Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations

requirements: bump pypi-attestations to 0.0.15
2024-11-07 00:00:24 +01:00 · 2024-11-06 17:53:10 -05:00 · 2024-11-06 20:01:10 +01:00 · 2024-11-06 13:43:44 -05:00 · 2024-11-06 16:24:24 +01:00 · 2024-11-06 16:20:12 +01:00
6 changed files with 50 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -279,7 +279,7 @@ are released under the [BSD 3-clause license](LICENSE.md).


 [🧪 GitHub Actions CI/CD workflow tests badge]:
-https://github.com/pypa/gh-action-pypi-publish/actions/workflows/self-smoke-test-action.yml/badge.svg?branch=unstable%2Fv1&event=push
+https://github.com/pypa/gh-action-pypi-publish/actions/workflows/build-and-push-docker-image.yml/badge.svg?branch=unstable%2Fv1&event=push
 [GHA workflow runs list]:
 https://github.com/pypa/gh-action-pypi-publish/actions/workflows/self-smoke-test-action.yml?query=branch%3Aunstable%2Fv1

--- a/action.yml
+++ b/action.yml
@ -130,24 +130,44 @@ runs:
      PR_REF: ${{ github.event.pull_request.head.ref }}
      PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
-  - name: Check out action repo
-    uses: actions/checkout@v4
+  - name: Discover pre-installed Python
+    id: pre-installed-python
+    run: |
+      # 🔎 Discover pre-installed Python
+      echo "python-path=$(command -v python3 || :)" | tee -a "${GITHUB_OUTPUT}"
+    shell: bash
+  - name: Install Python 3
+    if: steps.pre-installed-python.outputs.python-path == ''
+    id: new-python
+    uses: actions/setup-python@v5
    with:
-      path: action-repo
-      ref: ${{ steps.set-repo-and-ref.outputs.ref }}
-      repository: ${{ steps.set-repo-and-ref.outputs.repo }}
+      python-version: 3.x
  - name: Create Docker container action
    run: |
      # Create Docker container action
-      python create-docker-action.py
+      ${{
+        steps.pre-installed-python.outputs.python-path == ''
+        && steps.new-python.outputs.python-path
+        || steps.pre-installed-python.outputs.python-path
+      }} '${{ github.action_path }}/create-docker-action.py'
    env:
      REF: ${{ steps.set-repo-and-ref.outputs.ref }}
      REPO: ${{ steps.set-repo-and-ref.outputs.repo }}
      REPO_ID: ${{ steps.set-repo-and-ref.outputs.repo-id }}
    shell: bash
-    working-directory: action-repo
  - name: Run Docker container
-    uses: ./action-repo/.github/actions/run-docker-container
+    # The generated trampoline action must exist in the allowlisted
+    # runner-defined working directory so it can be referenced by the
+    # relative path starting with `./`.
+    #
+    # This mutates the end-user's workspace slightly but uses a path
+    # that is unlikely to clash with somebody else's use.
+    #
+    # We cannot use randomized paths because the composite action
+    # syntax does not allow accessing variables in `uses:`. This
+    # means that we end up having to hardcode this path both here and
+    # in `create-docker-action.py`.
+    uses: ./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container
    with:
      user: ${{ inputs.user }}
      password: ${{ inputs.password }}
--- a/attestations.py
+++ b/attestations.py
@ -54,6 +54,7 @@ def debug(msg: str):
 def collect_dists(packages_dir: Path) -> list[Path]:
    # Collect all sdists and wheels.
    dist_paths = [sdist.resolve() for sdist in packages_dir.glob('*.tar.gz')]
+    dist_paths.extend(sdist.resolve() for sdist in packages_dir.glob('*.zip'))
    dist_paths.extend(whl.resolve() for whl in packages_dir.glob('*.whl'))

    # Make sure everything that looks like a dist actually is one.
--- a/create-docker-action.py
+++ b/create-docker-action.py
@ -10,10 +10,12 @@ REPO = os.environ['REPO']
 REPO_ID = os.environ['REPO_ID']
 REPO_ID_GH_ACTION = '178055147'

