Commit graph

281 commits

Author SHA1 Message Date
dependabot[bot]
8eaa8dc377
build(deps): bump github/codeql-action from 2.2.7 to 2.2.8
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.7 to 2.2.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](168b99b3c2...67a35a0858)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-23 10:59:10 +00:00
dependabot[bot]
f98f94b46b
build(deps): bump pypa/gh-action-pypi-publish from 1.8.1 to 1.8.3
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.8.1 to 1.8.3.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](a3a3bafbb3...48b317d84d)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-23 10:59:06 +00:00
dependabot[bot]
12266d8fc6
build(deps): bump actions/dependency-review-action from 3.0.3 to 3.0.4
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](c090f4e553...f46c48ed6d)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 11:00:23 +00:00
Jussi Kukkonen
db027027ce
Merge pull request #2334 from theupdateframework/dependabot/github_actions/actions/checkout-3.4.0
build(deps): bump actions/checkout from 3.3.0 to 3.4.0
2023-03-20 10:40:11 +02:00
Jussi Kukkonen
73dae65e23
Merge pull request #2333 from theupdateframework/dependabot/github_actions/pypa/gh-action-pypi-publish-1.8.1
build(deps): bump pypa/gh-action-pypi-publish from 1.7.1 to 1.8.1
2023-03-20 10:22:49 +02:00
dependabot[bot]
a673ac3df5
build(deps): bump actions/checkout from 3.3.0 to 3.4.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ac59398561...24cb908017)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 08:21:35 +00:00
dependabot[bot]
b930e5328a
build(deps): bump github/codeql-action from 2.2.6 to 2.2.7
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](16964e90ba...168b99b3c2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 10:22:59 +00:00
dependabot[bot]
21d87de04a
build(deps): bump pypa/gh-action-pypi-publish from 1.7.1 to 1.8.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.7.1 to 1.8.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](22b4d1f125...a3a3bafbb3)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 10:22:42 +00:00
Lukas Pühringer
6df1146092
Merge pull request #2330 from theupdateframework/dependabot/github_actions/pypa/gh-action-pypi-publish-1.7.1
build(deps): bump pypa/gh-action-pypi-publish from 1.6.4 to 1.7.1
2023-03-15 13:10:08 +01:00
dependabot[bot]
8890b087cd
build(deps): bump github/codeql-action from 2.2.5 to 2.2.6
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.5 to 2.2.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](32dc499307...16964e90ba)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 11:01:00 +00:00
dependabot[bot]
a65568bfef
build(deps): bump pypa/gh-action-pypi-publish from 1.6.4 to 1.7.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.6.4 to 1.7.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](c7f29f7ade...22b4d1f125)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 11:00:55 +00:00
Shabeeb Khalid
b618394c5b
Removed unwanted variable from matrix
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:33:20 -08:00
Shabeeb Khalid
f06fa9d015
Removed unwanted variable from matrix
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:33:10 -08:00
Shabeeb Khalid
ccaa98a643
Refactor
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:31:57 -08:00
Shabeeb Khalid
ce14451bdc
Pass tox environment via command line
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:30:36 -08:00
Shabeeb Khalid
55c8fe0c9d
Removed unwanted env variable
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:30:02 -08:00
Shabeeb Khalid
95226edacb
Revert comment
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 10:29:12 -08:00
Shabeeb Khalid
2329e33c9c
Fix: exporting the correct toxenv in lint job
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-03 00:47:08 -08:00
Shabeeb Khalid
482802d030
Moved lint to seperate job. Some refactor as well.
Signed-off-by: Shabeeb Khalid <convey2shabeeb@gmail.com>
2023-03-02 11:02:02 -08:00
Lukas Puehringer
951ce045cd Adopt securesystemslib branch rename master-> main
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-03-02 09:35:14 +01:00
dependabot[bot]
3fd56facb0
build(deps): bump github/codeql-action from 2.2.4 to 2.2.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](17573ee1cc...32dc499307)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-27 11:02:26 +00:00
dependabot[bot]
ed05a2c66c
build(deps): bump github/codeql-action from 2.2.3 to 2.2.4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.3 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](8775e86802...17573ee1cc)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 11:05:51 +00:00
dependabot[bot]
15c0b40dce
build(deps): bump github/codeql-action from 2.2.2 to 2.2.3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.2 to 2.2.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](39d8d7e78f...8775e86802)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 10:03:50 +00:00
dependabot[bot]
932d72db3a
build(deps): bump github/codeql-action from 2.2.1 to 2.2.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3ebbd71c74...39d8d7e78f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-07 10:03:56 +00:00
Jussi Kukkonen
b15af9573a
Merge pull request #2290 from jku/release-refactor
build: Handle GH release manually
2023-02-06 15:09:25 +02:00
Jussi Kukkonen
70555f6e1b build: shorten requirements file names
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:52:07 +02:00
Jussi Kukkonen
33829fdbab build: Move requirements file to a directory
We already have 6 files and I'm planning to add another one: maybe it's
time to move these out of the top level directory.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:50:47 +02:00
Jussi Kukkonen
707dc49999 build: Handle GH release manually
Remove dependency on softprops/action-gh-release: instead do the GitHub
release steps using the GitHub API and github-script.

