Commit graph

60 commits

Author SHA1 Message Date
dependabot[bot]
b869320624
build(deps): bump github/codeql-action from 2.1.14 to 2.1.15
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.14 to 2.1.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](41a4ada31b...3f62b754e2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-29 10:37:50 +00:00
dependabot[bot]
fbe30683dd
build(deps): bump github/codeql-action from 2.1.13 to 2.1.14
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.13 to 2.1.14.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](d00e8c09a3...41a4ada31b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-23 12:59:20 +00:00
dependabot[bot]
efc530a932
build(deps): bump github/codeql-action from 2.1.12 to 2.1.13
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.12 to 2.1.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](27ea8f8fe5...d00e8c09a3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-21 10:21:08 +00:00
dependabot[bot]
190e9e1f69
build(deps): bump actions/dependency-review-action from 2.0.0 to 2.0.2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](97790d29c7...1c59cdf2a9)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-16 10:24:53 +00:00
Jussi Kukkonen
c89cb50b83
Merge pull request #2026 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
2022-06-16 09:47:16 +03:00
dependabot[bot]
d05a2f8d2f
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.2 to 2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](a9c83d3af6...97790d29c7)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 10:27:51 +00:00
Joshua Lock
6678d2f76a Add workflow for codeql analysis
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-06-15 10:19:35 +01:00
dependabot[bot]
94b08faade
build(deps): bump actions/setup-python from 3.1.2 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.2 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3.1.2...d09bd5e6005b175076f227b13d9730d56e9dcfcb)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 10:22:16 +00:00
Jussi Kukkonen
cfcc0c3f0f
Merge pull request #1974 from naveensrinivasan/Dependency-Review-Action
chore: Dependency Review Action
2022-06-06 16:30:12 +03:00
naveensrinivasan
a5afebd1ab
Changed the tags to SHA
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-06-02 07:01:45 -05:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](6673cd052c...3cea537223)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 10:23:02 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](9ac08808f9...7a5c598405)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-13 10:17:47 +00:00
Jussi Kukkonen
7c0de84f26 Update maintainers permission checklist
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
  permissions

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Lukas Puehringer
0b0c55b1df Restrict cd permissions to contents: write
This is the minimum permission needed to create/modify GH releases.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
db471a5fd5 Refactor ci/cd workflows
Prior to this change, ci triggered cd, depending on the event that
triggered ci. Due to the vague information about that event
available to cd, the workflow pipeline was a bit brittle.

This change disassociates ci and cd workflows to allow for an
independent configuration of trigger events.

The test jobs, which used to be defined in ci, are now in a
separate workflow file _test.yml that can be included in both ci
and cd workflows.

**Changes in ci**
- Only defines trigger events and permissions, the "meat" of ci is
  defined in the called _test.yml now.
- No longer triggers on tag pushes, this was only needed for cd.

**Changes in cd**
- Now triggers directly on tag pushes instead of (cd)-workflow_run.
- Calls _test.yml, and requires a successful run before build/release.
  (`needs: test` replaces `if: ...`)
- Changes variable names about pushed tag that triggered the event.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
38b774e0eb Refactor ci/cd workflows (WIP)
This is an intermediate commit for easier review. See subsequent
commit for details.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Naveen
0c0206d1c0
chore: Dependency Review Action
Dependency review is a tool that helps you identify and fix vulnerabilities in your dependencies. By checking the dependency reviews in a pull request and changing any dependencies that are flagged as vulnerable, the project can avoid vulnerabilities being added to your project. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-24 15:15:24 -05:00
dependabot[bot]
68fd8a1cc6
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 10:19:38 +00:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
Lukas Puehringer
b99d0432a7 build: minor updates in CI/CD workflow files
- polish code comments
- wrap long lines

