v3.1.0

gh-action-sigstore-python is now compatible with Rekor v2
transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated
  (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies
  (#225)

Added

• rekor-version argument was added to control the Rekor transparency log
  version when signing. The default version in the gh-action-sigstore-python
  3.x series will remain 1 (except when using staging: true).
  (#228)

v3.0.1

Changed

• The minimum Python version supported by this action is now 3.9
  (#155)
• The action's Python dependencies are now fully pinned to specific versions
  (#165)

Fixed

• The rfc3161-client dependency has been upgraded to 1.0.3 to resolve
  a security vulnerability
  (#182)

v3.0.0

Added

• inputs now allows recursive globbing with **
  (#106)

Removed

• The following settings have been removed: fulcio-url, rekor-url,
  ctfe, rekor-root-pubkey
  (#140)
• The following output settings have been removed: signature,
  certificate, bundle
  (#146)

Changed

• inputs is now parsed according to POSIX shell lexing rules, improving
  the action's consistency when used with filenames containing whitespace
  or other significant characters
  (#104)

• inputs is now optional if release-signing-artifacts is true
  and the action's event is a release event. In this case, the action
  takes no explicit inputs, but signs the source archives already attached
  to the associated release
  (#110)

• The default suffix has changed from .sigstore to .sigstore.json,
  per Sigstore's client specification
  (#140)

• release-signing-artifacts now defaults to true
  (#142)

Fixed

• The release-signing-artifacts setting no longer causes a hard error
  when used under the incorrect event
  (#103)

• Various deprecations present in sigstore-python's 2.x series have been
  resolved
  (#140)

• This workflow now supports CI runners that use PEP 668 to constrain global
  package prefixes
  (#145)

v2.1.2rc1

What's Changed

• CI: add dependabot config by @woodruffw in #101
• build(deps): bump the actions group with 4 updates by @dependabot in #102

New Contributors

• @dependabot made their first contribution in #102

Full Changelog: v2.1.1...v2.1.2rc1

v2.1.1

What's Changed

• requirements: pin sigstore-rekor-types subdep by @woodruffw in #95
• requirements: bump sigstore-python by @woodruffw in #97
• Prep 2.1.1 by @tetsuo-cpp in #98

Full Changelog: v2.1.0...v2.1.1

v2.1.0

What's Changed

• requirements: sigstore ~= 2.0 by @woodruffw in #81
• README: prep 2.1.0 by @woodruffw in #82

Full Changelog: v2.0.1...v2.1.0

v2.0.1

What's Changed

• feat: more debugging, version printing by @woodruffw in #68
• selftest: add checks to selftest-glob by @woodruffw in #75
• README: prep 2.0.1 by @woodruffw in #78

Full Changelog: v2.0.0...v2.0.1

v2.0.0

What's Changed

• action, selftest: deprecate bundle-only: false by @tnytown in #65
• action: handle slashes in ref names by @woodruffw in #63
• schedule-selftest.yml workflow by @tnytown in #66
• action: accommodate Windows by @woodruffw in #72
• README: prep 2.0.0 by @woodruffw in #73

Full Changelog: v1.2.3...v2.0.0

Release 1.2.3

What's Changed

• action: deduplicate release artifact upload by @tnytown in #60
• Prep 1.2.3 by @tetsuo-cpp in #61

Full Changelog: v1.2.2...v1.2.3

Release 1.2.2

What's Changed

• action: upload artifact being signed for by @tnytown in #55
• action: stringify file_ by @tnytown in #57
• lint action.py with mypy by @tnytown in #58
• README: prep 1.2.2 by @woodruffw in #59

Full Changelog: v1.2.1...v1.2.2