The only difference should be that release name is not "<tag>-rc" first:
instead the initial release is marked as draft in the API (and shows as
draft in the UI).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-04 17:32:56 +02:00
Jussi Kukkonen
4eea38da42
Merge pull request #2285 from theupdateframework/dependabot/github_actions/actions/github-script-6.4.0
build(deps): bump actions/github-script from 6.3.3 to 6.4.0
2023-02-02 12:56:21 +02:00
dependabot[bot]
f2fff33566
build(deps): bump actions/github-script from 6.3.3 to 6.4.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.3 to 6.4.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](d556feaca3...98814c53be)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-27 10:05:30 +00:00
dependabot[bot]
49b0385c40
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.39 to 2.2.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a34ca99b46...3ebbd71c74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-27 10:05:26 +00:00
Jussi Kukkonen
d2908c0041
Merge pull request #2269 from theupdateframework/dependabot/github_actions/actions/setup-python-4.5.0
build(deps): bump actions/setup-python from 4.4.0 to 4.5.0
2023-01-24 15:06:10 +02:00
dependabot[bot]
2a250df063
build(deps): bump github/codeql-action from 2.1.38 to 2.1.39
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](515828d974...a34ca99b46)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-19 10:04:05 +00:00
dependabot[bot]
4c3df14a50
build(deps): bump actions/setup-python from 4.4.0 to 4.5.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.4.0 to 4.5.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](5ccb29d877...d27e3f3d7c)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-13 10:50:28 +00:00
Lukas Pühringer
fa9761bb8f
Merge pull request #2259 from theupdateframework/dependabot/github_actions/actions/checkout-3.3.0
build(deps): bump actions/checkout from 3.2.0 to 3.3.0
2023-01-13 11:49:36 +01:00
Lukas Pühringer
cc6171b1d7
Merge pull request #2258 from theupdateframework/dependabot/github_actions/actions/download-artifact-3.0.2
build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2
2023-01-13 11:33:33 +01:00
dependabot[bot]
bfbfb55444
build(deps): bump actions/checkout from 3.2.0 to 3.3.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](755da8c3cf...ac59398561)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-13 10:32:56 +00:00
Lukas Pühringer
a4a4e1a3f9
Merge pull request #2262 from theupdateframework/dependabot/github_actions/actions/upload-artifact-3.1.2
build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2
2023-01-13 11:32:37 +01:00
Lukas Pühringer
7eb2cd0e16
Merge pull request #2261 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.3
build(deps): bump actions/dependency-review-action from 3.0.2 to 3.0.3
2023-01-13 11:31:42 +01:00
dependabot[bot]
373f527de3
build(deps): bump github/codeql-action from 2.1.37 to 2.1.38
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.37 to 2.1.38.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](959cbb7472...515828d974)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-13 10:04:32 +00:00
dependabot[bot]
d156bdf82f
build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](83fd05a356...0b7f8abb15)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-09 10:10:05 +00:00
dependabot[bot]
f9f9566ad2
build(deps): bump actions/dependency-review-action from 3.0.2 to 3.0.3
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0ff3da6f81...c090f4e553)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-09 10:10:00 +00:00
dependabot[bot]
671df68a6d
build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](9782bd6a98...9bc31d5ccc)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-06 10:04:00 +00:00
dependabot[bot]
6c07c7c414
build(deps): bump actions/dependency-review-action from 3.0.1 to 3.0.2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](11310527b4...0ff3da6f81)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-27 08:47:28 +00:00
Jussi Kukkonen
2acea003fc
Merge pull request #2245 from theupdateframework/dependabot/github_actions/ossf/scorecard-action-2.1.2
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2
2022-12-23 12:37:01 +02:00
dependabot[bot]
681c134e09
build(deps): bump actions/setup-python from 4.3.1 to 4.4.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.3.1 to 4.4.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](2c3dd9e7e2...5ccb29d877)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-23 10:22:10 +00:00
dependabot[bot]
483d31c7a9
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](937ffa90d7...e38b1902ae)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-22 10:06:51 +00:00
Lukas Pühringer
99b200eff8
Merge pull request #2226 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.37
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37
2022-12-16 10:19:00 +01:00
dependabot[bot]
ca67ed9f62
build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](99c53751e0...937ffa90d7)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-15 10:04:26 +00:00
dependabot[bot]
8f3f5713c6
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a669cc5936...959cbb7472)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-15 10:04:23 +00:00
dependabot[bot]
98991d8f50
build(deps): bump actions/checkout from 3.1.0 to 3.2.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](93ea575cb5...755da8c3cf)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-13 10:04:50 +00:00
dependabot[bot]
9fd45d923d
build(deps): bump github/codeql-action from 2.1.35 to 2.1.36
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b2a92eb56d...a669cc5936)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-12 10:07:12 +00:00
dependabot[bot]
205769d9bf
build(deps): bump actions/setup-python from 4.3.0 to 4.3.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](13ae5bb136...2c3dd9e7e2)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-09 17:50:35 +00:00
Jussi Kukkonen
b6c3b66ca6 build: Change build dependency pinning strategy
* don't autoupgrade pip: let's consider pip to be part of platform?
* pin build and tox in new requirements-build.txt: this mostly prevents
  tox from going to 4.x before we're ready
* use requirements-build.txt as constraint when installing tox or build
  during CI & CD
* use requirements-build.txt in requiremenets-dev.txt

