Not all inputs are signed starting with 2.0.0 #74
Comments
Looks like maybe related to the action.yml change in #72? Does
Thanks for the report! Yeah, #72 might be the regression point here -- I'm taking a look now.
Hmm, I'm having trouble reproducing this: #75 adds another self-test that ensures we expand multiple globs correctly, and it looks like we do. I'll keep experimenting there, but could you confirm that ...so it's possible it's ending up in some implicit subdirectory.
Oh, I think I see what happened here: when we were expanding So yeah, this is an unintended regression, although it's a regression on a behavior we didn't quite intend in the first place 🙂 -- I need to think a bit about whether we should accommodate this or not.
Thanks for digging into this. Sounds good. I'm perfectly happy with the answer of "don't do that" if that's what you decide.
Yeah, I think unfortunately we'll need to preserve this new behavior: I can't think of an easy way off the top of my head to keep the old shell expansion behavior without inadvertently allowing people to inject shell commands into the expansion as well. As a workaround, I think the Sorry again for the breakage, and thank you so much for reporting it so quickly! I'm going to add a note to the
That was my concern as well once I had seen what had changed. #72 seems to be a change for the better to avoid the shell injection.
Clever! Thank you. I suspect this'll work too. I'm good if you want to close this issue.
Thanks! I'll close this with the
The changes in #75 will fully resolve this: I've documented the behavior change, added a backstop test, and have made
Description
I recently updated from 1.2.3 to 2.0.0 and noticed not all of the inputs are being signed.
I'd have expected the pywemo-1.2.1.tar.gz and pywemo-1.2.1-py3-none-any.whl files from ./${DIST_ARTIFACT}/* to have been signed too. I've attached the signing-artifacts-sigstore.zip and the dist-ubuntu-latest-3.8.zip (./${DIST_ARTIFACT}/) build artifacts. I wonder if something changed recently with environment variable expansion, or globbing, for the inputs? This workflow had been working with version 1.2.3.