dependabot[bot]
a93182dfa0
build(deps): bump pylint from 2.15.5 to 2.15.6
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.15.5 to 2.15.6.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.15.5...v2.15.6)
---
updated-dependencies:
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-21 10:07:07 +00:00
Jussi Kukkonen
6856854f74
Merge pull request #2176 from theupdateframework/dependabot/pip/mypy-0.991
build(deps): bump mypy from 0.982 to 0.991
2022-11-21 10:39:06 +02:00
dependabot[bot]
b6133cc7bb
build(deps): bump mypy from 0.982 to 0.991
Bumps [mypy](https://github.com/python/mypy) from 0.982 to 0.991.
- [Release notes](https://github.com/python/mypy/releases)
- [Commits](https://github.com/python/mypy/compare/v0.982...v0.991)
---
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-minor
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-21 08:34:44 +00:00
Jussi Kukkonen
077602e3bb
Merge pull request #2187 from rogdex24/develop
verify_release: PEP 484 compliant annotations - Issue #2171
2022-11-21 10:32:25 +02:00
Abu Talha
21ed19c264
verify_release: PEP 484 compliant annotations
Signed-off-by: Abu Talha <itsabutalha@gmail.com>
2022-11-21 06:41:17 +00:00
Jussi Kukkonen
7f4ae24788
Merge pull request #2185 from lukpueh/fix-pypi-classifier
doc: update PyPI Development Status classifier
2022-11-20 15:50:32 +02:00
Lukas Puehringer
1980ca1f11
doc: update PyPI Development Status classifier
Since v1.0.0 python-tuf is no longer beta software.
See https://pypi.org/classifiers/ for available classifiers.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-11-18 14:23:37 +01:00
Lukas Pühringer
fb17922eac
Merge pull request #2183 from jku/no-limits
README: Remove limitations
2022-11-18 14:17:38 +01:00
Jussi Kukkonen
f56d5267ed
README: Remove limitations
There may be ways to unsafely use the client library, but the situation
should be significantly better now with ngclient:
* metadata writing is safer, more atomic
* non-root cached metadata is never trusted (so an inconsistent
cached repository is not a security issue)
* the cache locations are now clearly application
decisions (they are required Updater constructor args)
Move the notice to Updater module documentation.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-18 13:16:41 +02:00
Lukas Pühringer
a4d5cf49c9
Merge pull request #2181 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.33
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
2022-11-17 11:45:05 +01:00
dependabot[bot]
878b7ff4d9
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.32 to 2.1.33.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4238421316...678fc3afe2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:41 +00:00
Lukas Pühringer
7568fc6a8e
Merge pull request #2177 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.32
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
2022-11-17 09:54:31 +01:00
Lukas Pühringer
cd1c38d307
Merge pull request #2178 from lukpueh/change-security-contact
Update security policy to use new reporting
2022-11-16 14:49:12 +01:00
Lukas Puehringer
9a54677ee9
Update security policy to use new reporting
- Enabled new GitHub feature (beta) to privately report security
issues to all maintainers in repo settings.
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
- Updated security policy document to instruct reporters to use the
new reporting mechanism instead of email+pgp.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-11-15 17:01:16 +01:00
Jussi Kukkonen
3bc24ad2c3
Merge pull request #2159 from jku/permissions-tweaks
Github workflows: Permissions tweaks
2022-11-15 14:34:48 +02:00
dependabot[bot]
eb8c4263ce
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.31 to 2.1.32.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c3b6fce4ee...4238421316)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-15 10:04:06 +00:00
Jussi Kukkonen
5a4c7ad032
Merge pull request #2175 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.0
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
2022-11-14 14:34:09 +02:00
Jussi Kukkonen
eaa8224706
Merge pull request #2170 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.31
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
2022-11-14 14:09:42 +02:00
dependabot[bot]
bd03b32a9e
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0efb1d1d84...30d5821115)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-14 10:09:59 +00:00
Lukas Pühringer
7311808f11
Merge pull request #2173 from jku/fix-pip-cache-in-coveralls-fin
workflows: Use setup-python to setup python in coveralls-fin
2022-11-09 10:35:49 +01:00
Jussi Kukkonen
a6c3b487e3
workflows: Use setup-python to setup python in coveralls-fin
This makes the job just like all other jobs.
Fixes #2172
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-08 18:54:16 +02:00
dependabot[bot]
8d0ae4f99d
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](18fe527fa8...c3b6fce4ee)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 10:08:46 +00:00
Jussi Kukkonen
be6c561ec6
Merge pull request #2163 from theupdateframework/dependabot/pip/cryptography-38.0.3
build(deps): bump cryptography from 38.0.2 to 38.0.3
2022-11-04 14:12:45 +02:00
Jussi Kukkonen
b8326a245f
Merge pull request #2164 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.30
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
2022-11-04 14:12:16 +02:00
Jussi Kukkonen
0c07a84441
Merge pull request #2157 from jku/enable-py-3.11
build: Enable Python 3.11 in test matrix
2022-11-03 13:19:38 +02:00
dependabot[bot]
c12df73040
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ec3cf9c605...18fe527fa8)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 10:03:51 +00:00
dependabot[bot]
f85807287b
build(deps): bump cryptography from 38.0.2 to 38.0.3
Bumps [cryptography](https://github.com/pyca/cryptography) from 38.0.2 to 38.0.3.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/38.0.2...38.0.3)
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-02 11:07:28 +00:00
Jussi Kukkonen
98587c579e
Merge pull request #2075 from KOLANICH-libs/netloc
Supported `file` scheme without netloc.
