Skip to content

Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0#1289

Merged
elopez merged 1 commit intomasterfrom
dependabot/github_actions/sigstore/gh-action-sigstore-python-3.0.0
Jul 16, 2024
Merged

Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0#1289
elopez merged 1 commit intomasterfrom
dependabot/github_actions/sigstore/gh-action-sigstore-python-3.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Jul 15, 2024

Bumps sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0.

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.0.0

Added

  • inputs now allows recursive globbing with ** (#106)

Removed

  • The following settings have been removed: fulcio-url, rekor-url, ctfe, rekor-root-pubkey (#140)
  • The following output settings have been removed: signature, certificate, bundle (#146)

Changed

  • inputs is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (#104)

  • inputs is now optional if release-signing-artifacts is true and the action's event is a release event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (#110)

  • The default suffix has changed from .sigstore to .sigstore.json, per Sigstore's client specification (#140)

  • release-signing-artifacts now defaults to true (#142)

Fixed

  • The release-signing-artifacts setting no longer causes a hard error when used under the incorrect event (#103)

  • Various deprecations present in sigstore-python's 2.x series have been resolved (#140)

  • This workflow now supports CI runners that use PEP 668 to constrain global package prefixes (#145)

... (truncated)

Changelog

Sourced from sigstore/gh-action-sigstore-python's changelog.

[3.0.0]

Added

  • inputs now allows recursive globbing with ** (#106)

Removed

  • The following settings have been removed: fulcio-url, rekor-url, ctfe, rekor-root-pubkey (#140)
  • The following output settings have been removed: signature, certificate, bundle (#146)

Changed

  • inputs is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (#104)

  • inputs is now optional if release-signing-artifacts is true and the action's event is a release event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (#110)

  • The default suffix has changed from .sigstore to .sigstore.json, per Sigstore's client specification (#140)

  • release-signing-artifacts now defaults to true (#142)

Fixed

  • The release-signing-artifacts setting no longer causes a hard error when used under the incorrect event (#103)

  • Various deprecations present in sigstore-python's 2.x series have been resolved (#140)

  • This workflow now supports CI runners that use PEP 668 to constrain global package prefixes (#145)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0
1a0c51a 
Bumps [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/gh-action-sigstore-python@v2.1.1...v3.0.0)

---
updated-dependencies:
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from elopez as a code owner July 15, 2024 21:15
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 15, 2024
@dependabot dependabot bot requested review from arcz and gustavo-grieco as code owners July 15, 2024 21:15
@elopez elopez merged commit 7bbfd68 into master Jul 16, 2024
@elopez elopez deleted the dependabot/github_actions/sigstore/gh-action-sigstore-python-3.0.0 branch July 16, 2024 08:16
@BrewTestBot BrewTestBot mentioned this pull request Jul 16, 2024
Merged
datradito pushed a commit to datradito/echidna-mcp that referenced this pull request Dec 29, 2025
@dependabot
Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0 (crytic#1289
3d400f2 
)

Bumps [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/gh-action-sigstore-python@v2.1.1...v3.0.0)

---
updated-dependencies:
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elopez elopez elopez approved these changes

@gustavo-grieco gustavo-grieco Awaiting requested review from gustavo-grieco gustavo-grieco is a code owner

@arcz arcz Awaiting requested review from arcz arcz is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@elopez