diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d57ce9f..3183fc3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,4 +24,3 @@ jobs:
 with:
 inputs: action.yml action.py
 release-signing-artifacts: true
- bundle-only: true
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 573a69e..6bcede1 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -23,8 +23,6 @@ jobs:
 inputs: ./test/artifact.txt
 - name: Check outputs
 run: |
- [[ -f ./test/artifact.txt.sig ]] || exit 1
- [[ -f ./test/artifact.txt.crt ]] || exit 1
 [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 selftest-xfail-invalid-inputs:
@@ -67,8 +65,6 @@ jobs:
 staging: true
 - name: Check outputs
 run: |
- [[ -f ./test/artifact.txt.sig ]] || exit 1
- [[ -f ./test/artifact.txt.crt ]] || exit 1
 [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 selftest-glob:
@@ -102,8 +98,6 @@ jobs:
 - name: Verify presence of uploaded files
 run: |
 [[ -f ./artifact.txt ]] || exit 1
- [[ -f ./artifact.txt.sig ]] || exit 1
- [[ -f ./artifact.txt.crt ]] || exit 1
 [[ -f ./artifact.txt.sigstore ]] || exit 1
 working-directory: ./test/uploaded
diff --git a/README.md b/README.md
index 986ec30..f6b9bfc 100644
--- a/README.md
+++ b/README.md
@@ -388,29 +388,6 @@ permissions:
 release-signing-artifacts: true
 ```
-### `bundle-only`
-
-**Default**: `false`
-
-The `bundle-only` setting controls whether or not `sigstore-python` uploads `.crt`
-or `.sig` artifacts.
-
-This setting affects the behavior of the `upload-signing-artifacts` and `release-signing-artifacts`
-settings. If neither of those settings are specified, this setting has no effect.
-
-By default, `.crt` and `.sig` artifacts are uploaded. If enabled, only the `.sigstore`
-signing artifact is uploaded.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v1.2.3
- with:
- inputs: file.txt
- upload-signing-artifacts: true
- bundle-only: true
-```
-
 ### Internal options
⚠️ Internal options ⚠️
diff --git a/action.py b/action.py
index a791b02..3999362 100755
--- a/action.py
+++ b/action.py
@@ -190,7 +190,6 @@ def _fatal_help(msg):
 if artifact is not None:
 inputs.append(artifact)
-bundle_only = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE_ONLY") == "true"
 for input_ in inputs:
 # Forbid things that look like flags. This isn't a security boundary; just
 # a way to prevent (less motivated) users from breaking the action on themselves.
@@ -206,10 +205,6 @@ def _fatal_help(msg):
 # Also upload artifact being signed for.
 signing_artifact_paths.append(str(file_))
- if not bundle_only and "--certificate" not in sigstore_sign_args:
- signing_artifact_paths.append(f"{file_}.crt")
- if not bundle_only and "--signature" not in sigstore_sign_args:
- signing_artifact_paths.append(f"{file_}.sig")
 if "--bundle" not in sigstore_sign_args:
 signing_artifact_paths.append(f"{file_}.sigstore")
diff --git a/action.yml b/action.yml
index af447ee..e3af429 100644
--- a/action.yml
+++ b/action.yml
@@ -90,13 +90,6 @@ inputs:
 description: "attach all signing artifacts as release assets"
 required: false
 default: false
- bundle-only:
- description: |
- upload only the Sigstore bundle
-
- has no effect if `upload-signing-artifacts` or `release-signing-artifacts` is not enabled
- required: false
- default: false
 internal-be-careful-debug:
 description: "run with debug logs (default false)"
 required: false
@@ -131,7 +124,6 @@ runs:
 GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
 GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
 GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS: "${{ inputs.release-signing-artifacts }}"
- GHA_SIGSTORE_PYTHON_BUNDLE_ONLY: "${{ inputs.bundle-only }}"
 GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
 shell: bash