2022-11-02 11:17:08 +02:00
Jussi Kukkonen
35a7dd58c5
RequestsFetcher: satisfy mypy with small fix
The typeshed annotations for requests say that the hostname could be None:
I think this is untrue but let's keep mypy happy.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 21:25:02 +03:00
KOLANICH
0c9c494261
Supported schemes without netloc.
Signed-off-by: KOLANICH <KOLANICH@users.noreply.github.com>
2022-10-31 21:23:56 +03:00
Jussi Kukkonen
b002860206
Github workflows: Only upload to pypi in upstream repo
This is not a security measure: it makes testing the CD/release workflow
(at least the non-pypi-upload parts) in a fork a little easier as the pypi
upload is skipped.
This does make testing the pypi upload even more difficult but maybe
that is acceptable?
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:14:23 +02:00
Jussi Kukkonen
327fcf8640
GitHub workflows: limit "content:write" to minimum
Permissions can be defined on workflow and job level, but not on step level.
Currently permissions are defined at workflow level which is not ideal.
Create a new "release_candidate" job so that we can minimize the
"content:write" permission exposure.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:13:11 +02:00
Jussi Kukkonen
53521bfda0
workflows: Set top-level permissions
This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-30 12:56:22 +02:00
Jussi Kukkonen
6b03ef43ae
Merge pull request #2158 from UDITBALUJA/develop
updated hatchling to current latest 1.11.1
2022-10-29 21:23:26 +03:00
UDITBALUJA
37313fbfc4
updated hatchling to current latest 1.11.1
Signed-off-by: UDITBALUJA <uditbaluja1000@gmail.com>
2022-10-29 19:27:53 +05:30
Jussi Kukkonen
ee3e2799d5
Merge pull request #2148 from theupdateframework/dependabot/pip/pylint-2.15.5
build(deps): bump pylint from 2.15.4 to 2.15.5
2022-10-28 15:49:33 +03:00
Jussi Kukkonen
5568565c65
Merge pull request #2154 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.29
build(deps): bump github/codeql-action from 2.1.28 to 2.1.29
2022-10-27 17:59:24 +03:00
Jussi Kukkonen
5b59e7cfe6
build: Enable Python 3.11 in test matrix
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-27 17:35:00 +03:00
Lukas Pühringer
9264ffc580
Merge pull request #2156 from lukpueh/fix-sec-audit-blog-post
Fix wrong count in security audit blog post
2022-10-26 17:41:02 +02:00
Lukas Puehringer
e4d0c6d6df
Fix wrong count in security audit blog post
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-10-26 16:59:57 +02:00
Lukas Pühringer
9605a8218c
Merge pull request #2155 from joshuagl/joshuagl/audit-blog-post
Add post on python-tuf security audit by x41
2022-10-26 15:06:36 +02:00
Joshua Lock
8bb117a739
Add post on python-tuf security audit by x41
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-10-26 09:02:37 -04:00
dependabot[bot]
5e42be8173
build(deps): bump github/codeql-action from 2.1.28 to 2.1.29
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.28 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cc7986c02b...ec3cf9c605)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 10:36:17 +00:00
Lukas Pühringer
080cf606da
Merge pull request #2150 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.1
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
2022-10-25 14:12:52 +02:00
Lukas Pühringer
d03be1cf76
Merge pull request #2149 from theupdateframework/dependabot/github_actions/actions/upload-artifact-3.1.1
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
2022-10-25 14:05:00 +02:00
dependabot[bot]
dac600fc8e
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](fd675ced9c...0efb1d1d84)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 10:21:49 +00:00
dependabot[bot]
2fa55a089c
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](3cea537223...83fd05a356)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 10:21:27 +00:00
Jussi Kukkonen
eeefeb5675
Merge pull request #2147 from miles170/ci-migrate-set-output
ci: migrate deprecating set-output commands
2022-10-24 13:16:52 +03:00
dependabot[bot]
193bfcdc8d
build(deps): bump pylint from 2.15.4 to 2.15.5
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.15.4 to 2.15.5.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.15.4...v2.15.5)
---
updated-dependencies:
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 10:07:42 +00:00
Miles Liu
0a79245c43
ci: migrate deprecating set-output commands
Signed-off-by: Miles Liu <miles@bung.cc>
2022-10-24 15:46:44 +08:00