action.py: Support file globbing for inputs (#6)

tetsuo-cpp · web-flow · commit 4d9c525126f2 · 2022-07-11T10:37:29.000-04:00
* action.py: Support file globbing for inputs

* Delay path resolution

* workflows: Add glob selftest

* workflows, test: Add more artifacts so we can test file globbing properly

* README: Add info about file globbing to README
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -37,3 +37,16 @@ jobs:
       - name: Verify artifact signature
         run: |
           sigstore verify --certificate ./test/artifact.txt.crt --signature ./test/artifact.txt.sig --staging ./test/artifact.txt
+
+  selftest-glob:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifacts and publish signatures
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/*.txt
+      - name: Verify artifact signatures
+        run: |
+          sigstore verify ./test/artifact.txt ./test/artifact1.txt ./test/artifact2.txt
diff --git a/README.md b/README.md
@@ -50,6 +50,14 @@ To sign one or more files:
     inputs: file0.txt file1.txt file2.txt
 ```
 
+The `inputs` argument also supports file globbing:
+
+```yaml
+- uses: trailofbits/gh-action-sigstore-python@v0.0.1
+  with:
+    inputs: ./path/to/inputs/*.txt
+```
+
 ### `oidc-client-id`
 
 **Default**: `sigstore`
diff --git a/action.py b/action.py
@@ -8,6 +8,7 @@
 import os
 import subprocess
 import sys
+from glob import glob
 from pathlib import Path
 
 _OUTPUTS = [sys.stderr]
@@ -43,7 +44,7 @@ def _fatal_help(msg):
     sys.exit(1)
 
 
-inputs = [Path(p).resolve() for p in sys.argv[1].split()]
+inputs = sys.argv[1].split()
 summary = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a")
 
 # The arguments we pass into `sigstore-python` get built up in this list.
@@ -103,12 +104,16 @@ def _fatal_help(msg):
 for input_ in inputs:
     # Forbid things that look like flags. This isn't a security boundary; just
     # a way to prevent (less motivated) users from breaking the action on themselves.
-    if str(input_).startswith("-"):
+    if input_.startswith("-"):
         _fatal_help(f"input {input_} looks like a flag")
 
-    if not input_.is_file():
-        _fatal_help(f"input {input_} does not look like a file")
-    sigstore_python_args.append(input_)
+    files = [Path(f).resolve() for f in glob(input_)]
+
+    for file_ in files:
+        if not file_.is_file():
+            _fatal_help(f"input {file_} does not look like a file")
+
+    sigstore_python_args.extend(files)
 
 _debug(f"running: sigstore-python {[str(a) for a in sigstore_python_args]}")
 
diff --git a/test/artifact1.txt b/test/artifact1.txt
@@ -0,0 +1 @@
+Hello, World 1!
diff --git a/test/artifact2.txt b/test/artifact2.txt
@@ -0,0 +1 @@
+Hello, World 2!
