Sourced fromsigstore/gh-action-sigstore-python's releases.

v3.0.0

Added

• inputs now allows recursive globbing with**(#106)

Removed

• The following settings have been removed:fulcio-url,rekor-url,ctfe,rekor-root-pubkey(#140)
• The following output settings have been removed:signature,certificate,bundle(#146)

Changed

• inputs is now parsed according to POSIX shell lexing rules, improvingthe action's consistency when used with filenames containing whitespaceor other significant characters(#104)

• inputs is now optionalifrelease-signing-artifacts is trueand the action's event is arelease event. In this case, the actiontakes no explicit inputs, but signs the source archives already attachedto the associated release(#110)

• The default suffix has changed from.sigstore to.sigstore.json,per Sigstore's client specification(#140)

• release-signing-artifacts now defaults totrue(#142)

Fixed

• Therelease-signing-artifacts setting no longer causes a hard errorwhen used under the incorrect event(#103)

• Various deprecations present insigstore-python's 2.x series have beenresolved(#140)

• This workflow now supports CI runners that use PEP 668 to constrain globalpackage prefixes(#145)

... (truncated)

Sourced fromsigstore/gh-action-sigstore-python's changelog.

[3.0.0]

Added

• inputs now allows recursive globbing with**(#106)

Removed

• The following settings have been removed:fulcio-url,rekor-url,ctfe,rekor-root-pubkey(#140)
• The following output settings have been removed:signature,certificate,bundle(#146)

Changed

• inputs is now parsed according to POSIX shell lexing rules, improvingthe action's consistency when used with filenames containing whitespaceor other significant characters(#104)

• inputs is now optionalifrelease-signing-artifacts is trueand the action's event is arelease event. In this case, the actiontakes no explicit inputs, but signs the source archives already attachedto the associated release(#110)

• The default suffix has changed from.sigstore to.sigstore.json,per Sigstore's client specification(#140)

• release-signing-artifacts now defaults totrue(#142)

Fixed

• Therelease-signing-artifacts setting no longer causes a hard errorwhen used under the incorrect event(#103)

• Various deprecations present insigstore-python's 2.x series have beenresolved(#140)

• This workflow now supports CI runners that use PEP 668 to constrain globalpackage prefixes(#145)

... (truncated)

• f514d46 Prep 3.0.0 (#143)
• da238ad Cleanup workflows (#148)
• 551a497 action: remove old output settings (#146)
• 16fbe9a action: fliprelease-signing-artifacts (#142)
• 1ddeb82 action: use a venv to prevent PEP 668 errors (#145)
• 9466100 requirements: sigstore ~3.0 (#140)
• 26de745 schedule-selftest: reduce nagging (#134)
• 4dde77f build(deps): bump the actions group with 1 update (#111)
• 08a568c Allow empty inputs with release artifacts (#110)
• 8579d48 build(deps): bump the actions group with 1 update (#107)
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)