Release 3.1

.github/workflows/release.yml

@@ -23,4 +23,3 @@ jobs:
         id: sigstore-python
         with:
           inputs: action.yml action.py
-          release-signing-artifacts: true

.github/workflows/schedule-selftest.yml

@@ -37,10 +37,10 @@ jobs:
           EOF
 
       - name: Open issue
-        uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1
         with:
           title: "[CI] Self-test failure"
           # created in the previous step
           content-filepath: /tmp/issue.md
           labels: bug
-          assignees: woodruffw,tetsuo-cpp,tnytown
+          assignees: woodruffw

.github/workflows/selftest.yml

@@ -19,6 +19,8 @@ jobs:
           - ubuntu-latest
           - macos-latest
           - windows-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
@@ -36,40 +38,31 @@ jobs:
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
-  selftest-whitespace:
+  selftest-runner-python:
     strategy:
       matrix:
         os:
           - ubuntu-latest
-          - macos-latest
-          - windows-latest
+          # TODO: Can be removed when 24.04 becomes ubuntu-latest.
+          - ubuntu-24.04
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        if: ${{ matrix.os != 'ubuntu-latest' }}
-        with:
-          python-version: "3.x"
       - name: Sign artifact and publish signature
         uses: ./
         id: sigstore-python
         with:
-          inputs: |
-            ./test/artifact.txt
-            ./test/white\ space.txt
-            ./test/"more white space.txt"
+          inputs: ./test/artifact.txt
           internal-be-careful-debug: true
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/white\ space.txt ]] || exit 1
-          [[ -f ./test/more\ white\ space.txt ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
-  selftest-release-signing-artifacts-no-op:
+  selftest-whitespace:
     strategy:
       matrix:
         os:
@@ -88,15 +81,17 @@ jobs:
         uses: ./
         id: sigstore-python
         with:
-          inputs: ./test/artifact.txt
-          # The trigger for this test is not a release, so this has no effect
-          # (but does not break the workflow either).
-          release-signing-artifacts: true
+          inputs: |
+            ./test/artifact.txt
+            ./test/white\ space.txt
+            ./test/"more white space.txt"
           internal-be-careful-debug: true
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/white\ space.txt ]] || exit 1
+          [[ -f ./test/more\ white\ space.txt ]] || exit 1
 
   selftest-xfail-invalid-inputs:
     runs-on: ubuntu-latest
@@ -140,7 +135,7 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
   selftest-glob:
     runs-on: ubuntu-latest
@@ -156,9 +151,9 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
 
   selftest-xfail-glob-input-expansion:
     runs-on: ubuntu-latest
@@ -200,14 +195,14 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
-          [[ -f ./test/another1.txt.sigstore ]] || exit 1
-          [[ -f ./test/another2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -229,30 +224,9 @@ jobs:
       - name: Verify presence of uploaded files
         run: |
           [[ -f ./artifact.txt ]] || exit 1
-          [[ -f ./artifact.txt.sigstore ]] || exit 1
+          [[ -f ./artifact.txt.sigstore.json ]] || exit 1
         working-directory: ./test/uploaded
 
-  selftest-custom-paths:
-    runs-on: ubuntu-latest
-    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
-    steps:
-      - uses: actions/checkout@v4
-      - name: Sign artifact and publish signature
-        uses: ./
-        id: sigstore-python
-        with:
-          inputs: ./test/artifact.txt
-          signature: ./test/custom_signature.sig
-          certificate: ./test/custom_certificate.crt
-          bundle: ./test/custom_bundle.sigstore
-          staging: true
-          internal-be-careful-debug: true
-      - name: Check outputs
-        run: |
-          [[ -f ./test/custom_signature.sig ]] || exit 1
-          [[ -f ./test/custom_certificate.crt ]] || exit 1
-          [[ -f ./test/custom_bundle.sigstore ]] || exit 1
-
   selftest-verify:
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
@@ -346,13 +320,11 @@ jobs:
     needs:
       - selftest
       - selftest-whitespace
-      - selftest-release-signing-artifacts-no-op
       - selftest-xfail-invalid-inputs
       - selftest-staging
       - selftest-glob
       - selftest-glob-multiple
       - selftest-upload-artifacts
-      - selftest-custom-paths
       - selftest-verify
       - selftest-xfail-verify-missing-options
       - selftest-identity-token

CHANGELOG.md

@@ -0,0 +1,64 @@
+# Changelog
+
+All notable changes to `gh-action-sigstore-python` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+All versions prior to 3.0.0 are untracked.
+
+## [Unreleased]
+
+## [3.0.0]
+
+### Added
+
+* `inputs` now allows recursive globbing with `**`
+  ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106))
+
+### Removed
+
+* The following settings have been removed: `fulcio-url`, `rekor-url`,
+  `ctfe`, `rekor-root-pubkey`
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+* The following output settings have been removed: `signature`,
+  `certificate`, `bundle`
+  ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146))
+
+
+### Changed
+
+* `inputs` is now parsed according to POSIX shell lexing rules, improving
+  the action's consistency when used with filenames containing whitespace
+  or other significant characters
+  ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104))
+
+* `inputs` is now optional *if* `release-signing-artifacts` is true
+  *and* the action's event is a `release` event. In this case, the action
+  takes no explicit inputs, but signs the source archives already attached
+  to the associated release
+  ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110))
+
+* The default suffix has changed from `.sigstore` to `.sigstore.json`,
+  per Sigstore's client specification
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* `release-signing-artifacts` now defaults to `true`
+  ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142))
+
+### Fixed
+
+* The `release-signing-artifacts` setting no longer causes a hard error
+  when used under the incorrect event
+  ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103))
+
+* Various deprecations present in `sigstore-python`'s 2.x series have been
+  resolved
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* This workflow now supports CI runners that use PEP 668 to constrain global
+  package prefixes
+  ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145))
+
+
+[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0