dependabot[bot]
6c07c7c414
build(deps): bump actions/dependency-review-action from 3.0.1 to 3.0.2
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](11310527b4...0ff3da6f81
2022-12-27 08:47:28 +00:00
Jussi Kukkonen
2acea003fc
Merge pull request #2245 from theupdateframework/dependabot/github_actions/ossf/scorecard-action-2.1.2
...
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2
2022-12-23 12:37:01 +02:00
dependabot[bot]
681c134e09
build(deps): bump actions/setup-python from 4.3.1 to 4.4.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 4.3.1 to 4.4.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](2c3dd9e7e2...5ccb29d877
2022-12-23 10:22:10 +00:00
dependabot[bot]
483d31c7a9
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](937ffa90d7...e38b1902ae
2022-12-22 10:06:51 +00:00
Lukas Pühringer
99b200eff8
Merge pull request #2226 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.37
...
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37
2022-12-16 10:19:00 +01:00
dependabot[bot]
ca67ed9f62
build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](99c53751e0...937ffa90d7
2022-12-15 10:04:26 +00:00
dependabot[bot]
8f3f5713c6
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.36 to 2.1.37.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](a669cc5936...959cbb7472
2022-12-15 10:04:23 +00:00
dependabot[bot]
98991d8f50
build(deps): bump actions/checkout from 3.1.0 to 3.2.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](93ea575cb5...755da8c3cf
2022-12-13 10:04:50 +00:00
dependabot[bot]
9fd45d923d
build(deps): bump github/codeql-action from 2.1.35 to 2.1.36
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.35 to 2.1.36.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b2a92eb56d...a669cc5936
2022-12-12 10:07:12 +00:00
dependabot[bot]
205769d9bf
build(deps): bump actions/setup-python from 4.3.0 to 4.3.1
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](13ae5bb136...2c3dd9e7e2
2022-12-09 17:50:35 +00:00
Jussi Kukkonen
b6c3b66ca6
build: Change build dependency pinning strategy
...
* don't autoupgrade pip: let's consider pip to be part of platform?
* pin build and tox in new requirements-build.txt: this mostly prevents
tox from going to 4.x before we're ready
* use requirements-build.txt as constraint when installing tox or build
during CI & CD
* use requirements-build.txt in requiremenets-dev.txt
Note that coveralls is not pinned, not sure if it should be.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-12-09 18:10:03 +02:00
dependabot[bot]
7f1ddebb71
build(deps): bump pypa/gh-action-pypi-publish from 1.6.1 to 1.6.4
...
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish ) from 1.6.1 to 1.6.4.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases )
- [Commits](5d1679fa6b...c7f29f7ade
2022-12-07 10:04:26 +00:00
dependabot[bot]
63c384d9d7
build(deps): bump pypa/gh-action-pypi-publish from 1.5.1 to 1.6.1
...
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish ) from 1.5.1 to 1.6.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases )
- [Commits](37f50c210e...5d1679fa6b
2022-12-05 10:08:50 +00:00
dependabot[bot]
07940a1f92
build(deps): bump github/codeql-action from 2.1.33 to 2.1.35
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.33 to 2.1.35.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v2.1.33...b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-12-02 10:04:16 +00:00
Jussi Kukkonen
f29d8471c8
workflows: Add Scorecards workflow
...
This is a modifed version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
don't see it as the SARIF files are not very human readable
This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/ . The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-22 18:15:56 +02:00
Lukas Pühringer
650796ee8d
Merge pull request #2182 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.1
...
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
2022-11-21 12:10:14 +01:00
dependabot[bot]
10ba3918a7
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](30d5821115...11310527b4
2022-11-17 10:11:44 +00:00
dependabot[bot]
878b7ff4d9
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.32 to 2.1.33.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4238421316...678fc3afe2
2022-11-17 10:11:41 +00:00
Lukas Pühringer
7568fc6a8e
Merge pull request #2177 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.32
...
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
2022-11-17 09:54:31 +01:00
Jussi Kukkonen
3bc24ad2c3
Merge pull request #2159 from jku/permissions-tweaks
...
Github workflows: Permissions tweaks
2022-11-15 14:34:48 +02:00
dependabot[bot]
eb8c4263ce
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.31 to 2.1.32.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c3b6fce4ee...4238421316
2022-11-15 10:04:06 +00:00
Jussi Kukkonen
5a4c7ad032
Merge pull request #2175 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.0
...
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
2022-11-14 14:34:09 +02:00
Jussi Kukkonen
eaa8224706
Merge pull request #2170 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.31
...
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
2022-11-14 14:09:42 +02:00
dependabot[bot]
bd03b32a9e
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](0efb1d1d84...30d5821115
2022-11-14 10:09:59 +00:00
Jussi Kukkonen
a6c3b487e3
workflows: Use setup-python to setup python in coveralls-fin
...
