smallstep
diff --git a/‎.github/workflows/actionci.yml‎
Lines changed: 24 additions & 0 deletions b/‎.github/workflows/actionci.yml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎.github/workflows/actionlint.yml‎
Lines changed: 0 additions & 17 deletions b/‎.github/workflows/actionlint.yml‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/code-scan-cron.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/code-scan-cron.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/publish-packages.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/publish-packages.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 13 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎.github/workflows/triage.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/triage.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/zizmor.yml‎
Lines changed: 12 additions & 0 deletions b/‎.github/zizmor.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 29 additions & 6 deletions b/‎.goreleaser.yml‎
Lines changed: 29 additions & 6 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 32 additions & 5 deletions b/‎CHANGELOG.md‎
Lines changed: 32 additions & 5 deletions
@@ -0,0 +1,24 @@
+name: Action CI
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "master"
+  pull_request:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  actionci:
+    permissions:
+      contents: read
+      security-events: write
+    uses: smallstep/workflows/.github/workflows/actionci.yml@main
+    with:
+      zizmor-advanced-security: true
+    secrets: inherit
@@ -16,8 +16,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ci:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: smallstep/workflows/.github/workflows/goCI.yml@main
     with:
       only-latest-golang: false
 
@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main
@@ -23,7 +23,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.tag }}
           fetch-depth: 0
 
@@ -6,13 +6,22 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: write
+
 jobs:
   ci:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     uses: smallstep/certificates/.github/workflows/ci.yml@master
     secrets: inherit
 
   create_release:
     name: Create Release
+    permissions:
+      contents: write
     needs: ci
     runs-on: ubuntu-latest
     env:
@@ -25,9 +34,11 @@ jobs:
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
@@ -45,7 +56,7 @@ jobs:
           echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
 
@@ -10,6 +10,10 @@ on:
       - opened
       - reopened
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   triage:
     uses: smallstep/workflows/.github/workflows/triage.yml@main
 
@@ -0,0 +1,12 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "smallstep/*": ref-pin
+  secrets-inherit:
+    disable: true
+  ref-confusion:
+    disable: true
+  dangerous-triggers:
+    ignore:
+      - triage.yml
@@ -120,9 +120,12 @@ checksum:
 
 signs:
 - cmd: cosign
-  signature: "${artifact}.sig"
-  certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
+  signature: "${artifact}.sigstore.json"
+  args:
+    - "sign-blob"
+    - "--bundle=${signature}"
+    - "${artifact}"
+    - "--yes"
   artifacts: all
 
 publishers:
@@ -197,8 +200,7 @@ release:
 
     ```
     cosign verify-blob \
-      --certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem \
-      --signature step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
+      --bundle step-ca_darwin_{{ .Version }}_amd64.tar.gz.sigstore.json \
       --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
       --certificate-oidc-issuer https://token.actions.githubusercontent.com \
       step-ca_darwin_{{ .Version }}_amd64.tar.gz
@@ -253,6 +255,12 @@ winget:
     # Required.
     short_description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management."
 
+    # Package identifier.
+    #
+    # Default: Publisher.ProjectName
+    # Templates: allowed
+    package_identifier: Smallstep.step-ca
+
     # License name.
     #
     # Templates: allowed
@@ -269,6 +277,11 @@ winget:
     # Templates: allowed
     publisher_support_url: "https://github.com/smallstep/certificates/discussions"
 
+    # Privacy URL.
+    #
+    # Templates: allowed
+    privacy_url: "https://smallstep.com/privacy-policy/"
+
     # URL which is determined by the given Token (github, gitlab or gitea).
     #
     # Default depends on the client.
@@ -291,18 +304,28 @@ winget:
     # Your app's long description.
     #
     # Templates: allowed
-    description: ""
+    description: "step-ca is an online certificate authority for secure, automated certificate management. It issues X.509 and SSH certificates using protocols like ACME, OIDC, and SCEP."
 
     # License URL.
     #
     # Templates: allowed
     license_url: "https://github.com/smallstep/certificates/blob/master/LICENSE"
 
+    # Release notes.
+    #
+    # Templates: allowed
+    release_notes: "{{.Changelog}}"
+
     # Release notes URL.
     #
     # Templates: allowed
     release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}"
 
+    # Installation notes.
+    #
+    # Templates: allowed
+    installation_notes: "After installation, run 'step-ca --help' to get started. Documentation: https://smallstep.com/docs/step-ca"
+
     # Create the PR - for testing
     skip_upload: auto
 
 
@@ -25,7 +25,23 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
-### [x.y.z] - unreleased
+## [0.30.2] - 2026-03-22
+
+- Update golang.org/grpc to patch security advisory
+
+
+### [0.30.1] - 2026-03-18
+
+ - Fix release issue
+
+
+### [0.30.0] - 2026-03-18
+
+### Added
+
+- Warn when ACME provisioner is configured without a database (smallstep/certificates#2526)
+- Validate webhooks configured on the ca.json (smallstep/certificates#2570)
+- Add HTTP transport decorator (smallstep/certificates#2533)
 
 ### Changed
 
@@ -36,6 +52,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   ensuring consistent command execution. Commands can still be overridden via
   Kubernetes or Docker configuration when needed (smallstep/certificates#2493)
 
+### Fixed
+
+- Fix CRL IssuingDistributionPoint marshaling to correctly unset `OnlyContainsUserCerts` and `OnlyContainsCACerts` flags (smallstep/certificates#2511)
+- Fix CRL DER download content-disposition filename extension from `.der` to `.crl` (smallstep/certificates#2537)
+- Fix SSH agent KMS when CA is configured with Prometheus instrumented signer (smallstep/certificates#2379)
+- Return helpful error message when root certificate is not found (smallstep/certificates#1893)
+- Fix missing version number when building step-ca from source archive (smallstep/certificates#2513)
+- Fix potential panic if a certificate had an empty tcg-kp-AIKCertificate extended key usage (smallstep/certificates#2569)
+- Fix CA startup when configured with SCEP and Google Cloud CAS (smallstep/certificates#2517)
+- Close idle connections on client certificate renew (smallstep/certificates#2515)
+
+
 ## [0.29.0] - 2025-12-03
 
 ### Added
@@ -50,10 +78,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Use errgroup to shutdown services concurrently (smallstep/certificates#2343)
 
-### Deprecated
-
-### Removed
-
 ### Fixed
 
 - Fix process hanging after SIGTERM (smallstep/certificates#2338)
@@ -62,6 +86,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Security
 
+- Authorization Bypass in ACME and SCEP Provisioners (smallstep/certificates#2491)
+- Improper Authorization Check for SSH Certificate Revocation (smallstep/certificates#2491)
+
 
 ## [0.28.4] - 2025-07-13