Prepare 3.1.0 release (#230)

jku · web-flow · commit f83232617323 · 2025-10-21T10:22:17.000+03:00
Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,29 @@ All versions prior to 3.0.0 are untracked.
 
 ## [Unreleased]
 
+## [3.1.0]
+
+`gh-action-sigstore-python` is now compatible with [Rekor v2](https://blog.sigstore.dev/rekor-v2-ga/)
+transparency log (but produced signature bundles still contain Rekor v1 entries by default).
+
+### Changed
+
+* The action now uses sigstore-python 4.1. All other dependencies are also updated
+  ([#220](https://github.com/sigstore/gh-action-sigstore-python/pull/220))
+
+### Fixed
+
+* Fixed incompatibility with Python 3.14 by upgrading dependencies
+  ([#225](https://github.com/sigstore/gh-action-sigstore-python/pull/225))
+
+### Added
+
+* `rekor-version` argument was added to control the Rekor transparency log
+  version when signing. The default version in the gh-action-sigstore-python
+  3.x series will remain 1 (except when using `staging: true`).
+  ([#228](https://github.com/sigstore/gh-action-sigstore-python/pull/228))
+
+
 ## [3.0.1]
 
 ### Changed
diff --git a/README.md b/README.md
@@ -36,7 +36,7 @@ jobs:
           persist-credentials: false
       - name: install
         run: python -m pip install .
-      - uses: sigstore/gh-action-sigstore-python@v3.0.1
+      - uses: sigstore/gh-action-sigstore-python@v3.1.0
         with:
           inputs: file.txt
 ```
@@ -60,15 +60,15 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t
 To sign one or more files:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file0.txt file1.txt file2.txt
 ```
 
 The `inputs` argument also supports file globbing:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: ./path/to/inputs/*.txt
 ```
@@ -77,7 +77,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using
 POSIX shell lexing rules:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: |
       ./path/to/inputs/*.txt
@@ -97,7 +97,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci
 workflow will use the credentials found in the GitHub Actions environment.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
@@ -113,7 +113,7 @@ Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     oidc-client-id: alternative-sigstore-id
@@ -129,7 +129,7 @@ Connect Server during OAuth2.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     oidc-client-secret: alternative-sigstore-secret
@@ -145,7 +145,7 @@ instead of the default production instances.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     staging: true
@@ -168,7 +168,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     verify: true
@@ -191,7 +191,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`.
 Supplying it without `verify-oidc-issuer` will produce an error.
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     verify: true
@@ -216,7 +216,7 @@ Supplying it without `verify-cert-identity` will produce an error.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     verify: true
@@ -238,7 +238,7 @@ workflow artifact retention period is used.
 Example:
 
 ```yaml
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     upload-signing-artifacts: true
@@ -265,7 +265,7 @@ permissions:
 
 # ...
 
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
   with:
     inputs: file.txt
     release-signing-artifacts: true
@@ -281,7 +281,7 @@ permissions:
 # ...
 
 # no explicit settings needed, signs all pre-existing release artifacts
-- uses: sigstore/gh-action-sigstore-python@v3.0.1
+- uses: sigstore/gh-action-sigstore-python@v3.1.0
 ```
 
 ### Internal options
@@ -305,7 +305,7 @@ permissions:
   Example:
 
   ```yaml
-  - uses: sigstore/gh-action-sigstore-python@v3.0.1
+  - uses: sigstore/gh-action-sigstore-python@v3.1.0
     with:
       inputs: file.txt
       internal-be-careful-debug: true