This makes the job just like all other jobs
Fixes #2172
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-08 18:54:16 +02:00
dependabot[bot]
8d0ae4f99d
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](18fe527fa8...c3b6fce4ee
2022-11-08 10:08:46 +00:00
Jussi Kukkonen
b8326a245f
Merge pull request #2164 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.30
...
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
2022-11-04 14:12:16 +02:00
Jussi Kukkonen
0c07a84441
Merge pull request #2157 from jku/enable-py-3.11
...
build: Enable Python 3.11 in test matrix
2022-11-03 13:19:38 +02:00
dependabot[bot]
c12df73040
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](ec3cf9c605...18fe527fa8
2022-11-03 10:03:51 +00:00
Jussi Kukkonen
b002860206
Github workflows: Only upload to pypi in upstream repo
...
This is not a security measure: it makes testing the CD/release workflow
(at least the non-pypi-upload parts) in a fork a little easier as the pypi
upload is skipped.
This does make testing the pypi upload even more difficult but maybe
that is acceptable?
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:14:23 +02:00
Jussi Kukkonen
327fcf8640
GitHub workflows: limit "content:write" to minimum
...
permissions can be defined on workflow and job level, but not on step level.
Currently permissions are defined at workflow level which is not ideal.
Create a new "release_candidate" job so that we can minimize the
"content:write" permission exposure.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:13:11 +02:00
Jussi Kukkonen
53521bfda0
workflows: Set top-level permissions
...
This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-30 12:56:22 +02:00
Jussi Kukkonen
5b59e7cfe6
build: Enable Python 3.11 in test matrix
...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-27 17:35:00 +03:00
dependabot[bot]
5e42be8173
build(deps): bump github/codeql-action from 2.1.28 to 2.1.29
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.28 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cc7986c02b...ec3cf9c605
2022-10-26 10:36:17 +00:00
Lukas Pühringer
080cf606da
Merge pull request #2150 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.1
...
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
2022-10-25 14:12:52 +02:00
dependabot[bot]
dac600fc8e
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](fd675ced9c...0efb1d1d84
2022-10-25 10:21:49 +00:00
dependabot[bot]
2fa55a089c
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](3cea537223...83fd05a356
2022-10-24 10:21:27 +00:00
Miles Liu
0a79245c43
ci: migrate deprecating set-output commands
...
Signed-off-by: Miles Liu <miles@bung.cc>
2022-10-24 15:46:44 +08:00
dependabot[bot]
68571fb887
build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](fb598a63ae...9782bd6a98
2022-10-21 11:14:31 +00:00
dependabot[bot]
5fffbb0485
build(deps): bump github/codeql-action from 2.1.27 to 2.1.28
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.27 to 2.1.28.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](807578363a...cc7986c02b
2022-10-19 10:17:35 +00:00
Jussi Kukkonen
852f7a4101
Merge pull request #2139 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.0
...
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
2022-10-18 16:17:15 +03:00
dependabot[bot]
b8976bfd51
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](9c96258789...fd675ced9c
2022-10-14 10:16:58 +00:00
dependabot[bot]
67a5fca932
build(deps): bump actions/github-script from 6.3.2 to 6.3.3
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.3.2 to 6.3.3.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](100527700e...d556feaca3
2022-10-14 10:16:54 +00:00
Lukas Pühringer
7e51f356b3
Merge pull request #2134 from theupdateframework/dependabot/github_actions/actions/github-script-6.3.2
...
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
2022-10-12 14:21:06 +02:00
dependabot[bot]
2c56fc3532
build(deps): bump actions/dependency-review-action from 2.4.0 to 2.4.1
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](375c537008...9c96258789
2022-10-12 10:19:15 +00:00
dependabot[bot]
39b823afe4
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.3.1 to 6.3.2.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](7dff1a8764...100527700e
2022-10-12 10:19:05 +00:00
dependabot[bot]
76c0d6cec0
build(deps): bump actions/setup-python from 4.2.0 to 4.3.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](b55428b188...13ae5bb136
2022-10-11 10:29:56 +00:00
Kairo de Araujo
869d23a9f2
Fix typo CD.yml
...
Fixed typo in CD.yml: 'candidate' instead ' candidate'.
Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-10-10 09:56:25 +02:00
dependabot[bot]
45f8096d97
build(deps): bump github/codeql-action from 2.1.26 to 2.1.27
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.26 to 2.1.27.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](e0e5ded33c...807578363a
2022-10-07 10:43:05 +00:00
dependabot[bot]
9907d4d38a
build(deps): bump actions/checkout from 3.0.2 to 3.1.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.0.2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](2541b1294d...93ea575cb5
2022-10-04 10:45:28 +00:00
