prepare for CI testing

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/test.yml

@@ -0,0 +1,50 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+env:
+  STAGING_PYX_UPLOAD_URL: https://astral-sh-staging-api.pyx.dev/v1/upload/pyx-auth-action/main
+  PYX_API_URL: https://astral-sh-staging-api.pyx.dev
+
+jobs:
+  id-token:
+    name: "Obtain cursed OIDC token"
+    runs-on: ubuntu-latest
+    permissions: {}
+    outputs:
+      id-token: ${{ steps.beacon.outputs.id-token }}
+
+    steps:
+      - name: Obtain cursed OIDC token
+        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
+
+      - name: Set output
+        id: beacon
+        run: |
+          echo "id-token=$(cat ./oidc-token.txt)" >> ${GITHUB_OUTPUT}
+
+  all-tests-pass:
+    name: "Ensure all selftests pass"
+    if: always()
+
+    needs:
+      - id-token
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Ensure all selftests passed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

action.py

@@ -23,7 +23,7 @@ def _get_input(name: str) -> str | None:
     """
     Get an action input from the environment, or `None` if not set.
     """
-    env = f"ATTEST_ACTION_INPUT_{name.upper()}"
+    env = f"ATTEST_ACTION_INPUT_{name.upper().replace('-', '_')}"
     return os.getenv(env)
 
 
@@ -146,7 +146,11 @@ def main() -> None:
 
     dists = _collect_dists(path_patterns)
 
-    id_token = _get_id_token()
+    if id_token := _get_input("id-token"):
+        id_token = oidc.IdentityToken(raw_token=id_token)
+    else:
+        id_token = _get_id_token()
+
     overwrite = _get_input("overwrite") == "true"
 
     _attest(dists, id_token, overwrite=overwrite)

action.yml

@@ -11,6 +11,15 @@ inputs:
     description: Whether to overwrite existing attestations if they already exist.
     required: false
     default: "false"
+  id-token:
+    description: >
+      An OIDC identity token to use for signing attestations. If not provided,
+      the ambient token will be used.
+
+      **IMPORTANT**: This input is an implementation detail. End users should
+      never need to set it.
+    required: false
+    default: ""
 
 outputs: {}
 
@@ -26,3 +35,5 @@ runs:
       shell: bash
       env:
         ATTEST_ACTION_INPUT_PATHS: ${{ inputs.paths }}
+        ATTEST_ACTION_INPUT_OVERWRITE: ${{ inputs.overwrite }}
+        ATTEST_ACTION_INPUT_ID_TOKEN: ${{ inputs.id-token }}