Merge pull request #145 from instructlab/dependabot/github_actions/sigstore/gh-action-sigstore-python-3.0.0

build(deps): bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0

Author: markmc

.github/workflows/pypi.yaml

@@ -110,11 +110,12 @@ jobs:
                   path: dist
 
             - name: "Sigstore sign package"
-              uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1
+              uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
               with:
                   inputs: |
                       ./dist/*.tar.gz
                       ./dist/*.whl
+                  release-signing-artifacts: false
 
             - name: "Upload artifacts and signatures to GitHub release"
               run: |
@@ -126,7 +127,7 @@ jobs:
             # gh-action-pypi-publish has no option to ignore them.
             - name: "Remove sigstore signatures before uploading to PyPI"
               run: |
-                  rm ./dist/*.sigstore
+                  rm ./dist/*.sigstore.json
 
             - name: "Upload to PyPI"
               uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0