Attach signing artifacts to GitHub releases if running in a release workflow (#14)

tetsuo-cpp · woodruffw · web-flow · commit b8b477c202a8 · 2022-08-01T13:21:03.000-04:00
* Expose the signature and certificate outputs as workflow artifacts

* Put each path on a newline

* Cleanup

* Support `--certificate` and `--signature` flags

* Don't write artifact paths if `--no-default-files` has been provided

* Attach signing artifacts to GitHub releases if running in a release workflow

* Fix GH Action name

* Change the trigger from tag pushes to release creation

* action: setting for release artifacts

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* README: document `release-signing-artifacts` setting

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

Co-authored-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/README.md b/README.md
@@ -298,6 +298,31 @@ Example:
     upload-signing-artifacts: true
 ```
 
+### `release-signing-artifacts`
+
+**Default**: `false`
+
+The `release-signing-artifacts` setting controls whether or not `sigstore-python`
+uploads signing artifacts to the release that triggered this run.
+
+By default, no release assets are uploaded.
+
+Requires the [`contents: write` permission](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
+
+Example:
+
+```yaml
+permissions:
+  contents: write
+
+# ...
+
+- uses: trailofbits/gh-action-sigstore-python@v0.0.2
+  with:
+    inputs: file.txt
+    release-signing-artifacts: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>
diff --git a/action.yml b/action.yml
@@ -58,6 +58,10 @@ inputs:
     description: "upload all signing artifacts as workflow artifacts"
     required: false
     default: false
+  release-signing-artifacts:
+    description: "attach all signing artifacts as release assets"
+    required: false
+    default: false
   internal-be-careful-debug:
     description: "run with debug logs (default false)"
     required: false
@@ -93,7 +97,12 @@ runs:
       shell: bash
 
     - uses: actions/upload-artifact@v3
-      if: ${{ inputs.upload-signing-artifacts == 'true' }}
+      if: inputs.upload-signing-artifacts == 'true'
       with:
         name: "signing-artifacts-${{ github.job }}"
         path: "${{ env.GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS }}"
+
+    - uses: softprops/action-gh-release@v1
+      if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'created'
+      with:
+        files: "${{ env.GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS }}"
