CI: prepare for CI testing (#1)

woodruffw · web-flow · commit 06ad64664a1c · 2025-11-21T17:28:25.000-05:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,31 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: setup uv
+        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
+
+      - run: make test
diff --git a/Makefile b/Makefile
@@ -11,3 +11,7 @@ lint:
 fix:
 	uvx ruff format
 	uvx ruff check --fix
+
+.PHONY: test
+test:
+	uvx --with=requests --with-requirements=action.py pytest -s -o log_cli=true -o log_cli_level=DEBUG test.py
diff --git a/action.py b/action.py
@@ -6,9 +6,11 @@
 # ]
 # ///
 
+import base64
 import logging
 import os
 import shlex
+from glob import glob
 from pathlib import Path
 
 from pypi_attestations import Attestation, Distribution
@@ -23,11 +25,11 @@ def _get_input(name: str) -> str | None:
     """
     Get an action input from the environment, or `None` if not set.
     """
-    env = f"ATTEST_ACTION_INPUT_{name.upper()}"
+    env = f"ATTEST_ACTION_INPUT_{name.upper().replace('-', '_')}"
     return os.getenv(env)
 
 
-def _get_path_patterns() -> list[str]:
+def _get_path_patterns() -> set[str]:
     """
     Retrieve and normalize the 'paths' input.
 
@@ -44,28 +46,29 @@ def _get_path_patterns() -> list[str]:
         raise RuntimeError("No paths provided in 'paths' input")
 
     # Normalize `foo/` to `foo/*`
-    paths = [str(Path(p) / "*") if Path(p).is_dir() else p for p in paths]
+    paths = [str(Path(p) / "*") if p.endswith(("/", "\\")) else p for p in paths]
 
-    return paths
+    return set(paths)
 
 
-def _unroll_files(patterns: list[str]) -> list[Path]:
+def _unroll_files(patterns: set[str]) -> set[Path]:
     """
     Given one or more path patterns (which may include glob patterns), unroll and
     return all matching files.
     """
 
-    files = []
+    files = set()
 
     for pattern in patterns:
-        for path in Path().glob(pattern):
+        for path in glob(pattern):
+            path = Path(path)
             if path.is_file():
-                files.append(path)
+                files.add(path)
 
     return files
 
 
-def _collect_dists(patterns: list[str]) -> list[tuple[Path, Distribution]]:
+def _collect_dists(patterns: set[str]) -> list[tuple[Path, Distribution]]:
     """
     Given one or more path patterns (which may include glob patterns), collect and
     return all Python distributions found at those paths.
@@ -146,7 +149,12 @@ def main() -> None:
 
     dists = _collect_dists(path_patterns)
 
-    id_token = _get_id_token()
+    if id_token := _get_input("id-token"):
+        id_token = base64.b64decode(id_token).decode("utf-8")
+        id_token = oidc.IdentityToken(raw_token=id_token)
+    else:
+        id_token = _get_id_token()
+
     overwrite = _get_input("overwrite") == "true"
 
     _attest(dists, id_token, overwrite=overwrite)
diff --git a/action.yml b/action.yml
@@ -11,6 +11,15 @@ inputs:
     description: Whether to overwrite existing attestations if they already exist.
     required: false
     default: "false"
+  id-token:
+    description: >
+      An OIDC identity token to use for signing attestations. If not provided,
+      the ambient token will be used.
+
+      **IMPORTANT**: This input is an implementation detail. End users should
+      never need to set it.
+    required: false
+    default: ""
 
