Commit
Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0 (#47)
Bumps [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) from 2.1.1 to 3.0.0.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/sigstore/gh-action-sigstore-python/releases">sigstore/gh-action-sigstore-python's releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h3>Added</h3>
<ul>
<li><code>inputs</code> now allows recursive globbing with <code>**</code> (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/106">#106</a>)</li>
</ul>
<h3>Removed</h3>
<ul>
<li>The following settings have been removed: <code>fulcio-url</code>, <code>rekor-url</code>, <code>ctfe</code>, <code>rekor-root-pubkey</code> (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</li>
<li>The following output settings have been removed: <code>signature</code>, <code>certificate</code>, <code>bundle</code> (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/146">#146</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li><p><code>inputs</code> is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/104">#104</a>)</p></li>
<li><p><code>inputs</code> is now optional <em>if</em> <code>release-signing-artifacts</code> is true <em>and</em> the action's event is a <code>release</code> event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/110">#110</a>)</p></li>
<li><p>The default suffix has changed from <code>.sigstore</code> to <code>.sigstore.json</code>, per Sigstore's client specification (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p></li>
<li><p><code>release-signing-artifacts</code> now defaults to <code>true</code> (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/142">#142</a>)</p></li>
</ul>
<h3>Fixed</h3>
<ul>
<li><p>The <code>release-signing-artifacts</code> setting no longer causes a hard error when used under the incorrect event (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/103">#103</a>)</p></li>
<li><p>Various deprecations present in <code>sigstore-python</code>'s 2.x series have been resolved (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p></li>
<li><p>This workflow now supports CI runners that use PEP 668 to constrain global package prefixes (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/145">#145</a>)</p></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/f514d46b907ebcd5bedc05145c03b69c1edd8b46"><code>f514d46</code></a> Prep 3.0.0 (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/143">#143</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/da238ad4806ad4bceff0a421e715ba34c3c4f962"><code>da238ad</code></a> Cleanup workflows (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/148">#148</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/551a497f0abe7bcba261fd45a195f3d17eebb0c0"><code>551a497</code></a> action: remove old output settings (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/146">#146</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/16fbe9a8d335cfde2d487c8c459707abdd1c3704"><code>16fbe9a</code></a> action: flip <code>release-signing-artifacts</code> (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/142">#142</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/1ddeb829cc81aadc391a78096478d61db0dee7e6"><code>1ddeb82</code></a> action: use a venv to prevent PEP 668 errors (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/145">#145</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/94661007ff419d4795b935732494905162e79738"><code>9466100</code></a> requirements: sigstore ~3.0 (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/140">#140</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/26de7459ab0625282c11ecbcf6e65941b2886b09"><code>26de745</code></a> schedule-selftest: reduce nagging (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/134">#134</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/4dde77f8178a041d4cd24f34a5624231b525513d"><code>4dde77f</code></a> build(deps): bump the actions group with 1 update (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/111">#111</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/08a568c3d1b0d7483cb913510a741887d37c57e0"><code>08a568c</code></a> Allow empty inputs with release artifacts (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/110">#110</a>)</li>
<li><a href="https://github.com/sigstore/gh-action-sigstore-python/commit/8579d4832209d59081f278b17073a30dffc5da9a"><code>8579d48</code></a> build(deps): bump the actions group with 1 update (<a href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/107">#107</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0">compare view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>