Commit graph

5929 commits

Author SHA1 Message Date
Lukas Pühringer
0b44de7cc9
Merge pull request #2508 from theupdateframework/dependabot/pip/mypy-1.7.0
build(deps): bump mypy from 1.6.1 to 1.7.0
2023-11-21 12:49:20 +01:00
Jussi Kukkonen
8ccaffe0fa
Merge pull request #2511 from theupdateframework/dependabot/github_actions/actions/github-script-7.0.1
build(deps): bump actions/github-script from 6.4.1 to 7.0.1
2023-11-20 13:19:15 +02:00
dependabot[bot]
4d6a9310ee
build(deps): bump actions/github-script from 6.4.1 to 7.0.1
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.4.1 to 7.0.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](d7906e4ad0...60a0d83039)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 10:13:14 +00:00
dependabot[bot]
1d60002916
build(deps): bump mypy from 1.6.1 to 1.7.0
Bumps [mypy](https://github.com/python/mypy) from 1.6.1 to 1.7.0.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.6.1...v1.7.0)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-13 10:34:31 +00:00
Jussi Kukkonen
6a682f4df8
Merge pull request #2507 from theupdateframework/dependabot/pip/black-23.11.0
build(deps): bump black from 23.10.1 to 23.11.0
2023-11-13 10:50:23 +02:00
dependabot[bot]
7302c5afe6
build(deps): bump black from 23.10.1 to 23.11.0
Bumps [black](https://github.com/psf/black) from 23.10.1 to 23.11.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.10.1...23.11.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-08 10:16:12 +00:00
Jussi Kukkonen
8533ea95ac
Merge pull request #2505 from theupdateframework/dependabot/pip/charset-normalizer-3.3.2
build(deps): bump charset-normalizer from 3.3.1 to 3.3.2
2023-11-03 12:36:27 +02:00
dependabot[bot]
d11fc4be7b
build(deps): bump charset-normalizer from 3.3.1 to 3.3.2
Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/Ousret/charset_normalizer/releases)
- [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.1...3.3.2)

---
updated-dependencies:
- dependency-name: charset-normalizer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-03 10:31:44 +00:00
Lukas Pühringer
61ceb82c46
Merge pull request #2506 from jku/lint-on-oldest-supported-python
CI: Run lint on oldest supported Python version
2023-11-03 11:30:15 +01:00
Jussi Kukkonen
33778942a3
CI: Run lint on oldest supported Python version
* This was suggested as best practice by a pylint developer
* Seems better than CI randomly breaking when GitHub updates
  Python version (and pylint starts applying new rules that we
  can't follow because that would break old Python versions)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-11-03 12:00:25 +02:00
Jussi Kukkonen
a73355e168
Merge pull request #2504 from theupdateframework/dependabot/pip/cryptography-41.0.5
build(deps): bump cryptography from 41.0.4 to 41.0.5
2023-10-26 11:20:41 +03:00
dependabot[bot]
dba2ebe60e
build(deps): bump cryptography from 41.0.4 to 41.0.5
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.4 to 41.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.4...41.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 10:32:08 +00:00
Jussi Kukkonen
52e6ee6db0
Merge pull request #2501 from theupdateframework/dependabot/pip/pylint-3.0.2
2023-10-25 09:35:14 +03:00
Jussi Kukkonen
967974fec6
Merge pull request #2500 from theupdateframework/dependabot/pip/charset-normalizer-3.3.1
2023-10-25 09:32:28 +03:00
dependabot[bot]
a37693df9a
build(deps): bump pylint from 3.0.1 to 3.0.2
Bumps [pylint](https://github.com/pylint-dev/pylint) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 06:31:55 +00:00
Jussi Kukkonen
dadca463ef
Merge pull request #2502 from theupdateframework/dependabot/pip/black-23.10.1
2023-10-25 09:30:38 +03:00
Jussi Kukkonen
aa0e2b6535
Merge pull request #2503 from theupdateframework/dependabot/github_actions/ossf/scorecard-action-2.3.1
2023-10-25 09:30:02 +03:00
dependabot[bot]
173fc82ef7
build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](483ef80eb9...0864cf1902)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-24 10:50:14 +00:00
dependabot[bot]
ca3e5ec5d8
build(deps): bump black from 23.10.0 to 23.10.1
Bumps [black](https://github.com/psf/black) from 23.10.0 to 23.10.1.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.10.0...23.10.1)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-24 10:22:26 +00:00
dependabot[bot]
ccad78f889
build(deps): bump charset-normalizer from 3.3.0 to 3.3.1
Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.0 to 3.3.1.
- [Release notes](https://github.com/Ousret/charset_normalizer/releases)
- [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.0...3.3.1)