Note that coveralls is not pinned, not sure if it should be.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-12-09 18:10:03 +02:00
dependabot[bot]
7f1ddebb71
build(deps): bump pypa/gh-action-pypi-publish from 1.6.1 to 1.6.4
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.6.1 to 1.6.4.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](5d1679fa6b...c7f29f7ade)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-07 10:04:26 +00:00
dependabot[bot]
63c384d9d7
build(deps): bump pypa/gh-action-pypi-publish from 1.5.1 to 1.6.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.5.1 to 1.6.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](37f50c210e...5d1679fa6b)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-05 10:08:50 +00:00
dependabot[bot]
07940a1f92
build(deps): bump github/codeql-action from 2.1.33 to 2.1.35
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.33 to 2.1.35.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2.1.33...b2a92eb56d8cb930006a1c6ed86b0782dd8a4297)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-02 10:04:16 +00:00
Jussi Kukkonen
f29d8471c8 workflows: Add Scorecards workflow
This is a modifed version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
  security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
  don't see it as the SARIF files are not very human readable

This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-22 18:15:56 +02:00
Lukas Pühringer
650796ee8d
Merge pull request #2182 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.1
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
2022-11-21 12:10:14 +01:00
dependabot[bot]
10ba3918a7
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](30d5821115...11310527b4)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:44 +00:00
dependabot[bot]
878b7ff4d9
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.32 to 2.1.33.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4238421316...678fc3afe2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:41 +00:00
Lukas Pühringer
7568fc6a8e
Merge pull request #2177 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.32
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
2022-11-17 09:54:31 +01:00
Jussi Kukkonen
3bc24ad2c3
Merge pull request #2159 from jku/permissions-tweaks
Github workflows: Permissions tweaks
2022-11-15 14:34:48 +02:00
dependabot[bot]
eb8c4263ce
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.31 to 2.1.32.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c3b6fce4ee...4238421316)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-15 10:04:06 +00:00
Jussi Kukkonen
5a4c7ad032
Merge pull request #2175 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.0
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
2022-11-14 14:34:09 +02:00
Jussi Kukkonen
eaa8224706
Merge pull request #2170 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.31
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
2022-11-14 14:09:42 +02:00
dependabot[bot]
bd03b32a9e
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0efb1d1d84...30d5821115)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-14 10:09:59 +00:00
Jussi Kukkonen
a6c3b487e3 workflows: Use setup-python to setup python in coveralls-fin
This makes the job just like all other jobs

Fixes #2172

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-08 18:54:16 +02:00
dependabot[bot]
8d0ae4f99d
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](18fe527fa8...c3b6fce4ee)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 10:08:46 +00:00
Jussi Kukkonen
b8326a245f
Merge pull request #2164 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.30
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
2022-11-04 14:12:16 +02:00
Jussi Kukkonen
0c07a84441
Merge pull request #2157 from jku/enable-py-3.11
build: Enable Python 3.11 in test matrix
2022-11-03 13:19:38 +02:00
dependabot[bot]
c12df73040
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ec3cf9c605...18fe527fa8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 10:03:51 +00:00
Jussi Kukkonen
b002860206 Github workflows: Only upload to pypi in upstream repo
This is not a security measure: it makes testing the CD/release workflow
(at least the non-pypi-upload parts) in a fork a little easier as the pypi
upload is skipped.

This does make testing the pypi upload even more difficult but maybe
that is acceptable?

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:14:23 +02:00
Jussi Kukkonen
327fcf8640 GitHub workflows: limit "content:write" to minimum
permissions can be defined on workflow and job level, but not on step level.
Currently permissions are defined at workflow level which is not ideal.
Create a new "release_candidate" job so that we can minimize the
"content:write" permission exposure.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:13:11 +02:00
Jussi Kukkonen
53521bfda0 workflows: Set top-level permissions
This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-30 12:56:22 +02:00
Jussi Kukkonen
5b59e7cfe6 build: Enable Python 3.11 in test matrix
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-27 17:35:00 +03:00
dependabot[bot]
5e42be8173
build(deps): bump github/codeql-action from 2.1.28 to 2.1.29
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.28 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cc7986c02b...ec3cf9c605)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 10:36:17 +00:00
Lukas Pühringer
080cf606da
Merge pull request #2150 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.1
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
2022-10-25 14:12:52 +02:00
dependabot[bot]
dac600fc8e
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](fd675ced9c...0efb1d1d84)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 10:21:49 +00:00
dependabot[bot]
2fa55a089c
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](3cea537223...83fd05a356)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 10:21:27 +00:00
Miles Liu
0a79245c43
ci: migrate deprecating set-output commands
Signed-off-by: Miles Liu <miles@bung.cc>
2022-10-24 15:46:44 +08:00
dependabot[bot]
68571fb887
build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](fb598a63ae...9782bd6a98)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-21 11:14:31 +00:00
dependabot[bot]
5fffbb0485
build(deps): bump github/codeql-action from 2.1.27 to 2.1.28
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.27 to 2.1.28.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](807578363a...cc7986c02b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 10:17:35 +00:00
Jussi Kukkonen
852f7a4101
Merge pull request #2139 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.0
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
2022-10-18 16:17:15 +03:00
dependabot[bot]
b8976bfd51
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](9c96258789...fd675ced9c)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 10:16:58 +00:00
dependabot[bot]
67a5fca932
build(deps): bump actions/github-script from 6.3.2 to 6.3.3
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.2 to 6.3.3.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](100527700e...d556feaca3)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 10:16:54 +00:00
Lukas Pühringer
7e51f356b3
Merge pull request #2134 from theupdateframework/dependabot/github_actions/actions/github-script-6.3.2
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
2022-10-12 14:21:06 +02:00
dependabot[bot]
2c56fc3532
build(deps): bump actions/dependency-review-action from 2.4.0 to 2.4.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](375c537008...9c96258789)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 10:19:15 +00:00
dependabot[bot]
39b823afe4
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.1 to 6.3.2.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](7dff1a8764...100527700e)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 10:19:05 +00:00
dependabot[bot]
76c0d6cec0
build(deps): bump actions/setup-python from 4.2.0 to 4.3.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](b55428b188...13ae5bb136)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 10:29:56 +00:00
Kairo de Araujo
869d23a9f2 Fix typo CD.yml
Fixed typo in CD.yml: 'candidate' instead ' candidate'.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-10-10 09:56:25 +02:00
dependabot[bot]
45f8096d97
build(deps): bump github/codeql-action from 2.1.26 to 2.1.27
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.26 to 2.1.27.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](e0e5ded33c...807578363a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-07 10:43:05 +00:00
dependabot[bot]
9907d4d38a
build(deps): bump actions/checkout from 3.0.2 to 3.1.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](2541b1294d...93ea575cb5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-04 10:45:28 +00:00
dependabot[bot]
903ad61a8e
build(deps): bump actions/github-script from 6.2.0 to 6.3.1
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.2.0 to 6.3.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](c713e510db...7dff1a8764)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 09:39:02 +00:00
dependabot[bot]
99b9246db7
build(deps): bump github/codeql-action from 2.1.25 to 2.1.26
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.25 to 2.1.26.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](86f3159a69...e0e5ded33c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-30 10:18:27 +00:00
dependabot[bot]
e7ab8d56b6
build(deps): bump actions/dependency-review-action from 2.1.0 to 2.4.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.1.0 to 2.4.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](23d1ffffb6...375c537008)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 10:56:29 +00:00
dependabot[bot]
849a44d655
build(deps): bump github/codeql-action from 2.1.24 to 2.1.25
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.24 to 2.1.25.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](904260d7d9...86f3159a69)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-22 10:33:20 +00:00
dependabot[bot]
6b89263932
build(deps): bump github/codeql-action from 2.1.22 to 2.1.24
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.22 to 2.1.24.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b398f525a5...904260d7d9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 10:21:33 +00:00
dependabot[bot]
afd47391f4
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 10:25:06 +00:00
dependabot[bot]
a2cbdd23a1
build(deps): bump github/codeql-action from 2.1.21 to 2.1.22
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.1.22.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c7f292ea4f...b398f525a5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-02 10:22:03 +00:00
Lukas Puehringer
b83c738373 chore: fix error in spec version check workflow
Use `--upgrade` option to upgrade pip with pip in workflow, instead
of non-existing `-u` option (-U would also be possible).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 14:19:12 +02:00
Lukas Puehringer
7baf1d3376 chore: misc setup-python changes in spec check job
1. update action/setup-python to latest version
2. pin major version to be used to 3.x
3. upgrade pip before using it

