Creating attestation for zip in releases #14
What is your error message? |
action-wordpress-plugin-attestation/action.yml Lines 9 to 12 in 260e74a
Try |
I'm not getting an error, but it stops on creating the attestation:

```
Run johnbillion/[email protected]
Run zipurl="$ZIP_URL"
Fetching plugin ZIP from https://github.com/soderlind/zip-test/releases/download/1.0.0/abc11.zip ...
Plugin ZIP not available yet (HTTP status 404), retrying in 20 seconds...
Plugin ZIP not available yet (HTTP status 404), retrying in 20 seconds...
Plugin ZIP not available yet (HTTP status 404), retrying in 20 seconds...
Plugin ZIP not available yet (HTTP status 404), retrying in 20 seconds...
```
|
btw, made the repo public |
No! Try |
Nah.. when I use As per the documentation, I should use |
Sent a PR ... |
If you look at the workflow run at https://github.com/soderlind/zip-test/actions/runs/12819130119/job/35746152419, you'll see that the URL to the zip is correct and that the zip exists. btw, I also tried to do this in two separate jobs, the first created the release, the second tried to create the attestation. |
You need both. Please see the PR. |
Merged, and running now: https://github.com/soderlind/zip-test/actions/runs/12819516574/job/35747313133 |
🚀 GitHub redirects to a signed URL: This attestation action needs an HTTP/200 response code.
That is a problem. |
Yep, I see that. Ok, back to the GitHub doc :) |
Also when using the GitHub API, you'll get a URL like the one I got ( The easy fix is to allow 302 in
|
Thank you @szepeviktor, your latest PR fixed this :) https://github.com/soderlind/zip-test/attestations/4475034 |
For you, who wonder, this is the working GitHub Action:

```yaml
name: Manually Build Release Zip

on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release tag (e.g. v1.0.0)'
        required: true
        type: string
      zip:
        description: 'Output zip filename (e.g. my-plugin.zip)'
        required: true
        type: string

jobs:
  create-release:
    name: Create Release Package
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build plugin # Remove or modify this step as needed
        run: |
          composer install --no-dev
      - name: Create zip archive
        uses: thedoctor0/[email protected]
        with:
          type: 'zip'
          filename: ${{ github.event.inputs.zip }}
          exclusions: '*.git* .editorconfig composer* *.md vendor/*/test* vendor/*/docs'
      - name: Upload to release
        id: upload
        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: ${{ github.event.inputs.zip }}
          tag_name: ${{ github.event.inputs.tag }}
      - name: Get final asset URL
        id: asset_url
        run: |
          URL="$(curl -s -I -o /dev/null -w "%{redirect_url}" "${{ fromJson(steps.upload.outputs.assets)[0].browser_download_url }}")"
          echo "final_url=${URL}" >> "${GITHUB_OUTPUT}"
      - name: Generate attestation
        uses: johnbillion/[email protected]
        with:
          zip-path: ${{ github.event.inputs.zip }}
          zip-url: ${{ steps.asset_url.outputs.final_url }}
```
|
It looks like I should update this action so Curl follows redirects. Does that make sense? Then you wouldn't need your prior step to fetch the final URL. |
I think having the final URL is a security concern. |
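
The redirect-following approach raised in the two comments above, as an added example that is not code from this action or from any participant in the thread: fetch the asset by its stable release URL, let curl follow the 302 only over HTTPS and for a bounded number of hops, and accept the download only if its SHA-256 matches the locally built zip. The function names and the hop limit are assumptions.

```shell
# Added example, not the action's own code. Function names and MAX_REDIRECTS
# are assumptions made for illustration.

MAX_REDIRECTS=3   # assumption: a small bound on hops to the signed URL

# Download URL $1 to file $2. Redirects are followed, but only to HTTPS
# targets and at most MAX_REDIRECTS times. Prints the final HTTP status;
# the signed redirect target is never printed or stored.
fetch_asset() {
  local url out
  url="$1"; out="$2"
  curl --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       --max-redirs "$MAX_REDIRECTS" \
       --output "$out" --write-out '%{http_code}' "$url"
}

# Hex SHA-256 digest of a file.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Succeeds only when both files are byte-identical.
same_digest() {
  [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Compare the local build ($1) with what the stable URL ($2) serves.
# Returns 0 on match, 1 on fetch failure or non-200 status, 2 on mismatch.
verify_published_zip() {
  local local_zip url tmp status rc
  local_zip="$1"; url="$2"
  tmp="$(mktemp)"
  rc=0
  status="$(fetch_asset "$url" "$tmp")" || rc=1
  if [ "$rc" -eq 0 ] && [ "$status" != "200" ]; then rc=1; fi
  if [ "$rc" -eq 0 ] && ! same_digest "$local_zip" "$tmp"; then rc=2; fi
  rm -f "$tmp"
  return "$rc"
}
```

A workflow step could call `verify_published_zip "$ZIP_PATH" "$ZIP_URL"` with the release's `browser_download_url`, so only the stable URL appears in step outputs and logs.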
Do you see any reason why this isn't working?: