Jussi Kukkonen
aa0e2b6535
Merge pull request #2503 from theupdateframework/dependabot/github_actions/ossf/scorecard-action-2.3.1
2023-10-25 09:30:02 +03:00
dependabot[bot]
173fc82ef7
build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](483ef80eb9...0864cf1902)
---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-24 10:50:14 +00:00
Jussi Kukkonen
fb73521982
Merge pull request #2497 from theupdateframework/dependabot/pip/black-23.10.0
build(deps): bump black from 23.9.1 to 23.10.0
2023-10-19 17:53:39 +03:00
dependabot[bot]
39e35e9d1d
build(deps): bump black from 23.9.1 to 23.10.0
Bumps [black](https://github.com/psf/black) from 23.9.1 to 23.10.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.9.1...23.10.0)
---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-19 08:06:44 +00:00
Jussi Kukkonen
60770d1346
Merge pull request #2495 from theupdateframework/dependabot/pip/urllib3-2.0.7
build(deps): bump urllib3 from 2.0.6 to 2.0.7
2023-10-19 11:06:00 +03:00
Jussi Kukkonen
eda52147d1
Merge pull request #2496 from theupdateframework/dependabot/pip/mypy-1.6.1
build(deps): bump mypy from 1.6.0 to 1.6.1
2023-10-19 11:05:01 +03:00
Jussi Kukkonen
d132dd822a
Merge pull request #2498 from theupdateframework/dependabot/github_actions/actions/checkout-4.1.1
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
2023-10-19 11:04:27 +03:00
dependabot[bot]
2764851c88
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8ade135a41...b4ffde65f4)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:10:55 +00:00
dependabot[bot]
57354a517e
build(deps): bump mypy from 1.6.0 to 1.6.1
Bumps [mypy](https://github.com/python/mypy) from 1.6.0 to 1.6.1.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.6.0...v1.6.1)
---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:42 +00:00
dependabot[bot]
89bb82271a
build(deps): bump urllib3 from 2.0.6 to 2.0.7
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7)
---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:37 +00:00
Lukas Pühringer
f04dc716cb
Merge pull request #2492 from lukpueh/release-3.1.0
Release python-tuf 3.1.0
2023-10-16 09:15:10 +02:00
Jussi Kukkonen
ed521c0e20
Merge pull request #2490 from theupdateframework/dependabot/pip/mypy-1.6.0
build(deps): bump mypy from 1.5.1 to 1.6.0
2023-10-13 14:09:13 +03:00
Lukas Puehringer
c0c21ca52f
Release python-tuf 3.1.0
* Update changelog
* Bump version
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-13 10:23:07 +02:00
Jussi Kukkonen
6fed68bcce
Merge pull request #2491 from lukpueh/rm-obsolete-fixtures
2023-10-11 16:43:49 +03:00
Lukas Puehringer
438518f68c
tests: remove unused and obsolete test metadata
- metadata.staged: related to a removed tutorial and outdated deployment recommendation
- project: related to the removed developer_tool (#1790)
- map.json: related to TAP4, which is not supported by python-tuf
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-11 15:09:09 +02:00
dependabot[bot]
f8562879a0
build(deps): bump mypy from 1.5.1 to 1.6.0
Bumps [mypy](https://github.com/python/mypy) from 1.5.1 to 1.6.0.
- [Commits](https://github.com/python/mypy/compare/v1.5.1...v1.6.0)
---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 10:03:35 +00:00
Lukas Pühringer
038ecd65dc
Merge pull request #2488 from jku/revert-scorecard-pinning
workflows: Partially revert action versions
2023-10-10 09:20:02 +02:00
Jussi Kukkonen
d5c953d575
workflows: Partially revert action versions
Commit f0058259 started not pinning hashes for actions that are used in
workflows that have no runtime or build security impact.
