Prep for 0.3.0 (#40)

* README: prep 0.3.0

Signed-off-by: William Woodruff <[email protected]>

* requirements: sigstore==0.10.0

Signed-off-by: William Woodruff <[email protected]>

* action: upgrade `sigstore` CLI usage

Signed-off-by: William Woodruff <[email protected]>

* README: tweak descriptions

Signed-off-by: William Woodruff <[email protected]>

* action: lintage

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

README.md

@@ -5,7 +5,7 @@ gh-action-sigstore-python
 [![Self-test](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml/badge.svg)](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml)
 
 A GitHub Action that uses [`sigstore-python`](https://github.com/sigstore/sigstore-python)
-to sign Python packages.
+to generate Sigstore signatures.
 
 ## Index
 
@@ -23,24 +23,22 @@ Simply add `sigstore/gh-action-sigstore-python` to one of your workflows:
 jobs:
   selftest:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v3
       - name: install
         run: python -m pip install .
-      - uses: sigstore/gh-action-sigstore-python@v0.2.0
+      - uses: sigstore/gh-action-sigstore-python@v0.3.0
         with:
           inputs: file.txt
 ```
 
-Your workflow must have permission to request the OIDC token to authenticate with. This can be done
-by having a top-level `permission` setting for your workflow.
+Note: Your workflow **must** have permission to request the OIDC token to authenticate with.
+This can be done by setting `id-token: write` on your job (as above) or workflow.
 
-```yaml
-permissions:
-  id-token: write
-```
-
-More information about permission settings can be found [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings).
+More information about permission settings can be found
+[here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings).
 
 ## Configuration
 
@@ -55,15 +53,15 @@ provided.
 To sign one or more files:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file0.txt file1.txt file2.txt
 ```
 
 The `inputs` argument also supports file globbing:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: ./path/to/inputs/*.txt
 ```
@@ -76,7 +74,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
 workflow will use the credentials found in the GitHub Actions environment.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
@@ -92,7 +90,7 @@ Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     oidc-client-id: alternative-sigstore-id
@@ -108,7 +106,7 @@ Connect Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     oidc-client-secret: alternative-sigstore-secret
@@ -124,7 +122,7 @@ when signing multiple input files.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     signature: custom-signature-filename.sig
@@ -133,7 +131,7 @@ Example:
 However, this example is invalid:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file0.txt file1.txt file2.txt
     signature: custom-signature-filename.sig
@@ -149,7 +147,7 @@ work when signing multiple input files.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     certificate: custom-certificate-filename.crt
@@ -158,7 +156,7 @@ Example:
 However, this example is invalid:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file0.txt file1.txt file2.txt
     certificate: custom-certificate-filename.crt
@@ -174,7 +172,7 @@ from. This setting cannot be used in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     fulcio-url: https://fulcio.sigstage.dev
@@ -190,7 +188,7 @@ cannot be used in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     rekor-url: https://rekor.sigstage.dev
@@ -206,7 +204,7 @@ in combination with the `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     ctfe: ./path/to/ctfe.pub
@@ -222,7 +220,7 @@ be used in combination with `staging` setting.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     ctfe: ./path/to/rekor.pub
@@ -238,7 +236,7 @@ instead of the default production instances.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     staging: true
@@ -261,7 +259,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     verify: true
@@ -284,7 +282,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
 Supplying it without `verify-oidc-issuer` will produce an error.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     verify: true
@@ -309,7 +307,7 @@ Supplying it without `verify-cert-identity` will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     verify: true
@@ -331,7 +329,7 @@ workflow artifact retention period is used.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -356,7 +354,7 @@ permissions:
 
 # ...
 
-- uses: sigstore/gh-action-sigstore-python@v0.2.0
+- uses: sigstore/gh-action-sigstore-python@v0.3.0
   with:
     inputs: file.txt
     release-signing-artifacts: true
@@ -383,7 +381,7 @@ permissions:
   Example:
 
   ```yaml
-  - uses: sigstore/gh-action-sigstore-python@v0.2.0
+  - uses: sigstore/gh-action-sigstore-python@v0.3.0
     with:
       inputs: file.txt
       internal-be-careful-debug: true

action.py

@@ -53,12 +53,20 @@ def _log(msg):
     print(msg, file=sys.stderr)
 
 
-def _sigstore_sign(*args):
-    return ["python", "-m", "sigstore", "sign", *args]
+def _sigstore_sign(global_args, sign_args):
+    return ["python", "-m", "sigstore", *global_args, "sign", *sign_args]
 
 
-def _sigstore_verify(*args):
-    return ["python", "-m", "sigstore", "verify", *args]
+def _sigstore_verify(global_args, verify_args):
+    return [
+        "python",
+        "-m",
+        "sigstore",
+        *global_args,
+        "verify",
+        "identity",
+        *verify_args,
+    ]
 
 
 def _warning(msg):
@@ -73,6 +81,7 @@ def _fatal_help(msg):
 inputs = sys.argv[1].split()
 
 # The arguments we pass into `sigstore-python` get built up in these lists.
+sigstore_global_args = []
 sigstore_sign_args = []
 sigstore_verify_args = []
 
@@ -127,20 +136,18 @@ def _fatal_help(msg):
 
 rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL")
 if rekor_url != "":
-    sigstore_sign_args.extend(["--rekor-url", rekor_url])
-    sigstore_verify_args.extend(["--rekor-url", rekor_url])
+    sigstore_global_args.extend(["--rekor-url", rekor_url])
 
 ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE")
 if ctfe != "":
     sigstore_sign_args.extend(["--ctfe", ctfe])
 
 rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY")
 if rekor_root_pubkey != "":
-    sigstore_sign_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
+    sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
 
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
-    sigstore_sign_args.append("--staging")
-    sigstore_verify_args.append("--staging")
+    sigstore_global_args.append("--staging")
 
 verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
 if enable_verify and not verify_cert_identity:
@@ -180,7 +187,7 @@ def _fatal_help(msg):
 _debug(f"signing: sigstore-python {[str(a) for a in sigstore_sign_args]}")
 
 sign_status = subprocess.run(
-    _sigstore_sign(*sigstore_sign_args),
+    _sigstore_sign(sigstore_global_args, sigstore_sign_args),
     text=True,
     stdout=subprocess.PIPE,
     stderr=subprocess.STDOUT,
@@ -199,7 +206,7 @@ def _fatal_help(msg):
     _debug(f"verifying: sigstore-python {[str(a) for a in sigstore_verify_args]}")
 
     verify_status = subprocess.run(
-        _sigstore_verify(*sigstore_verify_args),
+        _sigstore_verify(sigstore_global_args, sigstore_verify_args),
         text=True,
         stdout=subprocess.PIPE,
         stderr=subprocess.STDOUT,

requirements.txt

@@ -1 +1 @@
-sigstore==0.9.0
+sigstore==0.10.0