requirements: sigstore ~3.0 #140
Signed-off-by: William Woodruff <william@trailofbits.com>
Looks good now. Key changes:
(NB: This doesn't enable the DSSE parts of sigstore-python, which are in 3.x. Enabling those with appropriate settings will probably require more design thought.)
FTR, the 2.x stream prints out deprecation warnings that would be fixed in 3.x per my understanding:

/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after
/home/runner/.local/lib/python3.10/site-packages/sigstore/sign.py:141: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after

Perhaps mention this in the change log as well?
Hmm, it's actually strange that those are in 2.x -- the 2.x series of sigstore-python should be using a sufficiently new version of But yeah, if you're seeing them with one but not the other, I'll include it in the release notes 🙂
I haven't tried. Just checked that you changed the corresponding line in v3.
+1
Thanks both! I'll prep the changelog and release today. (Longer-term, the value of this action is now a bit murky, since GitHub has attestation support directly built in with official actions. But that can be a separate discussion...)
(sigstore#134):
* schedule-selftest: reduce nagging
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#140):
* requirements: sigstore ~3.0
* selftest: update filenames
* action: update another path
* action: remove deprecated settings
* README: remove old docs
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#145):
* action: use a venv to prevent PEP 668 errors
* action: use sys.executable
* fight with Windows
* setup: minimum Python is 3.8 (This has been true for a while)
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#142):
* action: flip `release-signing-artifacts`
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#146):
* action: remove old output settings
* selftest: remove old test ref
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

Cleanup workflows (sigstore#148):
* Workflows: remove default input arg from action call
* workflows: Remove unnecessary selftest
  release-signing-artifacts defaults to "true" so the removed test now duplicates the previous test. We could try testing the release-signing-artifacts == "false" but that's a bit trickier since it could only be done in a release event...
* workflows: Drop recently removed job from needs-list
---------
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Prep 3.0.0 (sigstore#143):
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#152):
* build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group
---------
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

(sigstore#154):
* Fix remaining reference to 2.1.1 in README
---------
Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com>

(sigstore#151):
* Enable debugging also if ACTIONS_STEP_DEBUG==true
---------
Co-authored-by: rindeal <dev.rindeal@gmail.com>
Co-authored-by: William Woodruff <william@trailofbits.com>

Upgrade Dependencies:
* Update requirements.txt - upgrade sigstore 3.1, upgrade requests 2.32
---------
Signed-off-by: DK96-OS <69859316+DK96-OS@users.noreply.github.com>
The 3.x series is out. Let's see what breaks!