sigstore · jku · Jul 4, 2024 · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -19,6 +19,8 @@ jobs:
           - ubuntu-latest
           - macos-latest
           - windows-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
@@ -38,6 +40,28 @@ jobs:
         run: |
           [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
+  selftest-runner-python:
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
+    runs-on: ${{ matrix.os }}
+    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+    steps:
+      - uses: actions/checkout@v4
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          internal-be-careful-debug: true
+      - name: Check outputs
+        shell: bash
+        run: |
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+
   selftest-whitespace:
     strategy:
       matrix:

diff --git a/action.py b/action.py
@@ -86,12 +86,12 @@ def _download_ref_asset(ext):
 
 
 def _sigstore_sign(global_args, sign_args):
-    return ["python", "-m", "sigstore", *global_args, "sign", *sign_args]
+    return [sys.executable, "-m", "sigstore", *global_args, "sign", *sign_args]
 
 
 def _sigstore_verify(global_args, verify_args):
     return [
-        "python",
+        sys.executable,
         "-m",
         "sigstore",
         *global_args,

diff --git a/action.yml b/action.yml
@@ -83,6 +83,7 @@ runs:
   using: "composite"
   steps:
     - name: Set up sigstore-python
+      id: setup
       run: |
         # NOTE: Sourced, not executed as a script.
         source "${GITHUB_ACTION_PATH}/setup/setup.bash"
@@ -93,10 +94,13 @@ runs:
     - name: Run sigstore-python
       id: sigstore-python
       run: |
-        ${GITHUB_ACTION_PATH}/action.py "${GHA_SIGSTORE_PYTHON_INPUTS}"
+        "${VENV_PYTHON_PATH}" \
+          "${GITHUB_ACTION_PATH}/action.py" \
+          "${GHA_SIGSTORE_PYTHON_INPUTS}"
       env:
         # The year is 2023, and nonsense like this is still necessary on Windows.
         PYTHONUTF8: "1"
+        VENV_PYTHON_PATH: "${{ steps.setup.outputs.venv-python-path }}"
         GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}"
         GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}"

diff --git a/setup/setup.bash b/setup/setup.bash
@@ -35,16 +35,33 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then
   die "Internal error: setup harness was executed instead of being sourced?"
 fi
 
-# Check the Python version, making sure it's new enough (3.7+)
+# Check the Python version, making sure it's new enough (3.8+)
 # The installation step immediately below will technically catch this,
 # but doing it explicitly gives us the opportunity to produce a better
 # error message.
 vers=$(python -V | cut -d ' ' -f2)
 maj_vers=$(cut -d '.' -f1 <<< "${vers}")
 min_vers=$(cut -d '.' -f2 <<< "${vers}")
 
-[[ "${maj_vers}" == "3" && "${min_vers}" -ge 7 ]] || die "Bad Python version: ${vers}"
+[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}"
 
-python -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt"
+# If the user didn't explicitly configure a Python version with
+# `actions/setup-python`, then we might be using the distribution's Python and
+# therefore be subject to PEP 668. We use a virtual environment unconditionally
+# to prevent that kind of confusion.
+python -m venv "${GITHUB_ACTION_PATH}/.action-env"
 
-debug "sigstore-python: $(python -m sigstore --version)"
+# Annoying: Windows venvs use a different structure, for unknown reasons.
+if [[ -d "${GITHUB_ACTION_PATH}/.action-env/bin" ]]; then
+  VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/bin/python"
+else
+  VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python"
+fi
+
+"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt"
+
+debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)"
+
+# Finally, propagate VENV_PYTHON_PATH so we can actually kick-start
+# the extension from it.
+echo "venv-python-path=${VENV_PYTHON_PATH}" >> "${GITHUB_OUTPUT}"