All notable changes to gh-action-sigstore-python will be documented in this file.
The format is based on Keep a Changelog.
All versions prior to 3.0.0 are untracked.
gh-action-sigstore-python now manages the Python version it uses internally, improving reliability.
gh-action-sigstore-python is now compatible with the Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).
- The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)
- Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)
- A `rekor-version` argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using `staging: true`). (#228)
- The minimum Python version supported by this action is now 3.9 (#155)
- The action's Python dependencies are now fully pinned to specific versions (#165)
- The `rfc3161-client` dependency has been upgraded to `1.0.3` to resolve a security vulnerability (#182)
- `inputs` now allows recursive globbing with `**` (#106)
- The following settings have been removed: `fulcio-url`, `rekor-url`, `ctfe`, `rekor-root-pubkey` (#140)
- The following output settings have been removed: `signature`, `certificate`, `bundle` (#146)
- `inputs` is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (#104)
- `inputs` is now optional if `release-signing-artifacts` is true and the action's event is a `release` event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (#110)
- The default suffix has changed from `.sigstore` to `.sigstore.json`, per Sigstore's client specification (#140)
- `release-signing-artifacts` now defaults to `true` (#142)
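The two `inputs` changes above (POSIX shell lexing, and `**` recursive globbing) together decide which files end up signed, so it is worth seeing how they interact. The following is an added illustration, not the action's own code: it models the behaviour with the standard library (`shlex.split` for the lexing, `glob.glob(..., recursive=True)` for `**`) on a constructed directory tree, and fails loudly when a token matches nothing, since an input that silently signs nothing is the failure mode a release pipeline most needs to notice.

```python
import glob
import os
import shlex
import tempfile
from pathlib import Path


def resolve_inputs(inputs: str, root: str) -> list[str]:
    """Split ``inputs`` with POSIX shell lexing, then expand each token as a
    glob relative to ``root`` (``**`` recurses into subdirectories).
    Returns sorted, de-duplicated relative paths of regular files.
    Raises FileNotFoundError if any token matches no file at all."""
    found: set[str] = set()
    for token in shlex.split(inputs, comments=False):
        pattern = os.path.join(root, token)
        matches = [p for p in glob.glob(pattern, recursive=True) if os.path.isfile(p)]
        if not matches:
            raise FileNotFoundError(f"input {token!r} matched no files")
        found.update(os.path.relpath(p, root) for p in matches)
    return sorted(found)


def _make_tree(root: str) -> None:
    # Constructed sample tree; these are not files from any real release.
    for rel in ("dist/pkg-1.0.tar.gz",
                "dist/wheels/pkg-1.0-py3-none-any.whl",
                "release notes.txt",
                "README.md"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")


def demo_quoted() -> list[str]:
    """Quoting keeps the path with a space as one token; ``**`` finds the wheel."""
    with tempfile.TemporaryDirectory() as root:
        _make_tree(root)
        return resolve_inputs("dist/**/*.whl dist/*.tar.gz 'release notes.txt'", root)


def demo_unquoted_fails() -> bool:
    """Unquoted, shell lexing splits 'release notes.txt' into two tokens,
    and the non-existent 'release' token is reported instead of ignored."""
    with tempfile.TemporaryDirectory() as root:
        _make_tree(root)
        try:
            resolve_inputs("release notes.txt", root)
        except FileNotFoundError:
            return True
        return False
```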