Tests now run from root dir so various coverage complications
can be removed.
Also remove the duplicate .coveragerc and rely on pyproject.toml
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
We don't strictly require 3.9 yet but likely should soon as the
container annotation features are nice.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* The conformance test suite is likely to still change quite a bit so
the workflow is not enabled on PRs yet
* The actual conformance client is copied from the tuf-conformance project
* This is mostly a test to see how things should work out, and a
demonstration of how the tuf-conformance project should be used
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The goal here is to have ruff enable new rulesets when new releases are
made without us having to do anything: we can then decide if we disable
or not.
* Enable a couple more rulesets (ERA, INP, T )
* Add a few individual ignores to tests and examples
* Default to enable all, disable the rulesets we don't want
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Remove executable flag from a couple of files
* Half of the test files have a shebang (but are
still not executable): remove the shebang
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
I'm not sure I agree with not using the parens in
raise SomeError
but being consistent is definitely better than not being consistent.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
There are several breaking changes coming up in securesystemslib on its
way to 1.0.
To not disrupt tuf users this patch constrains securesystemslib to not
update the current minor version.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Minor fixes were needed, the only possibly interesting one is
the one in RequestsFetcher (use "yield from").
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Remove bandit
* Add ruff ruleset "flake8-bandit"
* verify_release is now checked by bandit
* Avoid some asserts as suggested
* ignore a subprocess.run lint: it seems dumb
* ignore all bandit rules for tests and examples (just like before)
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Only leave E501 (line-too-long) disabled: There is a lot of embedded
test data that is not formatted according to the rules.
Fixes #2568
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- adopt changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files
Signed-off-by: E3E <ntanzill@purdue.edu>
Dependabot does not support `build-system.requires`. To get
reproducibility and auto-updates, we pin the version in a regular
requirements file and use it as constraint during build.
fixes: #2529
upstream issue: dependabot/dependabot-core#8465
h/t @jku
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
This is not tracked by dependabot so needs manual updates.
Manually tested by building with previous and new hatchling version
and diffing unzipped/untarred wheel and sdist.
There were no unexpected changes.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
* Python 3.7 is EOL.
* Our runtime dependencies are still ok with 3.7
* Testing dependencies have started requiring 3.8
Stop supporting and testing Python 3.7.
We could just stop testing Python 3.7 (while claiming to still support
it) but that seems like it'll lead to trouble: we will inevitably use
some 3.8 feature and then won't notice because we don't test 3.7 any
more.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is not tracked by dependabot so needs manual updates.
Manually tested: no unexpected changes in the release artifacts.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
We already have 6 files and I'm planning to add another one: maybe it's
time to move these out of the top level directory.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Double reasoning for this one:
* urllib3 now does have annotations
* since we don't import requests annotations (to avoid depending on typeshed)
urllib3 annotations are never needed: we don't use urllib3 directly
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Since v1.0.0 python-tuf is no longer beta software.
See https://pypi.org/classifiers/ for available classifiers.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Per PEP 621 this should be a table, not a string. This resolves failures
installing on systems with newer setuptools (v61.3.0 or newer:
https://setuptools.pypa.io/en/latest/history.html#v61-3-0).
Signed-off-by: Joshua Lock <jlock@vmware.com>
requests project does not maintain annotations: typeshed project tries
to do it for them, and releases the annotations as "types-requests".
There are two main problems:
* typeshed releases constantly: this means a lot of test dependency
updates
* typeshed releases are not tagged in git: updates are impossible to
review
The benefit we get from types-requests is minimal as there is very
little requests-related code and it does not change often.
Remove annotations to lower the test dependency update churn.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Building a specific release with specific build tools feels like the correct
choice for reproducibility in general. It's also practically required
as the hatchling version is embedded in the WHEEL file: this means
updating the build tool modifies the resulting build artifact.
Pin hatchling version. This version should be kept up-to-date: my
working assumption is that Dependabot will handle it.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
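
The check described in the hatchling commit messages above (build with the old and new build tool, unpack, diff), as an added example that is not part of python-tuf: it compares two wheel archives member by member and shows that only the `WHEEL` file differs. The package name `demo`, the wheel contents and the hatchling version strings are constructed sample data.

```python
import hashlib
import io
import zipfile

WHEEL_PATH = "demo-1.0.dist-info/WHEEL"  # constructed package name


def make_wheel(generator: str) -> bytes:
    """Build a minimal in-memory wheel (constructed sample, not a real release)."""
    files = {
        "demo/__init__.py": "VERSION = '1.0'\n",
        "demo-1.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: demo\n",
        WHEEL_PATH: f"Wheel-Version: 1.0\nGenerator: {generator}\nTag: py3-none-any\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            # Fixed timestamp so only file contents can differ between builds.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2020, 2, 2, 0, 0, 0)), text)
    return buf.getvalue()


def member_digests(wheel: bytes) -> dict:
    """Map each archive member to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def diff_wheels(old: bytes, new: bytes) -> dict:
    """Report members added, removed or changed between two wheels."""
    a, b = member_digests(old), member_digests(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def changed_lines(old: bytes, new: bytes, member: str) -> list:
    """Return (old_line, new_line) pairs that differ positionally in one member."""
    with zipfile.ZipFile(io.BytesIO(old)) as zo, zipfile.ZipFile(io.BytesIO(new)) as zn:
        lo = zo.read(member).decode().splitlines()
        ln = zn.read(member).decode().splitlines()
    return [(x, y) for x, y in zip(lo, ln) if x != y]


OLD = make_wheel("hatchling 1.0.0")  # constructed version strings
NEW = make_wheel("hatchling 1.1.0")
REPORT = diff_wheels(OLD, NEW)
```

On a real wheel the `RECORD` file changes as well, because it lists the hash of `WHEEL`.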