add list support for subjectPath input (#51)

* add list support for subjectPath input Signed-off-by: Brian DeHamer <bdehamer@github.com> * bump package version to 1.1.0 Signed-off-by: Brian DeHamer <bdehamer@github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-05-06 08:32:02 -07:00
parent 74e71f701d
commit 94082a9d2e
9 changed files with 1544 additions and 24 deletions
--- a/.github/linters/.eslintrc.yml
+++ b/.github/linters/.eslintrc.yml
@@ -41,6 +41,8 @@ rules:
    'eslint-comments/no-unused-disable': 'off',
    'i18n-text/no-en': 'off',
    'import/no-namespace': 'off',
+    'import/no-unresolved':
+      ['error', { 'ignore': ['csv-parse/sync']}],
    'no-console': 'off',
    'no-unused-vars': 'off',
    'prettier/prettier': 'error',
--- a/README.md
+++ b/README.md
@@ -21,8 +21,8 @@ initiated.
 Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].

-See [Using artifact attestations to establish provenance for builds][9]
-for more information on artifact attestations.
+See [Using artifact attestations to establish provenance for builds][9] for more
+information on artifact attestations.

 ## Usage

@@ -64,7 +64,8 @@ See [action.yml](action.yml)
 - uses: actions/attest@v1
  with:
    # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain
+    # a glob pattern or list of paths.
    subject-path:

    # SHA256 digest of the subject for for the attestation. Must be in the form
@@ -233,4 +234,5 @@ jobs:
  https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
 [7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
-[9]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+[9]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
--- a/tests/subject.test.ts
+++ b/tests/subject.test.ts
@@ -142,6 +142,7 @@ describe('subjectFromInputs', () => {
      // Add files for glob testing
      for (let i = 0; i < 3; i++) {
        await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+        await fs.writeFile(path.join(dir, `other-${i}`), content)
      }
    })

@@ -201,5 +202,91 @@ describe('subjectFromInputs', () => {
        })
      })
    })
+
+    describe('when a comma-separated list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when a multi-line list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when a multi-line glob list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(6)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+
+        expect(subjects).toContainEqual({
+          name: 'other-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'other-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'other-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
  })
 })
--- a/action.yml
+++ b/action.yml
@@ -9,7 +9,8 @@ inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths.
    required: false
  subject-digest:
    description: >
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
@@ -1511,6 +1511,31 @@ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


+csv-parse
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2010 Adaltas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 debug
 MIT
 (The MIT License)
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,18 +1,19 @@
 {
  "name": "actions/attest",
-  "version": "1.0.0",
+  "version": "1.1.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "actions/attest",
-      "version": "1.0.0",
+      "version": "1.1.0",
      "license": "MIT",
      "dependencies": {
        "@actions/attest": "^1.2.1",
        "@actions/core": "^1.10.1",
        "@actions/glob": "^0.4.0",
-        "@sigstore/oci": "^0.3.0"
+        "@sigstore/oci": "^0.3.0",
+        "csv-parse": "^5.5.5"
      },
      "devDependencies": {
        "@sigstore/mock": "^0.7.2",
@@ -3099,6 +3100,11 @@
        "node": ">= 8"
      }
    },
+    "node_modules/csv-parse": {
+      "version": "5.5.5",
+      "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.5.5.tgz",
+      "integrity": "sha512-erCk7tyU3yLWAhk6wvKxnyPtftuy/6Ak622gOO7BCJ05+TYffnPCJF905wmOQm+BpkX54OdAl8pveJwUdpnCXQ=="
+    },
    "node_modules/damerau-levenshtein": {
      "version": "1.0.8",
      "resolved": "https://registry.npmjs.org/damerau-levenshtein/-/damerau-levenshtein-1.0.8.tgz",
@@ -10843,6 +10849,11 @@
        "which": "^2.0.1"
      }
    },
+    "csv-parse": {
+      "version": "5.5.5",
+      "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.5.5.tgz",
+      "integrity": "sha512-erCk7tyU3yLWAhk6wvKxnyPtftuy/6Ak622gOO7BCJ05+TYffnPCJF905wmOQm+BpkX54OdAl8pveJwUdpnCXQ=="
+    },
    "damerau-levenshtein": {
      "version": "1.0.8",
      "resolved": "https://registry.npmjs.org/damerau-levenshtein/-/damerau-levenshtein-1.0.8.tgz",
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "actions/attest",
  "description": "Generate signed attestations for workflow artifacts",
-  "version": "1.0.0",
+  "version": "1.1.0",
  "author": "",
  "private": true,
  "homepage": "https://github.com/actions/attest",
@@ -72,7 +72,8 @@
    "@actions/attest": "^1.2.1",
    "@actions/core": "^1.10.1",
    "@actions/glob": "^0.4.0",
-    "@sigstore/oci": "^0.3.0"
+    "@sigstore/oci": "^0.3.0",
+    "csv-parse": "^5.5.5"
  },
  "devDependencies": {
    "@sigstore/mock": "^0.7.2",
--- a/src/subject.ts
+++ b/src/subject.ts
@@ -1,6 +1,7 @@
 import * as core from '@actions/core'
 import * as glob from '@actions/glob'
 import crypto from 'crypto'
+import { parse } from 'csv-parse/sync'
 import fs from 'fs'
 import path from 'path'

@@ -44,14 +45,23 @@ const getSubjectFromPath = async (
  subjectPath: string,
  subjectName?: string
 ): Promise<Subject[]> => {
-  /* eslint-disable-next-line github/no-then */
-  const files = await glob.create(subjectPath).then(async g => g.glob())
+  const subjects: Subject[] = []

-  const subjects = files.map(async file => {
-    const name = subjectName || path.parse(file).base
-    const digest = await digestFile(DIGEST_ALGORITHM, file)
-    return { name, digest: { [DIGEST_ALGORITHM]: digest } }
-  })
+  // Parse the list of subject paths
+  const subjectPaths = parseList(subjectPath)
+
+  for (const subPath of subjectPaths) {
+    // Expand the globbed path to a list of files
+    /* eslint-disable-next-line github/no-then */
+    const files = await glob.create(subPath).then(async g => g.glob())
+
+    for (const file of files) {
+      const name = subjectName || path.parse(file).base
+      const digest = await digestFile(DIGEST_ALGORITHM, file)
+
+      subjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
+    }
+  }

  if (subjects.length === 0) {
    throw new Error(`Could not find subject at path ${subjectPath}`)
@@ -94,3 +104,20 @@ const digestFile = async (
      .once('finish', () => resolve(hash.read()))
  })
 }
+
+const parseList = (input: string): string[] => {
+  const res: string[] = []
+
+  const records: string[][] = parse(input, {
+    columns: false,
+    relaxQuotes: true,
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  })
+
+  for (const record of records) {
+    res.push(...record)
+  }
+
+  return res.filter(item => item).map(pat => pat.trim())
+}