Reimplement in Python

Primarily to facilitate better error handling.

Author: andreaso

.github/workflows/linter.yaml

@@ -12,13 +12,45 @@ on:
 
 permissions:
   contents: read
-  statuses: write
 
 jobs:
-  lint:
+  python:
+    name: Python
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os:
+          - ubuntu-20.04
+          - ubuntu-22.04
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Setup Python virtualenv
+        run: |
+          python3 -m venv .venv
+          .venv/bin/pip install --upgrade pip setuptools
+          .venv/bin/pip install ruff mypy types-requests
+
+      - name: Check ruff formating
+        run: .venv/bin/ruff format --diff vault_oidc_ssh_cert_action.py
+
+      - name: Check ruff linting
+        run: .venv/bin/ruff check vault_oidc_ssh_cert_action.py
+
+      - name: Check type hints
+        run: .venv/bin/mypy --strict vault_oidc_ssh_cert_action.py
+
+  super:
     name: Super-Linter
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      statuses: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -29,6 +61,10 @@ jobs:
         uses: super-linter/super-linter/slim@v6
         env:
           VALIDATE_ALL_CODEBASE: true
-          VALIDATE_SHELL_SHFMT: false
+          VALIDATE_PYTHON_BLACK: false
+          VALIDATE_PYTHON_FLAKE8: false
+          VALIDATE_PYTHON_ISORT: false
+          VALIDATE_PYTHON_MYPY: false
+          VALIDATE_PYTHON_PYLINT: false
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,3 +1,6 @@
 *~
 \#*#
 .#*
+
+*.pyc
+.venv/

README.md

@@ -19,7 +19,7 @@ jobs:
       - name: Generate SSH client certificate
         if: github.ref == 'refs/heads/main'
         id: ssh_cert
-        uses: andreaso/vault-oidc-ssh-cert-action@v0.10
+        uses: andreaso/vault-oidc-ssh-cert-action@v0.11
         with:
           vault_server: https://vault.example.com:8200
           oidc_backend_path: github-oidc

action.yaml

@@ -27,59 +27,26 @@ inputs:
 outputs:
   cert_path:
     description: Full path to the generated SSH certificate
-    value: ${{ steps.generator.outputs.cert_path }}
+    value: ${{ steps.run_action.outputs.cert_path }}
   key_path:
     description: Full path to the corresponding private SSH key
-    value: ${{ steps.generator.outputs.key_path }}
+    value: ${{ steps.run_action.outputs.key_path }}
 
 runs:
   using: composite
   steps:
-    - name: Determine JWT audience
-      id: determine
-      run: |
-        import os
-        from urllib.parse import urlparse
-        aud = os.environ["JWT_AUDIENCE"].strip()
-        if not aud:
-            url = os.environ["VAULT_SERVER"]
-            fqdn = urlparse(url).netloc.split(":")[0]
-            aud = fqdn
-        with open(os.environ["GITHUB_OUTPUT"], "a") as ghof:
-            ghof.write(f"audience={aud}\n")
+    - name: Run Action
+      id: run_action
       shell: python
+      run: |
+        import vault_oidc_ssh_cert_action
+        vault_oidc_ssh_cert_action.run()
       env:
+        PYTHONPATH: ${{ github.action_path }}
         JWT_AUDIENCE: ${{ inputs.jwt_audience }}
-        VAULT_SERVER: ${{ inputs.vault_server }}
-
-    - name: Use GitHub OIDC to authenticate towards Vault
-      id: vault_auth
-      shell: bash
-      run: "${ACTION_PATH}/github-vault-auth"
-      env:
-        ACTION_PATH: ${{ github.action_path }}
-        AUDIENCE: ${{ steps.determine.outputs.audience }}
-        BACKEND: ${{ inputs.oidc_backend_path }}
-        ROLE: ${{ inputs.oidc_role }}
-        VAULT_SERVER: ${{ inputs.vault_server }}
-
-    - name: Generate and sign SSH client certificate
-      id: generator
-      shell: bash
-      run: "${ACTION_PATH}/generate-and-sign"
-      env:
-        ACTION_PATH: ${{ github.action_path }}
-        VAULT_SERVER: ${{ inputs.vault_server }}
-        VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
-        SSH_BACKEND: ${{ inputs.ssh_backend_path }}
+        OIDC_BACKEND_PATH: ${{ inputs.oidc_backend_path }}
+        OIDC_ROLE: ${{ inputs.oidc_role }}
+        SSH_BACKEND_PATH: ${{ inputs.ssh_backend_path }}
         SSH_ROLE: ${{ inputs.ssh_role }}
-        TMPDIR: ${{ runner.temp }}
-
-    - name: Revoke Vault token
-      if: success() || steps.generator.conclusion == 'failure'
-      shell: bash
-      run: |
-        curl --fail --silent --show-error --tlsv1.3 --header "X-Vault-Token: ${VAULT_TOKEN}" --data "" "${VAULT_SERVER%/}/v1/auth/token/revoke-self"
-      env:
         VAULT_SERVER: ${{ inputs.vault_server }}
-        VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
+        TMPDIR: ${{ runner.temp }}