selftest: add checks to selftest-glob (#75)

Author: woodruffw

.github/workflows/selftest.yml

@@ -94,6 +94,60 @@ jobs:
           inputs: ./test/*.txt
           staging: true
           internal-be-careful-debug: true
+      - name: Check outputs
+        run: |
+          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+
+  selftest-xfail-glob-input-expansion:
+    runs-on: ubuntu-latest
+    env:
+      TEST_DIR: test
+    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifacts and publish signatures
+        continue-on-error: true
+        uses: ./
+        id: sigstore-python
+        with:
+          # This should fail since we should never directly expand ${TEST_DIR};
+          # the user should have to pre-expand it for us.
+          inputs: ./${TEST_DIR}/*.txt
+          staging: true
+          internal-be-careful-debug: true
+      - name: Check failure
+        env:
+          XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }}
+          JOB_NAME: ${{ github.job }}
+        run: |
+          echo "xfail ${JOB_NAME}: ${XFAIL}"
+
+          [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; }
+
+  selftest-glob-multiple:
+    runs-on: ubuntu-latest
+    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifacts and publish signatures
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact*.txt ./test/another*.txt ./test/subdir/*.txt
+          staging: true
+          internal-be-careful-debug: true
+      - name: Check outputs
+        run: |
+          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+          [[ -f ./test/another1.txt.sigstore ]] || exit 1
+          [[ -f ./test/another2.txt.sigstore ]] || exit 1
+          [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1
+          [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1
+          [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -234,6 +288,7 @@ jobs:
       - selftest-xfail-invalid-inputs
       - selftest-staging
       - selftest-glob
+      - selftest-glob-multiple
       - selftest-upload-artifacts
       - selftest-custom-paths
       - selftest-verify

README.md

@@ -66,6 +66,10 @@ The `inputs` argument also supports file globbing:
     inputs: ./path/to/inputs/*.txt
 ```
 
+> [!NOTE]\
+> In versions of this action before 2.0.0, the `inputs` setting allowed for shell expansion.
+> This was unintentional, and was removed with 2.0.0.
+
 ### `identity-token`
 
 **Default**: Empty (the GitHub Actions credential will be used)

action.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 
 # Copyright 2022 The Sigstore Authors
 #
@@ -201,7 +201,15 @@ def _fatal_help(msg):
     if input_.startswith("-"):
         _fatal_help(f"input {input_} looks like a flag")
 
-    files = [Path(f).resolve() for f in glob(input_)]
+    # NOTE: We use a set here to deduplicate inputs, in case a glob expands
+    # to the same input multiple times.
+    files = {Path(f).resolve() for f in glob(input_)}
+
+    # Prevent empty glob expansions, rather than silently allowing them.
+    # Either behavior is technically correct but an empty glob indicates
+    # user confusion, so we fail for them.
+    if not files:
+        _fatal_help(f"input {input_} doesn't expand to one or more filenames")
 
     for file_ in files:
         if not file_.is_file():

test/another1.txt

@@ -0,0 +1 @@
+Another input.

test/another2.txt

@@ -0,0 +1 @@
+Yet another input.