test better

Signed-off-by: William Woodruff <william@astral.sh>

Author: woodruffw

.github/workflows/test.yml

@@ -14,27 +14,7 @@ concurrency:
 permissions: {}
 
 jobs:
-  id-token:
-    name: "Obtain cursed OIDC token"
-    runs-on: ubuntu-latest
-    outputs:
-      id-token: ${{ steps.beacon.outputs.id-token }}
-
-    steps:
-      - name: Obtain cursed OIDC token
-        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
-
-      - name: Set output
-        id: beacon
-        # Note: base64 encode the token to avoid GitHub's ridiculous output value
-        # filtering behavior.
-        run: |
-          token=$(base64 < ./oidc-token.txt)
-          echo "id-token=${token}" >> ${GITHUB_OUTPUT}
-
-  attest-basic:
-    name: "Selftest: basic attestation generation"
-    needs: [id-token]
+  test:
     runs-on: ubuntu-latest
 
     permissions:
@@ -45,37 +25,4 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Get pypa/sampleproject
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: pypa/sampleproject
-          path: sampleproject
-          persist-credentials: false
-
-      - name: setup uv
-        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
-
-      - name: Build sampleproject distributions
-        working-directory: sampleproject
-        run: uv build
-
-      - name: Run attest-action
-        uses: ./
-        with:
-          paths: sampleproject/dist/
-          id-token: ${{ needs.id-token.outputs.id-token }}
-
-  all-tests-pass:
-    name: "Ensure all selftests pass"
-    if: always()
-
-    needs:
-      - attest-basic
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Ensure all selftests passed
-        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: make test

Makefile

@@ -11,3 +11,7 @@ lint:
 fix:
 	uvx ruff format
 	uvx ruff check --fix
+
+.PHONY: test
+test:
+	uvx --with=requests --with-requirements=action.py pytest test.py

action.py

@@ -10,6 +10,7 @@
 import logging
 import os
 import shlex
+from glob import glob
 from pathlib import Path
 
 from pypi_attestations import Attestation, Distribution
@@ -28,7 +29,7 @@ def _get_input(name: str) -> str | None:
     return os.getenv(env)
 
 
-def _get_path_patterns() -> list[str]:
+def _get_path_patterns() -> set[str]:
     """
     Retrieve and normalize the 'paths' input.
 
@@ -45,28 +46,29 @@ def _get_path_patterns() -> list[str]:
         raise RuntimeError("No paths provided in 'paths' input")
 
     # Normalize `foo/` to `foo/*`
-    paths = [str(Path(p) / "*") if Path(p).is_dir() else p for p in paths]
+    paths = [str(Path(p) / "*") if p.endswith(("/", "\\")) else p for p in paths]
 
-    return paths
+    return set(paths)
 
 
-def _unroll_files(patterns: list[str]) -> list[Path]:
+def _unroll_files(patterns: set[str]) -> set[Path]:
     """
     Given one or more path patterns (which may include glob patterns), unroll and
     return all matching files.
     """
 
-    files = []
+    files = set()
 
     for pattern in patterns:
-        for path in Path().glob(pattern):
+        for path in glob(pattern):
+            path = Path(path)
             if path.is_file():
-                files.append(path)
+                files.add(path)
 
     return files
 
 
-def _collect_dists(patterns: list[str]) -> list[tuple[Path, Distribution]]:
+def _collect_dists(patterns: set[str]) -> list[tuple[Path, Distribution]]:
     """
     Given one or more path patterns (which may include glob patterns), collect and
     return all Python distributions found at those paths.

test.py

@@ -0,0 +1,88 @@
+import subprocess
+import uuid
+from pathlib import Path
+
+import pytest
+import requests
+from sigstore import oidc
+
+import action
+
+
+@pytest.fixture(scope="session")
+def id_token() -> oidc.IdentityToken:
+    resp = requests.get(
+        "https://raw.githubusercontent.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/refs/heads/current-token/oidc-token.txt",
+        params={"cachebuster": uuid.uuid4().hex},
+    )
+    resp.raise_for_status()
+    id_token = resp.text.strip()
+    return oidc.IdentityToken(id_token)
+
+
+@pytest.fixture
+def sampleproject(tmp_path: Path) -> Path:
+    """
+    Create a sample Python project with a distribution file.
+    """
+
+    project_dir = tmp_path / "sampleproject"
+    project_dir.mkdir()
+
+    pyproject = project_dir / "pyproject.toml"
+    pyproject.write_text("""
+name = "astral-sh-attest-action-test-sampleproject"
+version = "0.1.0"
+description = "Who's wants to know?"
+requires-python = ">=3.10"
+""")
+
+    hello_py = project_dir / "hello.py"
+    hello_py.write_text("""
+def main():
+    print("Hello, world!")
+""")
+
+    return project_dir
+
+
+def test_get_input(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_FOO", "expected")
+
+    assert action._get_input("foo") == "expected"
+
+
+def test_get_path_patterns(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "dist/* another/** third/")
+
+    patterns = action._get_path_patterns()
+    assert patterns == {"dist/*", "another/**", "third/*"}
+
+    # Deduplicates patterns / files.
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "dist/* dist/* another/")
+    patterns = action._get_path_patterns()
+    assert patterns == {"dist/*", "another/*"}
+
+    monkeypatch.setenv("ATTEST_ACTION_INPUT_PATHS", "a a b b c")
+    patterns = action._get_path_patterns()
+    assert patterns == {"a", "b", "c"}
+
+
+def test_attest(sampleproject: Path, id_token: oidc.IdentityToken) -> None:
+    subprocess.run(["uv", "build"], cwd=sampleproject, check=True)
+    dist_dir = sampleproject / "dist"
+
+    patterns = {str(dist_dir / "*")}
+
+    dists = action._collect_dists(patterns)
+    assert len(dists) == 2  # sdist and wheel
+
+    action._attest(
+        dists,
+        id_token,
+        overwrite=False,
+    )
+
+    for dist_path, _ in dists:
+        attestation_path = dist_path.with_name(f"{dist_path.name}.publish.attestation")
+        assert attestation_path.exists()