chore(deps): bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0

[dependabot[bot]]

Bumps sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0.

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.0.0

Added

• inputs now allows recursive globbing with ** (#106)

Removed

• The following settings have been removed: fulcio-url, rekor-url, ctfe, rekor-root-pubkey (#140)
• The following output settings have been removed: signature, certificate, bundle (#146)

Changed

• inputs is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (#104)

• inputs is now optional if release-signing-artifacts is true and the action's event is a release event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (#110)

• The default suffix has changed from .sigstore to .sigstore.json, per Sigstore's client specification (#140)

• release-signing-artifacts now defaults to true (#142)

Fixed

• The release-signing-artifacts setting no longer causes a hard error when used under the incorrect event (#103)

• Various deprecations present in sigstore-python's 2.x series have been resolved (#140)

• This workflow now supports CI runners that use PEP 668 to constrain global package prefixes (#145)

... (truncated)

Changelog

Sourced from sigstore/gh-action-sigstore-python's changelog.

[3.0.0]

Added

• inputs now allows recursive globbing with ** (#106)

Removed

• The following settings have been removed: fulcio-url, rekor-url, ctfe, rekor-root-pubkey (#140)
• The following output settings have been removed: signature, certificate, bundle (#146)

Changed

• inputs is now parsed according to POSIX shell lexing rules, improving the action's consistency when used with filenames containing whitespace or other significant characters (#104)

• inputs is now optional if release-signing-artifacts is true and the action's event is a release event. In this case, the action takes no explicit inputs, but signs the source archives already attached to the associated release (#110)

• The default suffix has changed from .sigstore to .sigstore.json, per Sigstore's client specification (#140)

• release-signing-artifacts now defaults to true (#142)

Fixed

• The release-signing-artifacts setting no longer causes a hard error when used under the incorrect event (#103)

• Various deprecations present in sigstore-python's 2.x series have been resolved (#140)

• This workflow now supports CI runners that use PEP 668 to constrain global package prefixes (#145)

... (truncated)

Commits

• f514d46 Prep 3.0.0 (#143)
• da238ad Cleanup workflows (#148)
• 551a497 action: remove old output settings (#146)
• 16fbe9a action: flip release-signing-artifacts (#142)
• 1ddeb82 action: use a venv to prevent PEP 668 errors (#145)
• 9466100 requirements: sigstore ~3.0 (#140)
• 26de745 schedule-selftest: reduce nagging (#134)
• 4dde77f build(deps): bump the actions group with 1 update (#111)
• 08a568c Allow empty inputs with release artifacts (#110)
• 8579d48 build(deps): bump the actions group with 1 update (#107)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)