sigstore · woodruffw · Jul 15, 2024 · Jun 17, 2024 · Jun 17, 2024 · Jun 17, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,64 @@
+# Changelog
+
+All notable changes to `gh-action-sigstore-python` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+All versions prior to 3.0.0 are untracked.
+
+## [Unreleased]
+
+## [3.0.0]
+
+### Added
+
+* `inputs` now allows recursive globbing with `**`
+  ([#106](https://github.com/sigstore/gh-action-sigstore-python/pull/106))
+
+### Removed
+
+* The following settings have been removed: `fulcio-url`, `rekor-url`,
+  `ctfe`, `rekor-root-pubkey`
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+* The following output settings have been removed: `signature`,
+  `certificate`, `bundle`
+  ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146))
+
+
+### Changed
+
+* `inputs` is now parsed according to POSIX shell lexing rules, improving
+  the action's consistency when used with filenames containing whitespace
+  or other significant characters
+  ([#104](https://github.com/sigstore/gh-action-sigstore-python/pull/104))
+
+* `inputs` is now optional *if* `release-signing-artifacts` is true
+  *and* the action's event is a `release` event. In this case, the action
+  takes no explicit inputs, but signs the source archives already attached
+  to the associated release
+  ([#110](https://github.com/sigstore/gh-action-sigstore-python/pull/110))
+
+* The default suffix has changed from `.sigstore` to `.sigstore.json`,
+  per Sigstore's client specification
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* `release-signing-artifacts` now defaults to `true`
+  ([#142](https://github.com/sigstore/gh-action-sigstore-python/pull/142))
+
+### Fixed
+
+* The `release-signing-artifacts` setting no longer causes a hard error
+  when used under the incorrect event
+  ([#103](https://github.com/sigstore/gh-action-sigstore-python/pull/103))
+
+* Various deprecations present in `sigstore-python`'s 2.x series have been
+  resolved
+  ([#140](https://github.com/sigstore/gh-action-sigstore-python/pull/140))
+
+* This workflow now supports CI runners that use PEP 668 to constrain global
+  package prefixes
+  ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145))
+
+
+[Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: install
         run: python -m pip install .
-      - uses: sigstore/gh-action-sigstore-python@v2.1.1
+      - uses: sigstore/gh-action-sigstore-python@v3.0.0
         with:
           inputs: file.txt
 ```
@@ -53,15 +53,15 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t
 To sign one or more files:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file0.txt file1.txt file2.txt
 ```
 
 The `inputs` argument also supports file globbing:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: ./path/to/inputs/*.txt
 ```
@@ -70,7 +70,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using
 POSIX shell lexing rules:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: |
       ./path/to/inputs/*.txt
@@ -90,7 +90,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
 workflow will use the credentials found in the GitHub Actions environment.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
@@ -106,7 +106,7 @@ Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     oidc-client-id: alternative-sigstore-id
@@ -122,7 +122,7 @@ Connect Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     oidc-client-secret: alternative-sigstore-secret
@@ -138,7 +138,7 @@ instead of the default production instances.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     staging: true
@@ -161,7 +161,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     verify: true
@@ -184,7 +184,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
 Supplying it without `verify-oidc-issuer` will produce an error.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     verify: true
@@ -209,7 +209,7 @@ Supplying it without `verify-cert-identity` will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     verify: true
@@ -231,7 +231,7 @@ workflow artifact retention period is used.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -258,7 +258,7 @@ permissions:
 
 # ...
 
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
+- uses: sigstore/gh-action-sigstore-python@v3.0.0
   with:
     inputs: file.txt
     release-signing-artifacts: true
@@ -298,7 +298,7 @@ permissions:
   Example:
 
   ```yaml
-  - uses: sigstore/gh-action-sigstore-python@v2.1.1
+  - uses: sigstore/gh-action-sigstore-python@v3.0.0
     with:
       inputs: file.txt
       internal-be-careful-debug: true