From 1ddeb829cc81aadc391a78096478d61db0dee7e6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 4 Jul 2024 08:04:47 -0400 Subject: [PATCH] action: use a venv to prevent PEP 668 errors (#145) * action: use a venv to prevent PEP 668 errors Signed-off-by: William Woodruff * action: use sys.executable Signed-off-by: William Woodruff * fight with Windows Signed-off-by: William Woodruff * setup: minimum Python is 3.8 This has been true for a while. Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 24 ++++++++++++++++++++++++ action.py | 4 ++-- action.yml | 6 +++++- setup/setup.bash | 25 +++++++++++++++++++++---- 4 files changed, 52 insertions(+), 7 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 38b20ab..f2edc93 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -19,6 +19,8 @@ jobs: - ubuntu-latest - macos-latest - windows-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: @@ -38,6 +40,28 @@ jobs: run: | [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-runner-python: + strategy: + matrix: + os: + - ubuntu-latest + # TODO: Can be removed when 24.04 becomes ubuntu-latest. + - ubuntu-24.04 + runs-on: ${{ matrix.os }} + if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork + steps: + - uses: actions/checkout@v4 + - name: Sign artifact and publish signature + uses: ./ + id: sigstore-python + with: + inputs: ./test/artifact.txt + internal-be-careful-debug: true + - name: Check outputs + shell: bash + run: | + [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 + selftest-whitespace: strategy: matrix: diff --git a/action.py b/action.py index 09e961f..1cd38fc 100755 --- a/action.py +++ b/action.py @@ -86,12 +86,12 @@ def _download_ref_asset(ext): def _sigstore_sign(global_args, sign_args): - return ["python", "-m", "sigstore", *global_args, "sign", *sign_args] + return [sys.executable, "-m", "sigstore", *global_args, "sign", *sign_args] def _sigstore_verify(global_args, verify_args): return [ - "python", + sys.executable, "-m", "sigstore", *global_args, diff --git a/action.yml b/action.yml index 7dc3faa..d765d61 100644 --- a/action.yml +++ b/action.yml @@ -83,6 +83,7 @@ runs: using: "composite" steps: - name: Set up sigstore-python + id: setup run: | # NOTE: Sourced, not executed as a script. source "${GITHUB_ACTION_PATH}/setup/setup.bash" @@ -93,10 +94,13 @@ runs: - name: Run sigstore-python id: sigstore-python run: | - ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}" + "${VENV_PYTHON_PATH}" \ + "${GITHUB_ACTION_PATH}/action.py" \ + "${GHA_SIGSTORE_PYTHON_INPUTS}" env: # The year is 2023, and nonsense like this is still necessary on Windows. PYTHONUTF8: "1" + VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}" GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}" GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}" GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}" diff --git a/setup/setup.bash b/setup/setup.bash index ba5891e..62ece86 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -35,7 +35,7 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then die "Internal error: setup harness was executed instead of being sourced?" fi -# Check the Python version, making sure it's new enough (3.7+) +# Check the Python version, making sure it's new enough (3.8+) # The installation step immediately below will technically catch this, # but doing it explicitly gives us the opportunity to produce a better # error message. @@ -43,8 +43,25 @@ vers=$(python -V | cut -d ' ' -f2) maj_vers=$(cut -d '.' -f1 <<< "${vers}") min_vers=$(cut -d '.' -f2 <<< "${vers}") -[[ "${maj_vers}" == "3" && "${min_vers}" -ge 7 ]] || die "Bad Python version: ${vers}" +[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}" -python -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" +# If the user didn't explicitly configure a Python version with +# `actions/setup-python`, then we might be using the distribution's Python and +# therefore be subject to PEP 668. We use a virtual environment unconditionally +# to prevent that kind of confusion. +python -m venv "${GITHUB_ACTION_PATH}/.action-env" -debug "sigstore-python: $(python -m sigstore --version)" +# Annoying: Windows venvs use a different structure, for unknown reasons. +if [[ -d "${GITHUB_ACTION_PATH}/.action-env/bin" ]]; then + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/bin/python" +else + VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python" +fi + +"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" + +debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)" + +# Finally, propagate VENV_PYTHON_PATH so we can actually kick-start +# the extension from it. +echo "venv-python-path=${VENV_PYTHON_PATH}" >> "${GITHUB_OUTPUT}"