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:25 +02:00
dependabot[bot]
4d54629293
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](21c0493ecf...98f2ad02fd)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-20 06:58:22 +00:00
dependabot[bot]
65d1b87a2f
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-15 10:16:40 +00:00
dependabot[bot]
156e535dcf
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](9c644ca2ab...21c0493ecf)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 10:19:18 +00:00
Lukas Puehringer
a1a71c11a1 build: update CI/CD workflow to run in series
- Change CI workflow to also run on push to (release) tag
- Change CD workflow to run on successful CI run, and only if a
  (release) tag push triggered the CI

NOTE: Unfortunately the setup is not very robust
      (see code comment in cd.yml)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:15:39 +02:00
Lukas Puehringer
5bfe897335 build: update CD workflow to create GH release
- Create preliminary GitHub release (X.Y.Z-rc) in 'build' job,
  using popular 3rd-party 'softprops/action-gh-release'.
- Finalize GH release in 'release' job using custom GH script.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:56 +02:00
Lukas Puehringer
faef040407 build: add GH workflow to build + release on PyPI
Add workflow with two jobs to build and publish on PyPI.  The
release job waits for the build job and uses a custom release
environment, which can be configured to require review.

To share the build artifacts between the jobs and to make them
available for intermediate review, they are stored using
'actions/upload-artifact' and 'actions/download-artifact'.
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts

To upload the build artifacts to PyPI, the PyPA recommended
'pypa/gh-action-pypi-publish' is used.
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

**Caveat**
The URL to grab the artifacts, e.g. for review, requires knowledge
of action ID and artifact ID, and a login token (no special
permissions). This makes it a bit cumbersome to fetch the artifacts
with a script and compare them to a local build.
https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:13 +02:00
dependabot[bot]
b0a73e41c6
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](0ebf233433...9c644ca2ab)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 10:21:57 +00:00
dependabot[bot]
38b5e07f62
build(deps): bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 10:21:30 +00:00
dependabot[bot]
311120a192
build(deps): bump actions/setup-python from 2.3.2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](7f80679172...0ebf233433)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 10:21:10 +00:00
Lukas Pühringer
fc9b42fa5d
Merge pull request #1871 from lukpueh/rm-authors-txt
doc: update acknowledgements and rm AUTHORS.txt
2022-02-16 13:29:09 +01:00
Lukas Puehringer
c5e787c328 CI: remind to update contributor acknowledgement
Add optional task to maintainer permission review reminder
checklist that suggests to also update the list of significant
contributors in README.md#acknowledgements.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-16 11:09:25 +01:00
Jussi Kukkonen
d806b62e03 github: Update github-script to 6.0.0
The big change is runtime update from nodejs 12 to nodejs 16: does not
seem to affect us.

Dependabot got confused so this update is done manually to v6.0.0
release commit:
https://github.com/actions/github-script/releases/tag/v6.0.0

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-16 10:13:41 +02:00
Jussi Kukkonen
92e49ad2a1 github: Pin actions hashes
This allows us to control when our workflows change.
Dependabot should now open PRs when the actions update.

This still leaves the actual OS image as a variable but Github does not
support pinning that: we'd have to start using our own containers (and
installing our own pythons, etc) to do that -- not worth the trouble.

Fixes #1826

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-07 15:32:23 +02:00
Jussi Kukkonen
1a59b292f4 Revert "github: disable pip caching temporarily"
This reverts commit 55d6cb47da.

According to changelog setup-python v2.3.2 should include a workaround
for the issue.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-05 12:30:31 +02:00
lukpueh
67e2b24a6c
Merge pull request #1821 from jku/disable-pip-cache
github: disable pip caching temporarily
2022-02-04 09:51:16 +01:00
Jussi Kukkonen
55d6cb47da github: disable pip caching temporarily
setup-python fails on Windows currently
(https://github.com/actions/virtual-environments/issues/5009)
Disable caching to work around the failure.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-04 09:19:25 +02:00
Jussi Kukkonen
b0524e53dc CI: Add yearly reminder issue to review maintainers
This is easy to forget:
 * there are multiple different critical services
 * some permissions are not visible to everyone

but review is important as every maintainer account increases attack surface.
So let's remind ourselves once a year.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-01-27 15:03:37 +02:00
Martin Vrachev
0f59f4b749 Drop support for python version 3.6
Python version 3.6 was supported until December 23rd 2021, meaning it
reached its end of life more than 20 days ago.
Dropping support for python version 3.6 will allow us to remove
OrderedDicts.