 outputs: {}
 
@@ -26,3 +35,5 @@ runs:
       shell: bash
       env:
         ATTEST_ACTION_INPUT_PATHS: ${{ inputs.paths }}
+        ATTEST_ACTION_INPUT_OVERWRITE: ${{ inputs.overwrite }}
+        ATTEST_ACTION_INPUT_ID_TOKEN: ${{ inputs.id-token }}
diff --git a/test.py b/test.py
@@ -0,0 +1,207 @@
+import logging
+import subprocess
+import time
+from pathlib import Path
+
+import pytest
+import requests
+from pypi_attestations import Attestation, GitHubPublisher
+from sigstore import oidc
+
+import action
+
+logger = logging.getLogger(__name__)
+
+
+@pytest.fixture(scope="session")
+def id_token() -> oidc.IdentityToken:
+    def _id_token() -> oidc.IdentityToken | None:
+        # GitHub loves to cache things it has no business caching.
+        result = subprocess.run(
+            [
+                "git",
+                "ls-remote",
+                "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon",
+                "refs/heads/current-token",
+            ],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        ref = result.stdout.split()[0]
+
+        resp = requests.get(
+            f"https://raw.githubusercontent.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/{ref}/oidc-token.txt",
+        )
+        resp.raise_for_status()
+        id_token = resp.text.strip()
+        try:
+            return oidc.IdentityToken(id_token)
+        except Exception:
+            return None
+
+    # Try up to 10 times to get a valid token, waiting 3 seconds between attempts.
+    for n in range(10):
+        token = _id_token()
+        if token is not None:
+            return token
+        else:
+            logger.warning(f"Waiting for valid OIDC identity token, try {n}...")
+        time.sleep(3)
+
+    raise RuntimeError("Failed to obtain OIDC identity token for tests")
+
+
+@pytest.fixture
+def sampleproject(tmp_path: Path) -> Path:
+    """
+    Create a sample Python project with a distribution file.
+    """
+
+    project_dir = tmp_path / "sampleproject"
+    project_dir.mkdir()
+
+    pyproject = project_dir / "pyproject.toml"
+    pyproject.write_text("""
+name = "astral-sh-attest-action-test-sampleproject"
+version = "0.1.0"
+description = "Who's wants to know?"
+requires-python = ">=3.10"
+""")
+
+    hello_py = project_dir / "hello.py"
+    hello_py.write_text("""
+def main():
+    print("Hello, world!")
+""")
+
+    return project_dir
+
+
+def test_get_input(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_FOO", "expected")
+
+    assert action._get_input("foo") == "expected"
+
+
+def test_get_path_patterns(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "dist/* another/** third/")
+
+    patterns = action._get_path_patterns()
+    assert patterns == {"dist/*", "another/**", "third/*"}
+
+    # Deduplicates patterns / files.
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "dist/* dist/* another/")
+    patterns = action._get_path_patterns()
+    assert patterns == {"dist/*", "another/*"}
+
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "a a b b c")
+    patterns = action._get_path_patterns()
+    assert patterns == {"a", "b", "c"}
+
+
+def test_attest(sampleproject: Path, id_token: oidc.IdentityToken) -> None:
+    subprocess.run(["uv", "build"], cwd=sampleproject, check=True)
+    dist_dir = sampleproject / "dist"
+
+    patterns = {str(dist_dir / "*")}
+
+    dists = action._collect_dists(patterns)
+    assert len(dists) == 2  # sdist and wheel
+
+    action._attest(
+        dists,
+        id_token,
+        overwrite=False,
+    )
+
+    for dist_path, _ in dists:
+        attestation_path = dist_path.with_name(f"{dist_path.name}.publish.attestation")
+        assert attestation_path.exists()
+
+
+def test_attest_overwrite_fails(
+    sampleproject: Path,
+    id_token: oidc.IdentityToken,
+) -> None:
+    subprocess.run(["uv", "build"], cwd=sampleproject, check=True)
+    dist_dir = sampleproject / "dist"
+
+    patterns = {str(dist_dir / "*")}
+
+    dists = action._collect_dists(patterns)
+    assert len(dists) == 2  # sdist and wheel
+
+    action._attest(
+        dists,
+        id_token,
+        overwrite=False,
+    )
+
+    with pytest.raises(RuntimeError, match="Attestation file already exists"):
+        action._attest(
+            dists,
+            id_token,
+            overwrite=False,
+        )
+
+
+def test_attest_overwrite_succeeds(
+    sampleproject: Path,
+    id_token: oidc.IdentityToken,
+) -> None:
+    subprocess.run(["uv", "build"], cwd=sampleproject, check=True)
+    dist_dir = sampleproject / "dist"
+
+    patterns = {str(dist_dir / "*")}
+
+    dists = action._collect_dists(patterns)
+    assert len(dists) == 2  # sdist and wheel
+
+    action._attest(
+        dists,
+        id_token,
+        overwrite=False,
+    )
+
+    # This should succeed without error.
+    action._attest(
+        dists,
+        id_token,
+        overwrite=True,
+    )
+
+
+def test_attest_verify(
+    sampleproject: Path,
+    id_token: oidc.IdentityToken,
+) -> None:
+    subprocess.run(["uv", "build"], cwd=sampleproject, check=True)
+    dist_dir = sampleproject / "dist"
+
+    patterns = {str(dist_dir / "*")}
+
+    dists = action._collect_dists(patterns)
+    assert len(dists) == 2  # sdist and wheel
+
+    action._attest(
+        dists,
+        id_token,
+        overwrite=False,
+    )
+
+    for dist_path, dist in dists:
+        attestation_path = dist_path.with_name(f"{dist_path.name}.publish.attestation")
+        assert attestation_path.exists()
+
+        attestation = Attestation.model_validate_json(attestation_path.read_bytes())
+        identity = GitHubPublisher(
+            repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon",
+            workflow="extremely-dangerous-oidc-beacon.yml",
+        )
+
+        attestation.verify(
+            identity=identity,
+            dist=dist,
+            offline=True,
+        )