The change does not work for scorecard as scorecard does not tag "v2":
so we have to pin it. Luckily scorecard does not do that many releases.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-09 18:40:56 +03:00
Jussi Kukkonen
00b67c0a67
Merge pull request #2479 from jku/dont-pin-code-scanner-actions
workflows: Stop pinning actions that are not security relevant
2023-10-09 11:03:45 +03:00
Jussi Kukkonen
c7f3f6b5da
Merge pull request #2484 from theupdateframework/dependabot/github_actions/actions/setup-python-4.7.1
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
2023-10-09 11:00:31 +03:00
Jussi Kukkonen
37503f0804
Merge pull request #2482 from theupdateframework/dependabot/pip/coverage-7.3.2
build(deps): bump coverage from 7.3.1 to 7.3.2
2023-10-09 10:56:38 +03:00
Jussi Kukkonen
34b7c4bc04
Merge pull request #2486 from theupdateframework/dependabot/pip/pylint-3.0.1
build(deps): bump pylint from 2.17.7 to 3.0.1
2023-10-09 10:55:43 +03:00
dependabot[bot]
f26e2b24c9
build(deps): bump pylint from 2.17.7 to 3.0.1
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.7 to 3.0.1.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.7...v3.0.1)
---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-06 10:48:03 +00:00
Jussi Kukkonen
4ba5436a50
Merge pull request #2485 from theupdateframework/dependabot/pip/securesystemslib-cryptopynacl--0.30.0
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
2023-10-04 13:51:51 +03:00
dependabot[bot]
2e9321e3bd
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
Bumps [securesystemslib[crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.29.0 to 0.30.0.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.29.0...v0.30.0)
---
updated-dependencies:
- dependency-name: securesystemslib[crypto,pynacl]
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-04 10:29:02 +00:00
Lukas Pühringer
e24faf213c
Merge pull request #2481 from lukpueh/signing-status
Metadata API: add get_verification_result method
2023-10-04 11:40:54 +02:00
dependabot[bot]
cf3445c22f
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](61a6322f88...65d7f2d534)
---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 11:01:32 +00:00
dependabot[bot]
b6fc566a6e
build(deps): bump coverage from 7.3.1 to 7.3.2
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.1...7.3.2)
---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 10:16:45 +00:00
Lukas Puehringer
a55756327b
Metadata API: add get_verification_result method
The method returns detailed information about signature verification of
a delegated role metadata.
Its implementation is taken from the verify_delegate method and slightly
updated. verify_delegate now is a thin wrapper on top of
get_verification_result.
fixes #2449
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-authored-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-03 12:05:39 +02:00
Jussi Kukkonen
87f9f9134e
Merge pull request #2480 from theupdateframework/dependabot/pip/requirements/urllib3-2.0.6
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
2023-10-03 09:55:04 +03:00
dependabot[bot]
2549321b96
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/v2.0.5...2.0.6)
---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 00:23:50 +00:00
Jussi Kukkonen
1856ff980f
Merge pull request #2476 from theupdateframework/dependabot/pip/cffi-1.16.0
build(deps): bump cffi from 1.15.1 to 1.16.0
2023-10-02 14:08:43 +03:00
dependabot[bot]
1ed83c9fe3
build(deps): bump cffi from 1.15.1 to 1.16.0
Bumps [cffi](https://github.com/python-cffi/cffi) from 1.15.1 to 1.16.0.