After a quick check I saw that Warehouse targets python version 3.8.2:
- their docker file: https://github.com/pypa/warehouse/blob/main/Dockerfile#L47
- https://github.com/pypa/warehouse/blob/main/.python-version
- last pr updating pr version: https://github.com/pypa/warehouse/pull/7828
Pip supports python version 3.7+ as well. They dropped python 3.6 a
couple of months ago:
https://github.com/pypa/pip/pull/10641

This means it shouldn't cause headache to our users if we drop python
version 3.6 too.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-01-19 17:11:18 +02:00
Kairo de Araujo
2f93e9d0a2 Add workflows permissions
read the contents and write (open) issues

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 10:11:56 +01:00
Kairo de Araujo
852bd02bbe Improve the logs output
Minor changes to the console logs add versioning and simplify when
they are logged.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 09:35:49 +01:00
Kairo de Araujo
93f7dc0a76 Fix query syntax
Fix query syntax that was missing the repository parameter

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 08:51:40 +01:00
Kairo de Araujo
2f4565e100 Add to CI check for specification version.
This commit adds to the CI an automatic check for the TUF
specification version and compares it with the python-tuf metadata
API version.

If the version does not match and there is not an issue already open,
a new issue is opened.

Closes #1598

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 08:51:40 +01:00
Jussi Kukkonen
f7006f5df0 CI: Use builtin package cache support
actions/setup-python now supports pip cache: use that instead of
handling cache locations manually.

Cache invalidates when any requirements file changes (same as before):
this is a bit overcautious but probably harder to break.

Fixes #1692

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-12-09 13:03:18 +02:00
Jussi Kukkonen
6744f6a9c7
Merge pull request #1652 from jku/limit-github-token-visibility
GH actions: limit GitHub token visibility
2021-11-17 10:06:31 +02:00
Jussi Kukkonen
e073fea819 github: explicitly set workflow permissions
* current workflow only needs to read git content
* if the workflow in the future does need write access, it's good to
  see permissions explicitly changing

For context: "pull_request" runs never have write access anyway, so this
significantly changes only the "push" runs that happen when branches are
merged to develop.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-11-04 11:39:05 +02:00
Jussi Kukkonen
15e84dfb2e GH actions: limit GitHub token visibility
Token should be visible to only the code that actually needs it.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-11-01 09:47:50 +02:00
Martin Vrachev
2e94e39275 Use quotes for python version for github workflows
Fix GitHub workflow failures by using quotes for python versions.
It seems that adding `3.10` as a number is transformed then to `3.1`
which as a result is translated to Python version 3.1 instead of Python
version 3.10.
This seems to work for other projects as well:
https://github.com/MasoniteFramework/masonite4/blob/master/.github/workflows/pythontest.yml
https://github.com/python-pillow/Pillow/blob/main/.github/workflows/test-windows.yml
https://github.com/PyGithub/PyGithub/blob/master/.github/workflows/ci.yml

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-21 14:32:05 +03:00
Martin Vrachev
6ff852ad0f Add support for python 3.10
Python 3.10 was released on October 4th 2021 and it seems
logical to add support for it as it doesn't require any major effort
from the project.

For reference read:
https://www.python.org/downloads/release/python-3100/

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-21 14:32:04 +03:00
Jussi Kukkonen
65fc968b7f CI: Do not require coveralls-fin to succeed
We already do not require individual build uploads to succeed: let's
also not require the final step to succeed.

The immediate context for this is that coveralls has been down for
three days now.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-20 12:51:32 +03:00