1 and 2 were suggested in #2089

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 09:44:19 +02:00
Radoslav Dimitrov
53f1611b74 chore: limit the permissions for the job calling the version check workflow
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:37:01 +02:00
Radoslav Dimitrov
0e6b928d9a chore: update the workflow responsible for notifying of new TUF spec release
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:36:59 +02:00
dependabot[bot]
de8f97f283
build(deps): bump actions/github-script from 6.1.1 to 6.2.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.1.1 to 6.2.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](d50f485531...c713e510db)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 10:24:16 +00:00
dependabot[bot]
3d1786da74
build(deps): bump github/codeql-action from 2.1.20 to 2.1.21
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.20 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7fee4ca032...c7f292ea4f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-26 10:16:29 +00:00
dependabot[bot]
90a2ec4804
build(deps): bump github/codeql-action from 2.1.19 to 2.1.20
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.19 to 2.1.20.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](f5d217be74...7fee4ca032)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 10:18:21 +00:00
Lukas Pühringer
0e04e3307f
Merge pull request #2080 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.19
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
2022-08-22 09:07:24 +02:00
dependabot[bot]
789dcef5f1
build(deps): bump actions/dependency-review-action from 2.0.4 to 2.1.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.4 to 2.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](94145f3150...23d1ffffb6)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-19 10:14:19 +00:00
dependabot[bot]
4528289ea2
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.18 to 2.1.19.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](2ca79b6fa8...f5d217be74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-19 10:14:16 +00:00
dependabot[bot]
e27dce0f5f
build(deps): bump actions/github-script from 6.1.0 to 6.1.1
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](7a5c598405...d50f485531)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 10:19:37 +00:00
dependabot[bot]
d442fa2d56
build(deps): bump github/codeql-action from 2.1.17 to 2.1.18
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.17 to 2.1.18.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0c670bbf04...2ca79b6fa8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-04 10:27:31 +00:00
dependabot[bot]
c524984be4
build(deps): bump actions/setup-python from 4.1.0 to 4.2.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](c4e89fac7e...b55428b188)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-03 10:19:48 +00:00
Lukas Pühringer
3108998f75
Merge pull request #2066 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.17
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
2022-08-01 12:11:25 +02:00
dependabot[bot]
3e1fa8b47e
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.16 to 2.1.17.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3e7e3b32d0...0c670bbf04)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 10:19:57 +00:00
dependabot[bot]
6edf9191de
build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](717ba43cfb...37f50c210e)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-27 16:36:56 +00:00
Lukas Pühringer
e00e854841
Merge pull request #2054 from theupdateframework/dependabot/github_actions/actions/setup-python-4.1.0
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
2022-07-19 11:26:37 +02:00
Lukas Pühringer
43f5db694d
Merge pull request #2057 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.0.4
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
2022-07-19 11:23:47 +02:00
dependabot[bot]
a49d8cbc8d
build(deps): bump github/codeql-action from 2.1.15 to 2.1.16
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.15 to 2.1.16.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3f62b754e2...3e7e3b32d0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 10:21:41 +00:00
dependabot[bot]
f617ae5d77
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.2 to 2.0.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](1c59cdf2a9...94145f3150)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 10:21:36 +00:00
dependabot[bot]
deb9633879
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](d09bd5e600...c4e89fac7e)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-12 10:20:32 +00:00
dependabot[bot]
b869320624
build(deps): bump github/codeql-action from 2.1.14 to 2.1.15
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.14 to 2.1.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](41a4ada31b...3f62b754e2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-29 10:37:50 +00:00
dependabot[bot]
fbe30683dd
build(deps): bump github/codeql-action from 2.1.13 to 2.1.14
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.13 to 2.1.14.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](d00e8c09a3...41a4ada31b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-23 12:59:20 +00:00
dependabot[bot]
efc530a932
build(deps): bump github/codeql-action from 2.1.12 to 2.1.13
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.12 to 2.1.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](27ea8f8fe5...d00e8c09a3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-21 10:21:08 +00:00
dependabot[bot]
190e9e1f69
build(deps): bump actions/dependency-review-action from 2.0.0 to 2.0.2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](97790d29c7...1c59cdf2a9)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-16 10:24:53 +00:00
Jussi Kukkonen
c89cb50b83
Merge pull request #2026 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
2022-06-16 09:47:16 +03:00
dependabot[bot]
d05a2f8d2f
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.2 to 2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](a9c83d3af6...97790d29c7)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 10:27:51 +00:00
Joshua Lock
6678d2f76a Add workflow for codeql analysis
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-06-15 10:19:35 +01:00
dependabot[bot]
94b08faade
build(deps): bump actions/setup-python from 3.1.2 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.2 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3.1.2...d09bd5e6005b175076f227b13d9730d56e9dcfcb)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 10:22:16 +00:00
Jussi Kukkonen
cfcc0c3f0f
Merge pull request #1974 from naveensrinivasan/Dependency-Review-Action
chore: Dependency Review Action
2022-06-06 16:30:12 +03:00
naveensrinivasan
a5afebd1ab
Changed the tags to SHA
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-06-02 07:01:45 -05:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](6673cd052c...3cea537223)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 10:23:02 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](9ac08808f9...7a5c598405)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-13 10:17:47 +00:00
Jussi Kukkonen
7c0de84f26 Update maintainers permission checklist
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
  permissions

