inputs now allows recursive globbing with **
(#106)
Removed
The following settings have been removed: fulcio-url, rekor-url,
ctfe, rekor-root-pubkey
(#140)
The following output settings have been removed: signature,
certificate, bundle
(#146)
Changed
inputs is now parsed according to POSIX shell lexing rules, improving
the action's consistency when used with filenames containing whitespace
or other significant characters
(#104)
inputs is now optional ifrelease-signing-artifacts is true
and the action's event is a release event. In this case, the action
takes no explicit inputs, but signs the source archives already attached
to the associated release
(#110)
The default suffix has changed from .sigstore to .sigstore.json,
per Sigstore's client specification
(#140)
release-signing-artifacts now defaults to true
(#142)
Fixed
The release-signing-artifacts setting no longer causes a hard error
when used under the incorrect event
(#103)
Various deprecations present in sigstore-python's 2.x series have been
resolved
(#140)
This workflow now supports CI runners that use PEP 668 to constrain global
package prefixes
(#145)
inputs now allows recursive globbing with **
(#106)
Removed
The following settings have been removed: fulcio-url, rekor-url,
ctfe, rekor-root-pubkey
(#140)
The following output settings have been removed: signature,
certificate, bundle
(#146)
Changed
inputs is now parsed according to POSIX shell lexing rules, improving
the action's consistency when used with filenames containing whitespace
or other significant characters
(#104)
inputs is now optional ifrelease-signing-artifacts is true
and the action's event is a release event. In this case, the action
takes no explicit inputs, but signs the source archives already attached
to the associated release
(#110)
The default suffix has changed from .sigstore to .sigstore.json,
per Sigstore's client specification
(#140)
release-signing-artifacts now defaults to true
(#142)
Fixed
The release-signing-artifacts setting no longer causes a hard error
when used under the incorrect event
(#103)
Various deprecations present in sigstore-python's 2.x series have been
resolved
(#140)
This workflow now supports CI runners that use PEP 668 to constrain global
package prefixes
(#145)
The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.
ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the actions group with 3 updates: sigstore/gh-action-sigstore-python, softprops/action-gh-release and actions/upload-artifact.
Updates
sigstore/gh-action-sigstore-python
from 2.1.1 to 3.0.0Release notes
Sourced from sigstore/gh-action-sigstore-python's releases.
... (truncated)
Changelog
Sourced from sigstore/gh-action-sigstore-python's changelog.
... (truncated)
Commits
f514d46
Prep 3.0.0 (#143)da238ad
Cleanup workflows (#148)551a497
action: remove old output settings (#146)16fbe9a
action: fliprelease-signing-artifacts
(#142)1ddeb82
action: use a venv to prevent PEP 668 errors (#145)9466100
requirements: sigstore ~3.0 (#140)26de745
schedule-selftest: reduce nagging (#134)4dde77f
build(deps): bump the actions group with 1 update (#111)08a568c
Allow empty inputs with release artifacts (#110)8579d48
build(deps): bump the actions group with 1 update (#107)Updates
softprops/action-gh-release
from 1 to 2Release notes
Sourced from softprops/action-gh-release's releases.
Changelog
Sourced from softprops/action-gh-release's changelog.
Commits
a74c6b7
update changelogb909f76
update dist/index.jse49d08f
chore(deps): bump glob from 8.0.3 to 10.4.2f12ad25
chore(deps): bump@octokit/plugin-throttling
from 4.3.2 to 9.3.07039a82
chore: release 2.0.6f9c2b6c
chore: update deps and run build73738a6
chore(deps): bump node dep and@types/node
a500a35
Bump ts-jest from 29.0.3 to 29.1.4 (#459)69320db
update changelog9771ccf
update changelog rebuild distUpdates
actions/upload-artifact
from 3 to 4Release notes
Sourced from actions/upload-artifact's releases.
Commits
0b2256b
Merge pull request #584 from actions/robherley/bump-pkgs488dcef
licensed cache04c51f5
ncc32a9e27
bump@actions/artifact
and npm audit552bf37
new version79616d2
Merge pull request #565 from actions/eggyhead/use-artifact-v2.1.66546280
updating package versionc004fb4
Merge branch 'main' into eggyhead/use-artifact-v2.1.690aba49
updating toolkit artifact dependency to 2.1.6b06cde3
Merge pull request #563 from actions/eggyhead/release-4.3.2You can trigger a rebase of this PR by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show