From b2aa80d7c11d1e02428bde72dc58a9d94029d41b Mon Sep 17 00:00:00 2001 From: Emil Lerch Date: Thu, 10 Jul 2025 17:14:56 -0700 Subject: [PATCH] uhubctl location and port are relative to the runner/host --- README.md | 27 +++++++++++++++++++++------ action.yml | 10 ++++------ entrypoint.sh | 21 +++++++++++---------- 3 files changed, 36 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 3cfa919..acd6930 100644 --- a/README.md +++ b/README.md @@ -38,10 +38,26 @@ performing the signing action. **NOTE: The action will turn off the port on the USB hub when it is done processing** -To enable this feature, use inputs uhub_location **and** uhub_port. To -determine the proper values for these, it is best to consult [uhubctl -documentation](https://github.com/mvp/uhubctl?tab=readme-ov-file#usage) and -run some command line tests. Updating the previous example: +To enable this feature, set `uhub_control` to `true`. As this is controlling +physical hardware, you will also need a runner set with a max concurrency of 1 +and a unique label, used as the `runs-on` attribute of the build. For example: + +```yaml +name: Sign + +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest-with-hsm +``` + +The runner will also need to set environment variables `UHUB_PORT` and +`UHUB_LOCATION` as appropriate. To determine the proper values for these, it is +best to consult [uhubctl +documentation](https://github.com/mvp/uhubctl?tab=readme-ov-file#usage) and run +some command line tests. Updating the previous example: ```yaml - name: Sign @@ -51,6 +67,5 @@ run some command line tests. Updating the previous example: pin: ${{ secrets.HSM_USER_PIN }} files: ??? public_key: 'https://emil.lerch.org/serverpublic.pem' - uhub_location: "1-1.3" - uhub_port: "4" + uhub_control: 'true' ``` diff --git a/action.yml b/action.yml index 60c7010..0d5fb75 100644 --- a/action.yml +++ b/action.yml 
@@ -15,12 +15,10 @@ inputs: public_key: description: 'URL to PEM format public key. Specify only if uploading to sigstore' required: false - uhub_location: - description: 'If HSM is attached to software controlled power hub, location of hub (-l parameter of uhubctl)' - required: false - uhub_port: - description: 'If HSM is attached to software controlled power hub, port to power on, then off (-p parameter of uhubctl)' - required: false + uhub_control: + description: 'If HSM is attached to software controlled power hub, setting this to "true" will power on the HSM during operation' + required: true + default: "false" runs: using: 'docker' image: 'Dockerfile' diff --git a/entrypoint.sh b/entrypoint.sh index 7958871..37000ce 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,10 +1,16 @@ #!/bin/sh -if [ -n "${INPUT_UHUB_LOCATION}" ] && [ -n "${INPUT_UHUB_PORT}" ]; then - uhubctl -a off -p "${INPUT_UHUB_PORT}" -l "${INPUT_UHUB_LOCATION}" # Off seems to be reflected immediately +# There is no concurrency control here. We are relying on the fact that +# the runner on the host is set to a max capacity of 1 +if [ "${INPUT_UHUB_CONTROL}" != "false" ]; then + if [ -z "${UHUB_LOCATION}" ] || [ -z "${UHUB_PORT}" ]; then + echo "error: UHUB control requested, but runner has not been configured with UHUB_LOCATION and UHUB_PORT environment variables" + exit 255 + fi + uhubctl -a off -p "${UHUB_PORT}" -l "${UHUB_LOCATION}" # Off seems to be reflected immediately # Capture the number of hidraw devices with the port off devs="$(find /dev -maxdepth 1 -name 'hi*' |wc -l)" - uhubctl -a on -p "${INPUT_UHUB_PORT}" -l "${INPUT_UHUB_LOCATION}" + uhubctl -a on -p "${UHUB_PORT}" -l "${UHUB_LOCATION}" retries=0 while [ "$(find /dev -maxdepth 1 -name 'hi*' |wc -l)" = "$devs" ] && [ $retries -lt 10 ]; do # Generally takes a few seconds to settle in 
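Review bot: The new `uhub_control` description does not say that the feature now reads `UHUB_LOCATION` and `UHUB_PORT` from the runner host's environment, which is the one thing a workflow author has to arrange before enabling it; entrypoint.sh aborts when they are missing, so naming them here saves a failed run. Suggested text: `description: 'If HSM is attached to software controlled power hub, setting this to "true" will power on the HSM during operation. The runner host must export UHUB_LOCATION and UHUB_PORT (the -l and -p values for uhubctl)'`. Separately, `required: true` together with `default: "false"` looks redundant, since the default is supplied whenever the caller omits the input; `required: false` would match the other inputs in this file, if that was the intent.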
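Review bot: The new guard `if [ "${INPUT_UHUB_CONTROL}" != "false" ]; then` enables hub power control for every value except the literal string `false`, including an empty or unset `INPUT_UHUB_CONTROL` when the script is run outside the action, whereas the action.yml description promises activation only on `"true"`; for code that switches power on a physical HSM the positive check is safer and matches the documentation: `if [ "${INPUT_UHUB_CONTROL}" = "true" ]; then`. The added error message would be better on stderr, `echo "error: ..." >&2`, and `exit 255` is inconsistent with the `exit 1` used by the existing "device is not available" abort path in the following hunk. The `UHUB_LOCATION`/`UHUB_PORT` values are expected from the runner host's environment, which presumably the runner forwards into the Docker container; if it does not, the new check fails on every run, so that is worth confirming. The outer `if` opened here closes in the next hunk, outside this one.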
@@ -16,11 +22,6 @@ if [ -n "${INPUT_UHUB_LOCATION}" ] && [ -n "${INPUT_UHUB_PORT}" ]; then echo "device is not available. Aborting" exit 1 fi -else - if [ -n "${INPUT_UHUB_LOCATION}" ] || [ -n "${INPUT_UHUB_PORT}" ]; then - echo "if UHUB functionality is desired, both uhub_location and uhub_port must be specified" - exit 1 - fi fi dir="$(dirname "${INPUT_FILES}")" @@ -74,7 +75,7 @@ done <