---
updated-dependencies:
- dependency-name: charset-normalizer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 10:20:59 +00:00
Jussi Kukkonen
fb73521982
Merge pull request #2497 from theupdateframework/dependabot/pip/black-23.10.0
build(deps): bump black from 23.9.1 to 23.10.0
2023-10-19 17:53:39 +03:00
dependabot[bot]
39e35e9d1d
build(deps): bump black from 23.9.1 to 23.10.0
Bumps [black](https://github.com/psf/black) from 23.9.1 to 23.10.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.9.1...23.10.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-19 08:06:44 +00:00
Jussi Kukkonen
60770d1346
Merge pull request #2495 from theupdateframework/dependabot/pip/urllib3-2.0.7
build(deps): bump urllib3 from 2.0.6 to 2.0.7
2023-10-19 11:06:00 +03:00
Jussi Kukkonen
eda52147d1
Merge pull request #2496 from theupdateframework/dependabot/pip/mypy-1.6.1
build(deps): bump mypy from 1.6.0 to 1.6.1
2023-10-19 11:05:01 +03:00
Jussi Kukkonen
d132dd822a
Merge pull request #2498 from theupdateframework/dependabot/github_actions/actions/checkout-4.1.1
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
2023-10-19 11:04:27 +03:00
dependabot[bot]
2764851c88
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8ade135a41...b4ffde65f4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:10:55 +00:00
dependabot[bot]
57354a517e
build(deps): bump mypy from 1.6.0 to 1.6.1
Bumps [mypy](https://github.com/python/mypy) from 1.6.0 to 1.6.1.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:42 +00:00
dependabot[bot]
89bb82271a
build(deps): bump urllib3 from 2.0.6 to 2.0.7
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:37 +00:00
Lukas Pühringer
f04dc716cb
Merge pull request #2492 from lukpueh/release-3.1.0
Release python-tuf 3.1.0
2023-10-16 09:15:10 +02:00
Jussi Kukkonen
ed521c0e20
Merge pull request #2490 from theupdateframework/dependabot/pip/mypy-1.6.0
build(deps): bump mypy from 1.5.1 to 1.6.0
2023-10-13 14:09:13 +03:00
Lukas Puehringer
c0c21ca52f
Release python-tuf 3.1.0
* Update changelog
* Bump version

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-13 10:23:07 +02:00
Jussi Kukkonen
6fed68bcce
Merge pull request #2491 from lukpueh/rm-obsolete-fixtures
2023-10-11 16:43:49 +03:00
Lukas Puehringer
438518f68c
tests: remove unused and obsolete test metadata
- metadata.staged: related to a removed tutorial and outdated deployment
  recommendation
- project: related to the removed developer_tool (#1790)
- map.json: related to TAP4, which is not supported by python-tuf

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-11 15:09:09 +02:00
dependabot[bot]
f8562879a0
build(deps): bump mypy from 1.5.1 to 1.6.0
Bumps [mypy](https://github.com/python/mypy) from 1.5.1 to 1.6.0.
- [Commits](https://github.com/python/mypy/compare/v1.5.1...v1.6.0)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 10:03:35 +00:00
Lukas Pühringer
038ecd65dc
Merge pull request #2488 from jku/revert-scorecard-pinning
workflows: Partially revert action versions
2023-10-10 09:20:02 +02:00
Jussi Kukkonen
d5c953d575
workflows: Partially revert action versions
Commit f0058259 started not pinning hashes for actions that are used in
workflows that have no runtime or build security impact.

The change does not work for scorecard as scorecard does not tag "v2":
so we have to pin it. Luckily scorecard does not do that many releases.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-09 18:40:56 +03:00
Jussi Kukkonen
00b67c0a67
Merge pull request #2479 from jku/dont-pin-code-scanner-actions
workflows: Stop pinning actions that are not security relevant
2023-10-09 11:03:45 +03:00
Jussi Kukkonen
c7f3f6b5da
Merge pull request #2484 from theupdateframework/dependabot/github_actions/actions/setup-python-4.7.1
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
2023-10-09 11:00:31 +03:00
Jussi Kukkonen
37503f0804
Merge pull request #2482 from theupdateframework/dependabot/pip/coverage-7.3.2
build(deps): bump coverage from 7.3.1 to 7.3.2
2023-10-09 10:56:38 +03:00
Jussi Kukkonen
34b7c4bc04
Merge pull request #2486 from theupdateframework/dependabot/pip/pylint-3.0.1
build(deps): bump pylint from 2.17.7 to 3.0.1
2023-10-09 10:55:43 +03:00
dependabot[bot]
f26e2b24c9
build(deps): bump pylint from 2.17.7 to 3.0.1
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.7 to 3.0.1.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.7...v3.0.1)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-06 10:48:03 +00:00
Jussi Kukkonen
4ba5436a50
Merge pull request #2485 from theupdateframework/dependabot/pip/securesystemslib-cryptopynacl--0.30.0
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
2023-10-04 13:51:51 +03:00
dependabot[bot]
2e9321e3bd
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
Bumps [securesystemslib[crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.29.0 to 0.30.0.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.29.0...v0.30.0)

---
updated-dependencies:
- dependency-name: securesystemslib[crypto,pynacl]
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-04 10:29:02 +00:00
Lukas Pühringer
e24faf213c
Merge pull request #2481 from lukpueh/signing-status
Metadata API: add get_verification_result method
2023-10-04 11:40:54 +02:00
dependabot[bot]
cf3445c22f
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](61a6322f88...65d7f2d534)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 11:01:32 +00:00
dependabot[bot]
b6fc566a6e
build(deps): bump coverage from 7.3.1 to 7.3.2
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.1...7.3.2)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 10:16:45 +00:00
Lukas Puehringer
a55756327b
Metadata API: add get_verification_result method
The method returns detailed information about signature verification of
a delegated role metadata.

Its implementation is taken from the verify_delegate method and slightly
updated. verify_delegate now is a thin wrapper on top of
get_verification_result.

fixes #2449

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-authored-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-03 12:05:39 +02:00
Jussi Kukkonen
87f9f9134e
Merge pull request #2480 from theupdateframework/dependabot/pip/requirements/urllib3-2.0.6
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
2023-10-03 09:55:04 +03:00
dependabot[bot]
2549321b96
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/v2.0.5...2.0.6)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 00:23:50 +00:00
Jussi Kukkonen
1856ff980f
Merge pull request #2476 from theupdateframework/dependabot/pip/cffi-1.16.0
build(deps): bump cffi from 1.15.1 to 1.16.0
2023-10-02 14:08:43 +03:00