+ACTION_SHELL_CHECKOUT_PATH = pathlib.Path(__file__).parent.resolve()
+

 def set_image(ref: str, repo: str, repo_id: str) -> str:
    if repo_id == REPO_ID_GH_ACTION:
-        return '../../../Dockerfile'
+        return str(ACTION_SHELL_CHECKOUT_PATH / 'Dockerfile')
    docker_ref = ref.replace('/', '-')
    return f'docker://ghcr.io/{repo}:{docker_ref}'

@ -70,6 +72,20 @@ action = {
    },
 }

-action_path = pathlib.Path('.github/actions/run-docker-container/action.yml')
+# The generated trampoline action must exist in the allowlisted
+# runner-defined working directory so it can be referenced by the
+# relative path starting with `./`.
+#
+# This mutates the end-user's workspace slightly but uses a path
+# that is unlikely to clash with somebody else's use.
+#
+# We cannot use randomized paths because the composite action
+# syntax does not allow accessing variables in `uses:`. This
+# means that we end up having to hardcode this path both here and
+# in `action.yml`.
+action_path = pathlib.Path(
+    '.github/.tmp/.generated-actions/'
+    'run-pypi-publish-in-docker-container/action.yml',
+)
 action_path.parent.mkdir(parents=True, exist_ok=True)
 action_path.write_text(json.dumps(action, ensure_ascii=False), encoding='utf-8')
--- a/requirements/runtime.in
+++ b/requirements/runtime.in
@ -10,7 +10,7 @@ id ~= 1.0
 requests

 # NOTE: Used to generate attestations.
-pypi-attestations ~= 0.0.13
+pypi-attestations ~= 0.0.15
 sigstore ~= 3.5.1

 # NOTE: Used to detect the PyPI package name from the distribution files
--- a/requirements/runtime.txt
+++ b/requirements/runtime.txt
@ -93,7 +93,7 @@ pyjwt==2.8.0
    # via sigstore
 pyopenssl==24.1.0
    # via sigstore
-pypi-attestations==0.0.13
+pypi-attestations==0.0.15
    # via -r runtime.in
 python-dateutil==2.9.0.post0
    # via betterproto
Author	SHA1	Message	Date
Sviatoslav Sydorenko (Святослав Сидоренко)	15c56dba36	Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations requirements: bump pypi-attestations to 0.0.15	2024-11-07 00:00:24 +01:00
William Woodruff	fe8d1484ba	requirements: bump pypi-attestations to 0.0.15 Signed-off-by: William Woodruff <william@trailofbits.com>	2024-11-06 17:53:10 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)	1f5d4ec244	Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection	2024-11-06 20:01:10 +01:00
William Woodruff	fec2f0c0ce	attestations: collect *.zip sdists as well Signed-off-by: William Woodruff <william@trailofbits.com>	2024-11-06 13:43:44 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)	a8b73a6d88	Merge pull request #294 from webknjaz/bugfixes/optional-python	2024-11-06 16:24:24 +01:00
Sviatoslav Sydorenko	9b4dfb0c84	✨ Pre-install Python if there's none This is not usually the case for GitHub-hosted Runners but it might happen with self-hosted runners. Fixes #289.	2024-11-06 16:20:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)	0a87186d5f	Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action	2024-11-06 15:50:37 +01:00
Sviatoslav Sydorenko	dfcfeca43e	🧪 Use prefetched action to make trampoline Previously, the action repository was being cloned from the remote twice, unnecessarily. This patch eliminates this step and uses the copy that was checked out on job start. The generated trampoline action is still copied into the allowlisted working directory so it can be referenced by the relative path starting with `./`. It is now output under `./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container` which mutates the end-user's workspace slightly but uses a path that is unlikely to clash with somebody else's use. Unfortunately, we cannot use randomized paths because the composite action syntax does not allow accessing variables in `uses:`. Fixes #292.	2024-11-06 15:47:43 +01:00
Sviatoslav Sydorenko	0d02f372c3	📝💅 Update the CI/CD badge in README This is a follow-up for #230, which renamed the workflow filename.	2024-11-05 22:29:18 +01:00