep
diff --git a/action.yml b/action.yml
@@ -139,9 +139,9 @@ runs:
       if: inputs.upload-signing-artifacts == 'true'
       with:
         name: "signing-artifacts-${{ github.job }}"
-        path: "${{ env.GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS }}"
+        path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}"
 
     - uses: softprops/action-gh-release@v1
       if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published'
       with:
-        files: "${{ env.GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS }}"
+        files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}"
