Expose the signature and certificate outputs as workflow artifacts (#11)

* Expose the signature and certificate outputs as workflow artifacts

* Put each path on a newline

* Cleanup

* Support `--certificate` and `--signature` flags

* Don't write artifact paths if `--no-default-files` has been provided

* README, action: configure workflow artifacts

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: test artifact uploads

Signed-off-by: William Woodruff <[email protected]>

* action: fiddle with condition

Signed-off-by: William Woodruff <[email protected]>

Co-authored-by: William Woodruff <[email protected]>

Author: tetsuo-cpp

.github/workflows/selftest.yml

@@ -50,3 +50,15 @@ jobs:
       - name: Verify artifact signatures
         run: |
           sigstore verify ./test/artifact.txt ./test/artifact1.txt ./test/artifact2.txt
+
+  selftest-upload-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          staging: true
+          upload-signing-artifacts: true

README.md

@@ -278,6 +278,26 @@ Example:
     staging: true
 ```
 
+### `upload-signing-artifacts`
+
+**Default**: `false`
+
+The `upload-signing-artifacts` setting controls whether or not `sigstore-python` creates
+[workflow artifacts](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts)
+for the outputs produced by signing operations.
+
+By default, no workflow artifacts are uploaded. When enabled, the default
+workflow artifact retention period is used.
+
+Example:
+
+```yaml
+- uses: trailofbits/[email protected]
+  with:
+    inputs: file.txt
+    upload-signing-artifacts: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>

action.py

@@ -53,6 +53,10 @@ def _fatal_help(msg):
 # The environment variables that we apply to `sigstore-python`.
 sigstore_python_env = {}
 
+# A list of paths to signing artifacts generated by `sigstore-python`. We want
+# to upload these as workflow artifacts after signing.
+signing_artifact_paths = []
+
 if _DEBUG:
     sigstore_python_env["SIGSTORE_LOGLEVEL"] = "DEBUG"
 
@@ -70,10 +74,12 @@ def _fatal_help(msg):
 output_signature = os.getenv("GHA_SIGSTORE_PYTHON_OUTPUT_SIGNATURE")
 if output_signature != "":
     sigstore_python_args.extend(["--output-signature", output_signature])
+    signing_artifact_paths.append(output_signature)
 
 output_certificate = os.getenv("GHA_SIGSTORE_PYTHON_OUTPUT_CERTIFICATE")
 if output_certificate != "":
     sigstore_python_args.extend(["--output-certificate", output_certificate])
+    signing_artifact_paths.append(output_certificate)
 
 if os.getenv("GHA_SIGSTORE_PYTHON_OVERWRITE", "false") != "false":
     sigstore_python_args.append("--overwrite")
@@ -112,6 +118,10 @@ def _fatal_help(msg):
     for file_ in files:
         if not file_.is_file():
             _fatal_help(f"input {file_} does not look like a file")
+        if "--output_certificate" not in sigstore_python_args:
+            signing_artifact_paths.append(f"{file_}.crt")
+        if "--output_signature" not in sigstore_python_args:
+            signing_artifact_paths.append(f"{file_}.sig")
 
     sigstore_python_args.extend(files)
 
@@ -150,4 +160,24 @@ def _fatal_help(msg):
     """
 )
 
+# Now populate the `GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS` environment variable
+# so that later steps know which files to upload as workflow artifacts.
+#
+# In GitHub Actions, environment variables can be made to persist across
+# workflow steps by appending to the file at `GITHUB_ENV`.
+if "--no-default-files" not in sigstore_python_args:
+    with Path(os.getenv("GITHUB_ENV")).open("a") as gh_env:
+        # Multiline values must match the following syntax:
+        #
+        # {name}<<{delimiter}
+        # {value}
+        # {delimiter}
+        gh_env.write(
+            "GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS<<EOF"
+            + os.linesep
+            + os.linesep.join(signing_artifact_paths)
+            + os.linesep
+            + "EOF"
+        )
+
 sys.exit(status.returncode)

action.yml

@@ -54,10 +54,15 @@ inputs:
     description: "use sigstore's staging instances, instead of the default production instances"
     required: false
     default: false
+  upload-signing-artifacts:
+    description: "upload all signing artifacts as workflow artifacts"
+    required: false
+    default: false
   internal-be-careful-debug:
     description: "run with debug logs (default false)"
     required: false
     default: false
+
 runs:
   using: "composite"
   steps:
@@ -86,3 +91,9 @@ runs:
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash
+
+    - uses: actions/upload-artifact@v3
+      if: ${{ inputs.upload-signing-artifacts == 'true' }}
+      with:
+        name: "signing-artifacts-${{ github.job }}"
+        path: "${{ env.GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS }}"