chore: prep 3.0.1 (#183)

Author: woodruffw

CHANGELOG.md

@@ -8,9 +8,20 @@ All versions prior to 3.0.0 are untracked.
 
 ## [Unreleased]
 
+## [3.0.1]
+
 ### Changed
 
 * The minimum Python version supported by this action is now 3.9
+  ([#155](https://github.com/sigstore/gh-action-sigstore-python/pull/155))
+* The action's Python dependencies are now fully pinned to specific versions
+  ([#165](https://github.com/sigstore/gh-action-sigstore-python/pull/165))
+
+### Fixed
+
+* The `rfc3161-client` dependency has been upgrades to `1.0.3` to resolve
+  a security vulnerability
+  ([#182](https://github.com/sigstore/gh-action-sigstore-python/pull/182))
 
 ## [3.0.0]
 

README.md

@@ -5,7 +5,7 @@ gh-action-sigstore-python
 [![Self-test](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml/badge.svg)](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml)
 
 This GitHub Action uses [`sigstore-python`](https://github.com/sigstore/sigstore-python)
-to generate Sigstore signatures. `gh-action-sigstore-python` is the easiest way to [integrate Sigstore into your CI system](https://docs.sigstore.dev/quickstart/quickstart-ci/) and can be used for not only Python projects, but projects in other languages as well.  
+to generate Sigstore signatures. `gh-action-sigstore-python` is the easiest way to [integrate Sigstore into your CI system](https://docs.sigstore.dev/quickstart/quickstart-ci/) and can be used for not only Python projects, but projects in other languages as well.
 
 > [!IMPORTANT]
 > Are you publishing a package to PyPI? If so, you **do not need this action**:
@@ -36,7 +36,7 @@ jobs:
           persist-credentials: false
       - name: install
         run: python -m pip install .
-      - uses: sigstore/[email protected].0
+      - uses: sigstore/[email protected].1
         with:
           inputs: file.txt
 ```
@@ -60,15 +60,15 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t
 To sign one or more files:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file0.txt file1.txt file2.txt
 ```
 
 The `inputs` argument also supports file globbing:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: ./path/to/inputs/*.txt
 ```
@@ -77,7 +77,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using
 POSIX shell lexing rules:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: |
       ./path/to/inputs/*.txt
@@ -97,7 +97,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
 workflow will use the credentials found in the GitHub Actions environment.
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
@@ -113,7 +113,7 @@ Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     oidc-client-id: alternative-sigstore-id
@@ -129,7 +129,7 @@ Connect Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     oidc-client-secret: alternative-sigstore-secret
@@ -145,7 +145,7 @@ instead of the default production instances.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     staging: true
@@ -168,7 +168,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     verify: true
@@ -191,7 +191,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
 Supplying it without `verify-oidc-issuer` will produce an error.
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     verify: true
@@ -216,7 +216,7 @@ Supplying it without `verify-cert-identity` will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     verify: true
@@ -238,7 +238,7 @@ workflow artifact retention period is used.
 Example:
 
 ```yaml
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -265,7 +265,7 @@ permissions:
 
 # ...
 
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
   with:
     inputs: file.txt
     release-signing-artifacts: true
@@ -281,7 +281,7 @@ permissions:
 # ...
 
 # no explicit settings needed, signs all pre-existing release artifacts
-- uses: sigstore/[email protected].0
+- uses: sigstore/[email protected].1
 ```
 
 ### Internal options
@@ -305,7 +305,7 @@ permissions:
   Example:
 
   ```yaml
-  - uses: sigstore/[email protected].0
+  - uses: sigstore/[email protected].1
     with:
       inputs: file.txt
       internal-be-careful-debug: true