Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0 (#8508)
Bumps
[sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python)
from 2.1.1 to 3.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/gh-action-sigstore-python/releases">sigstore/gh-action-sigstore-python's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h3>Added</h3>
<ul>
<li><code>inputs</code> now allows recursive globbing with
<code>**</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/106">#106</a>)</li>
</ul>
<h3>Removed</h3>
<ul>
<li>The following settings have been removed: <code>fulcio-url</code>,
<code>rekor-url</code>,
<code>ctfe</code>, <code>rekor-root-pubkey</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</li>
<li>The following output settings have been removed:
<code>signature</code>,
<code>certificate</code>, <code>bundle</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/146">#146</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>
<p><code>inputs</code> is now parsed according to POSIX shell lexing
rules, improving
the action's consistency when used with filenames containing whitespace
or other significant characters
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/104">#104</a>)</p>
</li>
<li>
<p><code>inputs</code> is now optional <em>if</em>
<code>release-signing-artifacts</code> is true
<em>and</em> the action's event is a <code>release</code> event. In this
case, the action
takes no explicit inputs, but signs the source archives already attached
to the associated release
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/110">#110</a>)</p>
</li>
<li>
<p>The default suffix has changed from <code>.sigstore</code> to
<code>.sigstore.json</code>,
per Sigstore's client specification
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p>
</li>
<li>
<p><code>release-signing-artifacts</code> now defaults to
<code>true</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/142">#142</a>)</p>
</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>
<p>The <code>release-signing-artifacts</code> setting no longer causes a
hard error
when used under the incorrect event
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/103">#103</a>)</p>
</li>
<li>
<p>Various deprecations present in <code>sigstore-python</code>'s 2.x
series have been
resolved
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p>
</li>
<li>
<p>This workflow now supports CI runners that use PEP 668 to constrain
global
package prefixes
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/145">#145</a>)</p>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md">sigstore/gh-action-sigstore-python's
changelog</a>.</em></p>
<blockquote>
<h2>[3.0.0]</h2>
<h3>Added</h3>
<ul>
<li><code>inputs</code> now allows recursive globbing with
<code>**</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/106">#106</a>)</li>
</ul>
<h3>Removed</h3>
<ul>
<li>The following settings have been removed: <code>fulcio-url</code>,
<code>rekor-url</code>,
<code>ctfe</code>, <code>rekor-root-pubkey</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</li>
<li>The following output settings have been removed:
<code>signature</code>,
<code>certificate</code>, <code>bundle</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/146">#146</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>
<p><code>inputs</code> is now parsed according to POSIX shell lexing
rules, improving
the action's consistency when used with filenames containing whitespace
or other significant characters
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/104">#104</a>)</p>
</li>
<li>
<p><code>inputs</code> is now optional <em>if</em>
<code>release-signing-artifacts</code> is true
<em>and</em> the action's event is a <code>release</code> event. In this
case, the action
takes no explicit inputs, but signs the source archives already attached
to the associated release
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/110">#110</a>)</p>
</li>
<li>
<p>The default suffix has changed from <code>.sigstore</code> to
<code>.sigstore.json</code>,
per Sigstore's client specification
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p>
</li>
<li>
<p><code>release-signing-artifacts</code> now defaults to
<code>true</code>
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/142">#142</a>)</p>
</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>
<p>The <code>release-signing-artifacts</code> setting no longer causes a
hard error
when used under the incorrect event
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/103">#103</a>)</p>
</li>
<li>
<p>Various deprecations present in <code>sigstore-python</code>'s 2.x
series have been
resolved
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/140">#140</a>)</p>
</li>
<li>
<p>This workflow now supports CI runners that use PEP 668 to constrain
global
package prefixes
(<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/pull/145">#145</a>)</p>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/f514d46b907ebcd5bedc05145c03b69c1edd8b46"><code>f514d46</code></a>
Prep 3.0.0 (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/143">#143</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/da238ad4806ad4bceff0a421e715ba34c3c4f962"><code>da238ad</code></a>
Cleanup workflows (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/148">#148</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/551a497f0abe7bcba261fd45a195f3d17eebb0c0"><code>551a497</code></a>
action: remove old output settings (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/146">#146</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/16fbe9a8d335cfde2d487c8c459707abdd1c3704"><code>16fbe9a</code></a>
action: flip <code>release-signing-artifacts</code> (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/142">#142</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/1ddeb829cc81aadc391a78096478d61db0dee7e6"><code>1ddeb82</code></a>
action: use a venv to prevent PEP 668 errors (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/145">#145</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/94661007ff419d4795b935732494905162e79738"><code>9466100</code></a>
requirements: sigstore ~3.0 (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/140">#140</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/26de7459ab0625282c11ecbcf6e65941b2886b09"><code>26de745</code></a>
schedule-selftest: reduce nagging (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/134">#134</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/4dde77f8178a041d4cd24f34a5624231b525513d"><code>4dde77f</code></a>
build(deps): bump the actions group with 1 update (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/111">#111</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/08a568c3d1b0d7483cb913510a741887d37c57e0"><code>08a568c</code></a>
Allow empty inputs with release artifacts (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/110">#110</a>)</li>
<li><a
href="https://github.com/sigstore/gh-action-sigstore-python/commit/8579d4832209d59081f278b17073a30dffc5da9a"><code>8579d48</code></a>
build(deps): bump the actions group with 1 update (<a
href="https://redirect.github.com/sigstore/gh-action-sigstore-python/issues/107">#107</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] authored Jul 16, 2024
1 parent 3bc89fe commit 1edeb9d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/ci-cd.yml
Expand Up @@ -406,7 +406,7 @@ jobs:
uses: pypa/gh-action-pypi-publish@release/v1
- name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v2.1.1
uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: >-
./dist/*.tar.gz
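Review bot: the `uses: sigstore/gh-action-sigstore-python@v3.0.0` line takes a major-version bump while leaving the rest of the "Sign the dists with Sigstore" step untouched, and the release notes quoted in the commit message list breaking changes that this one-line change does not account for. The default suffix moves from `.sigstore` to `.sigstore.json`, so any later step in `ci-cd.yml` that uploads or globs the signature files by the old suffix will silently match nothing. The `signature`, `certificate` and `bundle` outputs are gone, so any `steps.<id>.outputs.*` reference to them needs removing. `release-signing-artifacts` now defaults to `true`, so unless the step sets it explicitly the job will also sign the release source archives on `release` events. `inputs` is now lexed by POSIX shell rules, which is fine for the visible `./dist/*.tar.gz` but worth checking for the entries hidden below it. Please confirm the collapsed part of the step against these four points before merging. Separately, `@v3.0.0` is a mutable tag on a step that handles release signing; pinning to the full commit SHA of the release, with the version in a trailing comment, would keep a retagged release from changing what runs here.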