Commit graph

281 commits

Author SHA1 Message Date
dependabot[bot]
98991d8f50
build(deps): bump actions/checkout from 3.1.0 to 3.2.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](93ea575cb5...755da8c3cf)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-13 10:04:50 +00:00
dependabot[bot]
9fd45d923d
build(deps): bump github/codeql-action from 2.1.35 to 2.1.36
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b2a92eb56d...a669cc5936)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-12 10:07:12 +00:00
dependabot[bot]
205769d9bf
build(deps): bump actions/setup-python from 4.3.0 to 4.3.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](13ae5bb136...2c3dd9e7e2)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-09 17:50:35 +00:00
Jussi Kukkonen
b6c3b66ca6
build: Change build dependency pinning strategy
* don't autoupgrade pip: let's consider pip to be part of platform?
* pin build and tox in new requirements-build.txt: this mostly prevents
  tox from going to 4.x before we're ready
* use requirements-build.txt as constraint when installing tox or build
  during CI & CD
* use requirements-build.txt in requirements-dev.txt

Note that coveralls is not pinned, not sure if it should be.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-12-09 18:10:03 +02:00
dependabot[bot]
7f1ddebb71
build(deps): bump pypa/gh-action-pypi-publish from 1.6.1 to 1.6.4
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.6.1 to 1.6.4.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](5d1679fa6b...c7f29f7ade)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-07 10:04:26 +00:00
dependabot[bot]
63c384d9d7
build(deps): bump pypa/gh-action-pypi-publish from 1.5.1 to 1.6.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.5.1 to 1.6.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](37f50c210e...5d1679fa6b)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-05 10:08:50 +00:00
dependabot[bot]
07940a1f92
build(deps): bump github/codeql-action from 2.1.33 to 2.1.35
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.33 to 2.1.35.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2.1.33...b2a92eb56d8cb930006a1c6ed86b0782dd8a4297)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-02 10:04:16 +00:00
Jussi Kukkonen
f29d8471c8
workflows: Add Scorecards workflow
This is a modified version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
  security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
  don't see it as the SARIF files are not very human readable

This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-22 18:15:56 +02:00
Lukas Pühringer
650796ee8d
Merge pull request #2182 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.1
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
2022-11-21 12:10:14 +01:00
dependabot[bot]
10ba3918a7
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](30d5821115...11310527b4)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:44 +00:00
dependabot[bot]
878b7ff4d9
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.32 to 2.1.33.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4238421316...678fc3afe2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:41 +00:00
Lukas Pühringer
7568fc6a8e
Merge pull request #2177 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.32
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
2022-11-17 09:54:31 +01:00
Jussi Kukkonen
3bc24ad2c3
Merge pull request #2159 from jku/permissions-tweaks
Github workflows: Permissions tweaks
2022-11-15 14:34:48 +02:00
dependabot[bot]
eb8c4263ce
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.31 to 2.1.32.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c3b6fce4ee...4238421316)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-15 10:04:06 +00:00
Jussi Kukkonen
5a4c7ad032
Merge pull request #2175 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.0
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
2022-11-14 14:34:09 +02:00
Jussi Kukkonen
eaa8224706
Merge pull request #2170 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.31
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
2022-11-14 14:09:42 +02:00
dependabot[bot]
bd03b32a9e
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0efb1d1d84...30d5821115)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-14 10:09:59 +00:00
Jussi Kukkonen
a6c3b487e3
workflows: Use setup-python to setup python in coveralls-fin
This makes the job just like all other jobs

Fixes #2172

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-08 18:54:16 +02:00
dependabot[bot]
8d0ae4f99d
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](18fe527fa8...c3b6fce4ee)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 10:08:46 +00:00
Jussi Kukkonen
b8326a245f
Merge pull request #2164 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.30
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
2022-11-04 14:12:16 +02:00
Jussi Kukkonen
0c07a84441
Merge pull request #2157 from jku/enable-py-3.11
build: Enable Python 3.11 in test matrix
2022-11-03 13:19:38 +02:00
dependabot[bot]
c12df73040
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ec3cf9c605...18fe527fa8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 10:03:51 +00:00
Jussi Kukkonen
b002860206
Github workflows: Only upload to pypi in upstream repo
This is not a security measure: it makes testing the CD/release workflow
(at least the non-pypi-upload parts) in a fork a little easier as the pypi
upload is skipped.

