uhubctl location and port are relative to the runner/host

README.md

@@ -38,10 +38,26 @@ performing the signing action.
 
 **NOTE: The action will turn off the port on the USB hub when it is done processing**
 
-To enable this feature, use inputs uhub_location **and** uhub_port. To
+To enable this feature, set `uhub_control` to `true`. As this is controlling
-determine the proper values for these, it is best to consult [uhubctl
+physical hardware, you will also need a runner set with a max concurrency of 1
-documentation](https://github.com/mvp/uhubctl?tab=readme-ov-file#usage) and
+and a unique label, used as the `runs-on` attribute of the build. For example:
-run some command line tests. Updating the previous example:
+
+```yaml
+name: Sign
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest-with-hsm
+```
+
+The runner will also need to set environment variables `UHUB_PORT` and
+`UHUB_LOCATION` as appropriate. To determine the proper values for these, it is
+best to consult [uhubctl
+documentation](https://github.com/mvp/uhubctl?tab=readme-ov-file#usage) and run
+some command line tests. Updating the previous example:
 
 ```yaml
       - name: Sign
@@ -51,6 +67,5 @@ run some command line tests. Updating the previous example:
           pin: ${{ secrets.HSM_USER_PIN }}
           files: ???
           public_key: 'https://emil.lerch.org/serverpublic.pem'
-          uhub_location: "1-1.3"
+          uhub_control: 'true'
-          uhub_port: "4"
 ```

action.yml

@@ -15,12 +15,10 @@ inputs:
   public_key:
     description: 'URL to PEM format public key. Specify only if uploading to sigstore'
     required: false
-  uhub_location:
+  uhub_control:
-    description: 'If HSM is attached to software controlled power hub, location of hub (-l parameter of uhubctl)'
+    description: 'If HSM is attached to software controlled power hub, setting this to "true" will power on the HSM during operation'
-    required: false
+    required: true
-  uhub_port:
+    default: "false"
-    description: 'If HSM is attached to software controlled power hub, port to power on, then off (-p parameter of uhubctl)'
-    required: false
 runs:
   using: 'docker'
   image: 'Dockerfile'

entrypoint.sh

@@ -1,10 +1,16 @@
 #!/bin/sh
 
-if [ -n "${INPUT_UHUB_LOCATION}" ] && [ -n "${INPUT_UHUB_PORT}" ]; then
+# There is no concurrency control here. We are relying on the fact that
-  uhubctl -a off -p "${INPUT_UHUB_PORT}" -l "${INPUT_UHUB_LOCATION}" # Off seems to be reflected immediately
+# the runner on the host is set to a max capacity of 1
+if [ "${INPUT_UHUB_CONTROL}" != "false" ]; then
+  if [ -z "${UHUB_LOCATION}" ] || [ -z "${UHUB_PORT}" ]; then
+    echo "error: UHUB control requested, but runner has not been configured with UHUB_LOCATION and UHUB_PORT environment variables"
+    exit 255
+  fi
+  uhubctl -a off -p "${UHUB_PORT}" -l "${UHUB_LOCATION}" # Off seems to be reflected immediately
   # Capture the number of hidraw devices with the port off
   devs="$(find /dev -maxdepth 1 -name 'hi*' |wc -l)"
-  uhubctl -a on -p "${INPUT_UHUB_PORT}" -l "${INPUT_UHUB_LOCATION}"
+  uhubctl -a on -p "${UHUB_PORT}" -l "${UHUB_LOCATION}"
   retries=0
   while [ "$(find /dev -maxdepth 1 -name 'hi*' |wc -l)" = "$devs" ] && [ $retries -lt 10 ]; do
     # Generally takes a few seconds to settle in
@@ -16,11 +22,6 @@ if [ -n "${INPUT_UHUB_LOCATION}" ] && [ -n "${INPUT_UHUB_PORT}" ]; then
     echo "device is not available. Aborting"
     exit 1
   fi
-else
-  if [ -n "${INPUT_UHUB_LOCATION}" ] || [ -n "${INPUT_UHUB_PORT}" ]; then
-    echo "if UHUB functionality is desired, both uhub_location and uhub_port must be specified"
-    exit 1
-  fi
 fi
 
 dir="$(dirname "${INPUT_FILES}")"
@@ -74,7 +75,7 @@ done <<ALLFILES_INPUT
 $all_files
 ALLFILES_INPUT
 
-if [ -n "${INPUT_UHUB_LOCATION}" ] && [ -n "${INPUT_UHUB_PORT}" ]; then
+if [ "${INPUT_UHUB_CONTROL}" != "false" ]; then
   # Turn off the port when we're done
-  uhubctl -a off -p "${INPUT_UHUB_PORT}" -l "${INPUT_UHUB_LOCATION}"
+  uhubctl -a off -p "${UHUB_PORT}" -l "${UHUB_LOCATION}"
 fi