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Lukas Puehringer
0b0c55b1df Restrict cd permissions to contents: write
This is the minimum permission needed to create/modify GH releases.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
db471a5fd5 Refactor ci/cd workflows
Prior to this change, ci triggered cd, depending on the event that
triggered ci. Due to the vague information about that event
available to cd, the workflow pipeline was a bit brittle.

This change disassociates ci and cd workflows to allow for an
independent configuration of trigger events.

The test jobs, which used to be defined in ci, are now in a
separate workflow file _test.yml that can be included in both ci
and cd workflows.

**Changes in ci**
- Only defines trigger events and permissions, the "meat" of ci is
  defined in the called _test.yml now.
- No longer triggers on tag pushes, this was only needed for cd.

**Changes in cd**
- Now triggers directly on tag pushes instead of (cd)-workflow_run.
- Calls _test.yml, and require successful run before build/release.
  (`needs: test` replaces `if: ...`)
- Changes variable names about pushed tag that triggered the event.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
38b774e0eb Refactor ci/cd workflows (WIP)
This is an intermediate commit for easier review. See subsequent
commit for details.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Naveen
0c0206d1c0
chore: Dependency Review Action
Dependency review is a tool that helps you identify and fix vulnerabilities in your dependencies. By checking the dependency reviews in a pull request and changing any dependencies that are flagged as vulnerable, the project can avoid vulnerabilities being added to your project. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-24 15:15:24 -05:00
dependabot[bot]
68fd8a1cc6
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 10:19:38 +00:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
Lukas Puehringer
b99d0432a7 build: minor updates in CI/CD workflow files
- polish code comments
- wrap long lines

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:25 +02:00
dependabot[bot]
4d54629293
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](21c0493ecf...98f2ad02fd)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-20 06:58:22 +00:00
dependabot[bot]
65d1b87a2f
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-15 10:16:40 +00:00
dependabot[bot]
156e535dcf
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](9c644ca2ab...21c0493ecf)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 10:19:18 +00:00
Lukas Puehringer
a1a71c11a1 build: update CI/CD workflow to run in series
- Change CI workflow to also run on push to (release) tag
- Change CD workflow to run on successful CI run, and only if a
  (release) tag push triggered the CI

NOTE: Unfortunately the setup is not very robust
      (see code comment in cd.yml)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:15:39 +02:00
Lukas Puehringer
5bfe897335 build: update CD workflow to create GH release
- Create preliminary GitHub release (X.Y.Z-rc) in 'build' job,
  using popular 3rd-party 'softprops/action-gh-release'.
- Finalize GH release in 'release' job using custom GH script.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:56 +02:00
Lukas Puehringer
faef040407 build: add GH workflow to build + release on PyPI
Add workflow with two jobs to build and publish on PyPI.  The
release job waits for the build job and uses a custom release
environment, which can be configured to require review.

To share the build artifacts between the jobs and to make them
available for intermediate review, they are stored using
'actions/upload-artifact' and 'actions/download-artifact'.
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts

To upload the build artifacts to PyPI, the PyPA recommended
'pypa/gh-action-pypi-publish' is used.
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

**Caveat**
The URL to grab the artifacts, e.g. for review, requires knowledge
of action ID and artifact ID, and a login token (no special
permissions). This makes it a bit cumbersome to fetch the artifacts
with a script and compare them to a local build.
https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:13 +02:00
dependabot[bot]
b0a73e41c6
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](0ebf233433...9c644ca2ab)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 10:21:57 +00:00
dependabot[bot]
38b5e07f62
build(deps): bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 10:21:30 +00:00