Add support for a custom ZIP URL.

README.md

@@ -102,6 +102,10 @@ Yes, this action specifically supports [plugin release confirmation](https://dev
 
 Set the `timeout-minutes` directive to a little higher than the `timeout` input of the action, which is 60 minutes by default. This allows some leeway for generating the attestation if you confirm your release right before the timeout is reached. 70 is a reasonable value.
 
+## Does this work for hosts other than WordPress.org?
+
+Yes, this action supports hosts other than WordPress.org in case you want to generate an attestation for a ZIP file that you deploy elsewhere.
+
 ## How do I verify a plugin that publishes attestations?
 
 You need to know either the name of the repo that the plugin was built from, for example `johnbillion/query-monitor`, or the name of the owner, for example `johnbillion`.

action.yml

@@ -6,6 +6,10 @@ branding:
   color: green
 
 inputs:
+  zip-path:
+    description: The local path to the plugin ZIP file.
+    required: true
+    type: string
   plugin:
     description: The plugin slug
     required: false
@@ -16,15 +20,16 @@ inputs:
     required: false
     type: string
     default: ${{ github.ref_name }}
-  zip-path:
-    description: The path to the plugin zip file
-    required: true
-    type: string
   timeout:
     description: The maximum time in minutes to wait for the plugin zip to become available on WordPress.org
     required: false
     type: number
     default: 60
+  zip-url:
+    description: Optional. The URL where the plugin ZIP file is hosted (for platforms other than WordPress.org).
+    required: false
+    type: string
+    default: 'https://downloads.wordpress.org/plugin/%plugin%.%version%.zip'
   dry-run:
     description: Set this to true to skip generating the actual attestation
     required: false
@@ -39,22 +44,32 @@ runs:
         echo '${{ toJSON(inputs) }}'
       shell: bash
 
-    # This fetches the zipped plugin from w.org. The zip might not exist yet if the plugin uses release confirmation
-    # and the release hasn't been confirmed. This will retry until the zip is available or the timeout is reached.
-    - name: Fetch ZIP from WordPress.org
+    # This fetches the zipped plugin from the plugin directory. The ZIP might not exist yet if the plugin uses release confirmation
+    # and the release hasn't been confirmed. This will retry until the ZIP is available or the timeout is reached.
+    - name: Fetch ZIP from the plugin directory
+      env:
+        PLUGIN: ${{ inputs.plugin }}
+        VERSION: ${{ inputs.version }}
+        ZIP_URL: ${{ inputs.zip-url }}
+        TIMEOUT: ${{ inputs.timeout }}
       run: | #shell
-        zipurl="https://downloads.wordpress.org/plugin/${{ inputs.plugin }}.${{ inputs.version }}.zip"
+        zipurl="$ZIP_URL"
+        zipurl=${zipurl//%plugin%/$PLUGIN}
+        zipurl=${zipurl//%version%/$VERSION}
+
+        echo PLUGIN_HOST="$(echo "$zipurl" | awk -F/ '{print $3}')" >> "$GITHUB_ENV"
+
         echo "Fetching plugin ZIP from $zipurl ..."
         elapsed=0
         sleep=20
         per_minute=$((60 / $sleep))
-        max_retries=$(( ${{ inputs.timeout }} * $per_minute ))
+        max_retries=$(( ${TIMEOUT} * $per_minute ))
 
         while [ $elapsed -lt $max_retries ]; do
           # Perform a HEAD request to check if the ZIP is available
           status_code=$(curl -s -o /dev/null -w "%{http_code}" -I "$zipurl")
           if [ "$status_code" -eq 200 ]; then
-            curl -s -o "${{ inputs.plugin }}.zip" "$zipurl"
+            curl -s -o "${PLUGIN}.zip" "$zipurl"
             break
           else
             echo "Plugin ZIP not available yet (HTTP status $status_code), retrying in $sleep seconds..."
@@ -64,7 +79,7 @@ runs:
         done
 
         if [ $elapsed -ge $max_retries ]; then
-          echo "Error: ${{ inputs.timeout }} minute timeout reached. Plugin ZIP not available."
+          echo "Error: ${TIMEOUT} minute timeout reached. Plugin ZIP not available."
           exit 1
         fi
       shell: bash