Add rekor-version argument (#228)

Author: jku

.github/workflows/selftest.yml

@@ -150,6 +150,13 @@ jobs:
           inputs: ./test/artifact.txt
           staging: true
           internal-be-careful-debug: true
+      - name: Sign artifact with non-default rekor-version and publish signature
+        uses: ./
+        with:
+          inputs: ./test/artifact2.txt
+          staging: true
+          rekor-version: 1
+          internal-be-careful-debug: true
       - name: Check outputs
         run: |
           [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1

action.py

@@ -151,6 +151,19 @@ def _fatal_help(msg):
 
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
     sigstore_global_args.append("--staging")
+    rekor_version_default = "2"
+else:
+    rekor_version_default = "1"
+
+rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")
+if rekor_version_env == "":
+    rekor_version = rekor_version_default
+elif rekor_version_env in ["1", "2"]:
+    rekor_version = rekor_version_env
+else:
+    _fatal_help(f"'{rekor_version_env}' is not a valid rekor-version")
+
+sigstore_sign_args.extend(["--rekor-version", rekor_version])
 
 verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
 if enable_verify and not verify_cert_identity:

action.yml

@@ -32,6 +32,14 @@ inputs:
     description: "the custom OpenID Connect client secret to use during OAuth2"
     required: false
     default: ""
+  rekor-version:
+    description: |
+      The Rekor transparency log instance version used during signing. Valid values are [1, 2].
+      Verifying clients must be compatible with the used Rekor version.
+
+      Default rekor-version is 1, except when `staging` is enabled: then default rekor-version is 2.
+    required: false
+    default: ""
   staging:
     description: "use sigstore's staging instances, instead of the default production instances"
     required: false
@@ -92,6 +100,7 @@ runs:
         GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
+        GHA_SIGSTORE_PYTHON_REKOR_VERSION: "${{ inputs.rekor-version }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"