Release 3.1 (#14)

(sigstore#134):
* schedule-selftest: reduce nagging
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#140):
* requirements: sigstore ~3.0
* selftest: update filenames
* action: update another path
* action: remove deprecated settings
* README: remove old docs
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#145):
* action: use a venv to prevent PEP 668 errors
* action: use sys.executable
* fight with Windows
* setup: minimum Python is 3.8 (This has been true for a while)
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#142):
* action: flip `release-signing-artifacts`
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#146):
* action: remove old output settings
* selftest: remove old test ref
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

Cleanup workflows (sigstore#148):
* Workflows: remove default input arg from action call
* workflows: Remove unnecessary selftest

release-signing-artifacts defaults to "true" so the removed test now
duplicates the previous test.

We could try testing the release-signing-artifacts == "false" but that's
a bit trickier since it could only be done in a release event...

* workflows: Drop recently removed job from needs-list
---------
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Prep 3.0.0 (sigstore#143):
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#152):
* build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group
---------
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

(sigstore#154):
* Fix remaining reference to 2.1.1 in README
---------
Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com>

(sigstore#151):
* Enable debugging also if ACTIONS_STEP_DEBUG==true
---------
Co-authored-by: rindeal <dev.rindeal@gmail.com>
Co-authored-by: William Woodruff <william@trailofbits.com>

Upgrade Dependencies:
* Update requirements.txt - upgrade sigstore 3.1, upgrade requests 2.32
---------
Signed-off-by: DK96-OS <69859316+DK96-OS@users.noreply.github.com>

.github/workflows/release.yml

@@ -23,4 +23,3 @@ jobs:
         id: sigstore-python
         with:
           inputs: action.yml action.py
-          release-signing-artifacts: true

.github/workflows/schedule-selftest.yml

@@ -37,10 +37,10 @@ jobs:
           EOF
 
       - name: Open issue
-        uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1
         with:
           title: "[CI] Self-test failure"
           # created in the previous step
           content-filepath: /tmp/issue.md
           labels: bug
-          assignees: woodruffw,tetsuo-cpp,tnytown
+          assignees: woodruffw

.github/workflows/selftest.yml

@@ -19,6 +19,8 @@ jobs:
           - ubuntu-latest
           - macos-latest
           - windows-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
@@ -36,40 +38,31 @@ jobs:
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
-  selftest-whitespace:
+  selftest-runner-python:
     strategy:
       matrix:
         os:
           - ubuntu-latest
-          - macos-latest
-          - windows-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        if: ${{ matrix.os != 'ubuntu-latest' }}
-        with:
-          python-version: "3.x"
       - name: Sign artifact and publish signature
         uses: ./
         id: sigstore-python
         with:
-          inputs: |
-            ./test/artifact.txt
-            ./test/white\ space.txt
-            ./test/"more white space.txt"
+          inputs: ./test/artifact.txt
           internal-be-careful-debug: true
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/white\ space.txt ]] || exit 1
-          [[ -f ./test/more\ white\ space.txt ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
-  selftest-release-signing-artifacts-no-op:
+  selftest-whitespace:
     strategy:
       matrix:
         os:
@@ -88,15 +81,17 @@ jobs:
         uses: ./
         id: sigstore-python
         with:
-          inputs: ./test/artifact.txt
-          # The trigger for this test is not a release, so this has no effect
-          # (but does not break the workflow either).
-          release-signing-artifacts: true
+          inputs: |
+            ./test/artifact.txt
+            ./test/white\ space.txt
+            ./test/"more white space.txt"
           internal-be-careful-debug: true
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/white\ space.txt ]] || exit 1
+          [[ -f ./test/more\ white\ space.txt ]] || exit 1
 
   selftest-xfail-invalid-inputs:
     runs-on: ubuntu-latest
@@ -140,7 +135,7 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
   selftest-glob:
     runs-on: ubuntu-latest
@@ -156,9 +151,9 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
 
   selftest-xfail-glob-input-expansion:
     runs-on: ubuntu-latest
@@ -200,14 +195,14 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
-          [[ -f ./test/another1.txt.sigstore ]] || exit 1
-          [[ -f ./test/another2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -229,30 +224,9 @@ jobs:
       - name: Verify presence of uploaded files
         run: |
           [[ -f ./artifact.txt ]] || exit 1
-          [[ -f ./artifact.txt.sigstore ]] || exit 1
+          [[ -f ./artifact.txt.sigstore.json ]] || exit 1
         working-directory: ./test/uploaded
 
-  selftest-custom-paths:
-    runs-on: ubuntu-latest
-    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
-    steps:
-      - uses: actions/checkout@v4
-      - name: Sign artifact and publish signature
-        uses: ./
-        id: sigstore-python
-        with:
-          inputs: ./test/artifact.txt
-          signature: ./test/custom_signature.sig
-          certificate: ./test/custom_certificate.crt
-          bundle: ./test/custom_bundle.sigstore
-          staging: true
-          internal-be-careful-debug: true
-      - name: Check outputs
-        run: |
-          [[ -f ./test/custom_signature.sig ]] || exit 1
-          [[ -f ./test/custom_certificate.crt ]] || exit 1
-          [[ -f ./test/custom_bundle.sigstore ]] || exit 1
-
   selftest-verify:
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
@@ -346,13 +320,11 @@ jobs:
     needs:
       - selftest
       - selftest-whitespace
-      - selftest-release-signing-artifacts-no-op
       - selftest-xfail-invalid-inputs
       - selftest-staging
       - selftest-glob
       - selftest-glob-multiple
       - selftest-upload-artifacts
-      - selftest-custom-paths
       - selftest-verify
       - selftest-xfail-verify-missing-options
       - selftest-identity-token

CHANGELOG.md

@@ -0,0 +1,64 @@
+# Changelog
+
+All notable changes to `gh-action-sigstore-python` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+All versions prior to 3.0.0 are untracked.
+
+## [Unreleased]
+
+## [3.0.0]
+
+### Added
+
+* `inputs` now allows recursive globbing with `**`
+  ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106))
+
+### Removed
+
+* The following settings have been removed: `fulcio-url`, `rekor-url`,
+  `ctfe`, `rekor-root-pubkey`
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+* The following output settings have been removed: `signature`,
+  `certificate`, `bundle`
+  ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146))
+
+
+### Changed
+
+* `inputs` is now parsed according to POSIX shell lexing rules, improving
+  the action's consistency when used with filenames containing whitespace
+  or other significant characters
+  ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104))
+
+* `inputs` is now optional *if* `release-signing-artifacts` is true
+  *and* the action's event is a `release` event. In this case, the action
+  takes no explicit inputs, but signs the source archives already attached
+  to the associated release
+  ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110))
+
+* The default suffix has changed from `.sigstore` to `.sigstore.json`,
+  per Sigstore's client specification
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* `release-signing-artifacts` now defaults to `true`
+  ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142))
+
+### Fixed
+
+* The `release-signing-artifacts` setting no longer causes a hard error
+  when used under the incorrect event
+  ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103))
+
+* Various deprecations present in `sigstore-python`'s 2.x series have been
+  resolved
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* This workflow now supports CI runners that use PEP 668 to constrain global
+  package prefixes
+  ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145))
+
+
+[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0