Make CI run and test Windows deps on model signing (#86)

For future PRs (as they require more playing with GHA to fix):
- support Windows deps on SLSA
- support Windows deps on unit tests (for signing)
- minimize dependencies
- add unit tests for SLSA

Signed-off-by: Mihai Maruseac <[email protected]>

.github/workflows/scripts/venv_activate.sh

@@ -1,4 +1,13 @@
 #!/bin/bash
 
 # shellcheck source=/dev/null
-source venv/bin/activate || source venv/Scripts/activate
+if [[ -f venv/bin/activate ]]; then
+  source venv/bin/activate
+elif [[ -f venv/Scripts/activate ]]; then
+  source venv/Scripts/activate
+else
+  echo "Cannot activate venv sandbox. Failing"
+  exit 1
+fi
+
+echo "Successfully activated venv sandbox. Python is at `which python`"

.github/workflows/unit_tests.yml

@@ -29,15 +29,16 @@ jobs:
           model_signing/install/requirements_test_${{ runner.os }}.txt
     - name: Install dependencies
       run: |
-        set -euo pipefail
-        bash .github/workflows/scripts/venv_setup.sh
+        set -exuo pipefail
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
         python -m pip install --require-hashes -r model_signing/install/requirements_${{ runner.os }}.txt
         python -m pip install --require-hashes -r model_signing/install/requirements_test_${{ runner.os }}.txt
     - name: Run unit tests
       run: |
         set -euo pipefail
-        bash .github/workflows/scripts/venv_activate.sh
+        .github/workflows/scripts/venv_activate.sh
         # NOTE: option --full-trace may be useful for troubleshooting.
         # TODO(#68): Remove the need to create this folder.
         mkdir testdata
-        pytest -v .
+        pytest -v .

.github/workflows/validate_deps.yml

@@ -15,11 +15,11 @@ defaults:
 jobs:
   model-signing:
     name: Test model signing dependencies
-    runs-on: ${{ runner.os }}}
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false # Don't cancel other jobs if one fails
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
@@ -29,8 +29,9 @@ jobs:
         cache-dependency-path: model_signing/install/requirements_${{ runner.os }}.txt
     - name: Install dependencies
       run: |
-        set -euo pipefail
-        bash .github/workflows/scripts/venv_setup.sh
+        set -exuo pipefail
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
         python -m pip install --require-hashes -r model_signing/install/requirements_${{ runner.os }}.txt
 
   slsa-for-ml:
@@ -45,6 +46,7 @@ jobs:
         cache-dependency-path: slsa_for_models/install/requirements_${{ runner.os }}.txt
     - name: Install dependencies
       run: |
-        set -euo pipefail
-        bash .github/workflows/scripts/venv_setup.sh
+        set -exuo pipefail
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
         python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ runner.os }}.txt