- [Release notes](https://github.com/python-cffi/cffi/releases)
- [Commits](https://github.com/python-cffi/cffi/compare/v1.15.1...v1.16.0)
---
updated-dependencies:
- dependency-name: cffi
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 11:01:33 +00:00
Jussi Kukkonen
4a4128190f
Merge pull request #2477 from theupdateframework/dependabot/pip/charset-normalizer-3.3.0
build(deps): bump charset-normalizer from 3.2.0 to 3.3.0
2023-10-02 14:00:07 +03:00
Jussi Kukkonen
3c1cf659b6
Merge pull request #2478 from theupdateframework/dependabot/pip/pylint-2.17.7
build(deps): bump pylint from 2.17.6 to 2.17.7
2023-10-02 13:59:05 +03:00
dependabot[bot]
e359d21066
build(deps): bump pylint from 2.17.6 to 2.17.7
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.6 to 2.17.7.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.6...v2.17.7)
---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 10:47:23 +00:00
dependabot[bot]
0c569eb3ae
build(deps): bump charset-normalizer from 3.2.0 to 3.3.0
Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/Ousret/charset_normalizer/releases)
- [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Ousret/charset_normalizer/compare/3.2.0...3.3.0)
---
updated-dependencies:
- dependency-name: charset-normalizer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 10:47:08 +00:00
Jussi Kukkonen
f005825955
workflows: Stop pinning actions that are not security relevant
These workflows have no real security relevance (runtime build or test)
in the sense that a compromise in the dependencies could compromise
python-tuf security:
* scorecards
* dependency-review
* codeql-analysis
Stop pinning the actions used in them (except the common actions that
are used everywhere like actions/checkout: use the same version of
those everywhere). The benefit here is fewer Dependabot PRs: If we had
done this from the start we'd have skipped ~70 PRs by now.
The interesting permissions used in these workflows are
* security-events: write
This can add things onto the "Security" tab in GitHub
* id-token: write
This allows OIDC authentication, but only as this specific workflow
These permissions look completely acceptable to me.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-02 13:34:24 +03:00
Jussi Kukkonen
ba1f322559
Merge pull request #2474 from lukpueh/rm-obsolete-comments
Remove obsolete comments from Python 2.7 times
2023-09-28 13:36:27 +03:00
Lukas Pühringer
1d8b57ba71
Merge pull request #2458 from theupdateframework/dependabot/pip/coverage-7.3.1
build(deps): bump coverage from 7.2.7 to 7.3.1
2023-09-28 11:43:38 +02:00
Lukas Puehringer
9894d735a9
Remove obsolete comments from Python 2.7 times
We no longer run 2.7 tests (_test.yml) and we no longer need per-version
requirements files (main.txt).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-09-28 11:40:29 +02:00
dependabot[bot]
81487170f3
build(deps): bump coverage from 7.2.7 to 7.3.1
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.2.7 to 7.3.1.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.2.7...7.3.1)
---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-28 09:29:42 +00:00
Lukas Pühringer
ad1bbe65df
Merge pull request #2460 from jku/drop-3.7-support
Drop support for Python 3.7
2023-09-28 11:28:13 +02:00
Jussi Kukkonen
74f2cfe54b
Merge pull request #2470 from theupdateframework/dependabot/pip/pylint-2.17.6
build(deps): bump pylint from 2.17.5 to 2.17.6
2023-09-26 13:55:57 +03:00
dependabot[bot]
65efc693c3
build(deps): bump pylint from 2.17.5 to 2.17.6
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.5 to 2.17.6.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.5...v2.17.6)
---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-26 10:49:01 +00:00
Jussi Kukkonen
b7c956cd01
Merge pull request #2469 from theupdateframework/dependabot/github_actions/actions/checkout-4.1.0
build(deps): bump actions/checkout from 4.0.0 to 4.1.0
2023-09-26 12:00:53 +03:00
dependabot[bot]
aaea6c29ab
build(deps): bump actions/checkout from 4.0.0 to 4.1.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](3df4ab11eb...8ade135a41)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 10:56:33 +00:00
Jussi Kukkonen
cf7489491d
Merge pull request #2465 from theupdateframework/dependabot/github_actions/github/codeql-action-2.21.8
build(deps): bump github/codeql-action from 2.21.7 to 2.21.8
2023-09-25 13:50:06 +03:00
Jussi Kukkonen
457f046afa
Merge pull request #2467 from theupdateframework/dependabot/pip/urllib3-2.0.5
build(deps): bump urllib3 from 2.0.4 to 2.0.5
2023-09-25 13:49:31 +03:00
Jussi Kukkonen
bd4470b911
Merge pull request #2466 from theupdateframework/dependabot/pip/cryptography-41.0.4
build(deps): bump cryptography from 41.0.3 to 41.0.4
2023-09-25 13:48:32 +03:00