action: accommodate Windows (#72)

woodruffw · web-flow · commit 0f34eb3f2518 · 2023-08-07T12:04:54.000+10:00
* action: accommodate Windows Signed-off-by: William Woodruff <william@trailofbits.com> * selftest: macOS, Windows Signed-off-by: William Woodruff <william@trailofbits.com> * selftest: explicit python version Needed for macOS, Windows (probably) Signed-off-by: William Woodruff <william@trailofbits.com> * action: force bash for action.py invocation as well Signed-off-by: William Woodruff <william@trailofbits.com> * Revert "action: force bash for action.py invocation as well" This reverts commit 1c3a332. * action: Windows force UTF-8 Signed-off-by: William Woodruff <william@trailofbits.com> * action: hackety hack Signed-off-by: William Woodruff <william@trailofbits.com> * action: random delim Signed-off-by: William Woodruff <william@trailofbits.com> * action: oops Signed-off-by: William Woodruff <william@trailofbits.com> * selftest: shell: bash Signed-off-by: William Woodruff <william@trailofbits.com> * ci: loosen python constraint Signed-off-by: William Woodruff <william@trailofbits.com> * action: use os.urandom Signed-off-by: William Woodruff <william@trailofbits.com> * action: document random delimiter Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,6 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.7"
+          python-version: "3.x"
       - name: lint
         run: make lint
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -13,16 +13,27 @@ permissions:
 
 jobs:
   selftest:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
       - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        if: ${{ matrix.os != 'ubuntu-latest' }}
+        with:
+          python-version: "3.x"
       - name: Sign artifact and publish signature
         uses: ./
         id: sigstore-python
         with:
           inputs: ./test/artifact.txt
       - name: Check outputs
+        shell: bash
         run: |
           [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 
diff --git a/action.py b/action.py
@@ -280,16 +280,16 @@ def _fatal_help(msg):
 with Path(_github_env).open("a") as gh_env:
     # Multiline values must match the following syntax:
     #
-    # {name}<<{delimiter}
-    # {value}
-    # {delimiter}
-    gh_env.write(
-        "GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS<<EOF"
-        + os.linesep
-        + os.linesep.join(signing_artifact_paths)
-        + os.linesep
-        + "EOF"
-    )
+    #  {name}<<{delimiter}
+    #  {value}
+    #  {delimiter}
+    #
+    # We use a random delimiter to avoid potential conflicts with our input;
+    # see: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
+    delim = os.urandom(16).hex()
+    print(f"GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS<<{delim}", file=gh_env)
+    print("\n".join(signing_artifact_paths), file=gh_env)
+    print(delim, file=gh_env)
 
 
 # If signing didn't fail, then we check the verification status, if present.
diff --git a/action.yml b/action.yml
@@ -101,14 +101,16 @@ runs:
     - name: Set up sigstore-python
       run: |
         # NOTE: Sourced, not executed as a script.
-        source "${{ github.action_path }}/setup/setup.bash"
+        source "${GITHUB_ACTION_PATH}/setup/setup.bash"
       shell: bash
 
     - name: Run sigstore-python
       id: sigstore-python
       run: |
-        ${{ github.action_path }}/action.py "${{ inputs.inputs }}"
+        ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}"
       env:
+        # The year is 2023, and nonsense like this is still necessary on Windows.
+        PYTHONUTF8: "1"
         GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}"
         GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}"
@@ -125,6 +127,7 @@ runs:
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
+        GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}"
       shell: bash
 
     - uses: actions/upload-artifact@v3
