action: implement and document bundle-only (#49)

tnytown · web-flow · commit 607296ab1309 · 2023-02-15T16:25:50.000-05:00
* action: implement and document `bundle-only`

Signed-off-by: Andrew Pan &lt;a@tny.town&gt;

* workflows/release: enable `bundle-only`

Signed-off-by: Andrew Pan &lt;a@tny.town&gt;

---------

Signed-off-by: Andrew Pan &lt;a@tny.town&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,3 +24,4 @@ jobs:
         with:
           inputs: action.yml action.py
           release-signing-artifacts: true
+          bundle-only: true
diff --git a/README.md b/README.md
@@ -388,6 +388,29 @@ permissions:
     release-signing-artifacts: true
 ```
 
+### `bundle-only`
+
+**Default**: `false`
+
+The `bundle-only` setting controls whether or not `sigstore-python` uploads `.crt`
+or `.sig` artifacts.
+
+This setting affects the behavior of the `upload-signing-artifacts` and `release-signing-artifacts`
+settings. If neither of those settings are specified, this setting has no effect.
+
+By default, `.crt` and `.sig` artifacts are uploaded. If enabled, only the `.sigstore`
+signing artifact is uploaded.
+
+Example:
+
+```yaml
+- uses: sigstore/gh-action-sigstore-python@v1.1.0
+  with:
+    inputs: file.txt
+    upload-signing-artifacts: true
+    bundle-only: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>
diff --git a/action.py b/action.py
@@ -188,6 +188,7 @@ def _fatal_help(msg):
             signing_artifact_paths.append(artifact)
             inputs.append(artifact)
 
+bundle_only = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE_ONLY") == "true"
 for input_ in inputs:
     # Forbid things that look like flags. This isn't a security boundary; just
     # a way to prevent (less motivated) users from breaking the action on themselves.
@@ -199,9 +200,9 @@ def _fatal_help(msg):
     for file_ in files:
         if not file_.is_file():
             _fatal_help(f"input {file_} does not look like a file")
-        if "--certificate" not in sigstore_sign_args:
+        if not bundle_only and "--certificate" not in sigstore_sign_args:
             signing_artifact_paths.append(f"{file_}.crt")
-        if "--signature" not in sigstore_sign_args:
+        if not bundle_only and "--signature" not in sigstore_sign_args:
             signing_artifact_paths.append(f"{file_}.sig")
         if "--bundle" not in sigstore_sign_args:
             signing_artifact_paths.append(f"{file_}.sigstore")
diff --git a/action.yml b/action.yml
@@ -90,6 +90,13 @@ inputs:
     description: "attach all signing artifacts as release assets"
     required: false
     default: false
+  bundle-only:
+    description: |
+      upload only the Sigstore bundle
+
+      has no effect if `upload-signing-artifacts` or `release-signing-artifacts` is not enabled
+    required: false
+    default: false
   internal-be-careful-debug:
     description: "run with debug logs (default false)"
     required: false
@@ -124,6 +131,7 @@ runs:
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
+        GHA_SIGSTORE_PYTHON_BUNDLE_ONLY: "${{ inputs.bundle-only }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash
 
