Merge pull request #760 from sigstore/update-post11

Update post 0.11.0 release

Author: loosebazooka

build-logic/publishing/build.gradle.kts

@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.10.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.11.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }

gradle.properties

@@ -7,4 +7,4 @@ group=dev.sigstore
 # remember to also update version in
 # - SigstoreSignExtension.kt
 # - build-logic/publishing/build.gradle.kts 
-version=0.11.0
+version=0.12.0

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -44,7 +44,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("0.11.0")
+        sigstoreJavaVersion.convention("0.12.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,

sigstore-maven-plugin/README.md

@@ -1,19 +1,21 @@
-sigstore-maven-plugin
-=====================
+# sigstore-maven-plugin
 
 [![Maven Central](https://img.shields.io/maven-central/v/dev.sigstore/sigstore-maven-plugin.svg?label=Maven%20Central)](https://central.sonatype.com/artifact/dev.sigstore/sigstore-maven-plugin)
 
-This is a Maven plugin that can be used to use the "keyless" signing paradigm supported by Sigstore.
-This plugin is still in early phases, then has known limitations described below.
+A Maven plugin for signing artifacts with Sigstore
 
-sign
-----
+
+## Requirements
+
+* Java 11 (https://github.com/sigstore/sigstore-java requires Java 11)
+
+## Minimal usage
 
 ```xml
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
-        <version>0.4.0</version>
+        <version>0.11.0</version>
         <executions>
           <execution>
             <id>sign</id>
@@ -25,9 +27,22 @@ sign
       </plugin>
 ```
 
+### GitHub Actions OIDC support
+
+In order for the required environment variables to be available, the workflow requires the following permissions:
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+```
+
+See [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings) for details.
+
+
 Notes:
 
-- GPG: Maven Central publication rules require GPG signing each files: to avoid GPG signing of `.sigstore.json` files, just use version 3.1.0 minimum of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/).
+<!-- TBD: (uncomment when gpg adding exclusion from .sigstore.java - GPG: Maven Central publication rules require GPG signing each files: to avoid GPG signing of `.sigstore.json` files, just use version 3.X.X minimum of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/). -->
 - `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
 
 Known limitations: