I suppose an argument could be made to pin these exactly as well (==2.1.0) -- but I'm not sure about it and that sounds like a potential separate issue.

Yeah, I've gone back and forth on that -- on one hand the workflow should probably as hermetic/reproducible as possible, and on the other doing an exact pin means that every single sigstore-python release needs to be accompanied by a workflow release (eliminating the value of us using semver).

I don't have any strong opinions here, though -- if best practice on GHA is to make workflows hermetic, then we should do that 🙂

I think as long as there's enough information to determine what version was used in a given action run, it would be preferable for this to be unpinned or loosely pinned.

Makes sense. We currently list the version as part of pip's output during the workflow's setup, but I can also make it more prominent/a dedicated output somewhere as well.

I've made the sigstore-python version a bit more prominent, example here: https://github.com/sigstore/gh-action-sigstore-python/actions/runs/7201147355/job/19616624805#step:4:125