From a513fa49ad39f14af3f74d56ace1f26932abd11c Mon Sep 17 00:00:00 2001 From: Thomas Juul Dyhr Date: Wed, 1 Apr 2026 18:38:46 +0200 Subject: [PATCH] docs: add CHANGELOG entry for v1.0.1 CI and security fixes Documents PRs #127 (sigstore @v3.3.0), #128 (skip-existing PyPI), and #129 (black CVE-2026-32274) under a new [1.0.1] section. Co-Authored-By: Claude Sonnet 4.6 --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f79221..aa89ba2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.0.1] - 2026-04-01 + +### Fixed +- **CI: sigstore action version** (`@v3` → `@v3.3.0`): the `@v3` tag does not exist in + `sigstore/gh-action-sigstore-python`; updated to the latest available tag so the + Sign and Attach to GitHub Release job no longer fails (#127) +- **CI: production PyPI publish step** now includes `skip-existing: true`, matching the + TestPyPI step — prevents `400 Bad Request` errors when re-running the Release + workflow for a version already on PyPI (#128) + +### Security +- **`black` dev dependency** bumped `>=24.0` → `>=26.3.1` (CVE-2026-32274): Black + <26.3.1 writes cache files to attacker-controlled paths when `--python-cell-magics` + is passed with untrusted input (#129) + ## [1.0.0] - 2026-03-31 ### Fixed
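Review bot: the new `## [1.0.1] - 2026-04-01` heading uses the bracketed-link style of the surrounding `## [Unreleased]` and `## [1.0.0]` headings, so if the file keeps compare-link definitions for those versions at the bottom (the usual layout for a changelog that cites Semantic Versioning in its preamble), this hunk needs a matching `[1.0.1]: ...` definition too, otherwise the heading renders as plain text while the others link. Two smaller documentation points on the same hunk: the `### Security` entry for `black` names CVE-2026-32274 but gives no advisory link, so a reader cannot verify the `--python-cell-magics` cache-path description without leaving the file; and the `### Fixed` entry records `@v3` → `@v3.3.0`, which is still a mutable tag, so it would be worth stating whether the workflow now pins `sigstore/gh-action-sigstore-python` to a commit SHA (with the version in a comment) or only to the tag, since that is the detail a release-integrity reviewer will look for in a changelog entry about signing.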