Prep 3.0.0 (#143)
woodruffw authored Jul 15, 2024
1 parent da238ad commit f514d46
Showing 2 changed files with 78 additions and 14 deletions.
64 changes: 64 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,64 @@
# Changelog

All notable changes to `gh-action-sigstore-python` will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

All versions prior to 3.0.0 are untracked.

## [Unreleased]

## [3.0.0]

### Added

* `inputs` now allows recursive globbing with `**`
([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106))

### Removed

* The following settings have been removed: `fulcio-url`, `rekor-url`,
`ctfe`, `rekor-root-pubkey`
([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
* The following output settings have been removed: `signature`,
`certificate`, `bundle`
([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146))


### Changed

* `inputs` is now parsed according to POSIX shell lexing rules, improving
the action's consistency when used with filenames containing whitespace
or other significant characters
([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104))

* `inputs` is now optional *if* `release-signing-artifacts` is true
*and* the action's event is a `release` event. In this case, the action
takes no explicit inputs, but signs the source archives already attached
to the associated release
([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110))

* The default suffix has changed from `.sigstore` to `.sigstore.json`,
per Sigstore's client specification
([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))

* `release-signing-artifacts` now defaults to `true`
([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142))

### Fixed

* The `release-signing-artifacts` setting no longer causes a hard error
when used under the incorrect event
([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103))

* Various deprecations present in `sigstore-python`'s 2.x series have been
resolved
([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))

* This workflow now supports CI runners that use PEP 668 to constrain global
package prefixes
([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145))


[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD
[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0
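Review bot: The `### Removed` and `### Changed` entries record breaking changes but give no upgrade guidance for a workflow coming from v2.1.1. For the removed inputs (`fulcio-url`, `rekor-url`, `ctfe`, `rekor-root-pubkey`) and outputs (`signature`, `certificate`, `bundle`), please state whether a workflow that still passes or reads them fails or is silently ignored, and what replaces them, if anything. For the suffix change from `.sigstore` to `.sigstore.json`, note that any downstream step globbing for `*.sigstore` has to be updated. The `release-signing-artifacts` default flipping to `true` deserves the same treatment, since it changes behaviour for users who never set it. Minor: there are two consecutive blank lines before `### Changed` and before the link references.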
28 changes: 14 additions & 14 deletions README.md
Expand Up @@ -29,7 +29,7 @@ jobs:
- uses: actions/checkout@v3
- name: install
run: python -m pip install .
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
```
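Review bot: The bumped `uses: sigstore/gh-action-sigstore-python@v3.0.0` line still pins the action by tag, as does the `actions/checkout@v3` context line above it. This is the snippet most users will copy into a signing job, so consider showing the full commit SHA with the version in a trailing comment, or at least mentioning that a tag ref is mutable. Separately, since this commit is titled "Prep 3.0.0", confirm the `v3.0.0` tag is pushed together with the merge so the README does not point at a ref that fails to resolve.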
Expand All @@ -53,15 +53,15 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t
To sign one or more files:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file0.txt file1.txt file2.txt
```

The `inputs` argument also supports file globbing:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: ./path/to/inputs/*.txt
```
Expand All @@ -70,7 +70,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using
POSIX shell lexing rules:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: |
./path/to/inputs/*.txt
Expand All @@ -90,7 +90,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
workflow will use the credentials found in the GitHub Actions environment.

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere
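Review bot: The context line `identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere` directly under the bumped `uses:` is not a valid GitHub Actions expression as written, because a bare name has no context and a copy-pasted workflow will fail expression evaluation. While touching this example, suggest spelling out where the token comes from, for instance `${{ secrets.IDENTITY_TOKEN }}` or a step output, so the example is usable and does not encourage hard-coding a token.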
Expand All @@ -106,7 +106,7 @@ Server during OAuth2.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
oidc-client-id: alternative-sigstore-id
Expand All @@ -122,7 +122,7 @@ Connect Server during OAuth2.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
oidc-client-secret: alternative-sigstore-secret
Expand All @@ -138,7 +138,7 @@ instead of the default production instances.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
staging: true
Expand All @@ -161,7 +161,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
verify: true
Expand All @@ -184,7 +184,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
Supplying it without `verify-oidc-issuer` will produce an error.

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
verify: true
Expand All @@ -209,7 +209,7 @@ Supplying it without `verify-cert-identity` will produce an error.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
verify: true
Expand All @@ -231,7 +231,7 @@ workflow artifact retention period is used.
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
upload-signing-artifacts: true
Expand All @@ -258,7 +258,7 @@ permissions:
# ...
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
release-signing-artifacts: true
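Review bot: This example still sets `release-signing-artifacts: true` together with `inputs: file.txt`, while the CHANGELOG added in this same commit says the setting now defaults to `true` and that `inputs` is optional on `release` events. Suggest either dropping the now-redundant line or adding a second example without `inputs` to show the 3.0.0 behaviour, and checking that the prose around this block (outside the hunk) states the new default.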
Expand Down Expand Up @@ -298,7 +298,7 @@ permissions:
Example:

```yaml
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: file.txt
internal-be-careful-debug: true