This does make testing the pypi upload even more difficult but maybe
that is acceptable?

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:14:23 +02:00
Jussi Kukkonen
327fcf8640
GitHub workflows: limit "content:write" to minimum
Permissions can be defined on workflow and job level, but not on step level.
Currently permissions are defined at workflow level which is not ideal.
Create a new "release_candidate" job so that we can minimize the
"content:write" permission exposure.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:13:11 +02:00
Jussi Kukkonen
53521bfda0
workflows: Set top-level permissions
This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-30 12:56:22 +02:00
Jussi Kukkonen
5b59e7cfe6
build: Enable Python 3.11 in test matrix
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-27 17:35:00 +03:00
dependabot[bot]
5e42be8173
build(deps): bump github/codeql-action from 2.1.28 to 2.1.29
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.28 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cc7986c02b...ec3cf9c605)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 10:36:17 +00:00
Lukas Pühringer
080cf606da
Merge pull request #2150 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.1
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
2022-10-25 14:12:52 +02:00
dependabot[bot]
dac600fc8e
build(deps): bump actions/dependency-review-action from 2.5.0 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](fd675ced9c...0efb1d1d84)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 10:21:49 +00:00
dependabot[bot]
2fa55a089c
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](3cea537223...83fd05a356)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 10:21:27 +00:00
Miles Liu
0a79245c43
ci: migrate deprecating set-output commands
Signed-off-by: Miles Liu <miles@bung.cc>
2022-10-24 15:46:44 +08:00
dependabot[bot]
68571fb887
build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](fb598a63ae...9782bd6a98)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-21 11:14:31 +00:00
dependabot[bot]
5fffbb0485
build(deps): bump github/codeql-action from 2.1.27 to 2.1.28
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.27 to 2.1.28.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](807578363a...cc7986c02b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 10:17:35 +00:00
Jussi Kukkonen
852f7a4101
Merge pull request #2139 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.5.0
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
2022-10-18 16:17:15 +03:00
dependabot[bot]
b8976bfd51
build(deps): bump actions/dependency-review-action from 2.4.1 to 2.5.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](9c96258789...fd675ced9c)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 10:16:58 +00:00
dependabot[bot]
67a5fca932
build(deps): bump actions/github-script from 6.3.2 to 6.3.3
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.2 to 6.3.3.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](100527700e...d556feaca3)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 10:16:54 +00:00
Lukas Pühringer
7e51f356b3
Merge pull request #2134 from theupdateframework/dependabot/github_actions/actions/github-script-6.3.2
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
2022-10-12 14:21:06 +02:00
dependabot[bot]
2c56fc3532
build(deps): bump actions/dependency-review-action from 2.4.0 to 2.4.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](375c537008...9c96258789)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 10:19:15 +00:00
dependabot[bot]
39b823afe4
build(deps): bump actions/github-script from 6.3.1 to 6.3.2
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.1 to 6.3.2.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](7dff1a8764...100527700e)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 10:19:05 +00:00
dependabot[bot]
76c0d6cec0
build(deps): bump actions/setup-python from 4.2.0 to 4.3.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](b55428b188...13ae5bb136)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 10:29:56 +00:00
Kairo de Araujo
869d23a9f2
Fix typo CD.yml
Fixed typo in CD.yml: 'candidate' instead ' candidate'.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-10-10 09:56:25 +02:00
dependabot[bot]
45f8096d97
build(deps): bump github/codeql-action from 2.1.26 to 2.1.27
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.26 to 2.1.27.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](e0e5ded33c...807578363a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-07 10:43:05 +00:00
dependabot[bot]
9907d4d38a
build(deps): bump actions/checkout from 3.0.2 to 3.1.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](2541b1294d...93ea575cb5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-04 10:45:28 +00:00
dependabot[bot]
903ad61a8e
build(deps): bump actions/github-script from 6.2.0 to 6.3.1
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.2.0 to 6.3.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](c713e510db...7dff1a8764)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 09:39:02 +00:00
dependabot[bot]
99b9246db7
build(deps): bump github/codeql-action from 2.1.25 to 2.1.26
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.25 to 2.1.26.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](86f3159a69...e0e5ded33c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-30 10:18:27 +00:00
dependabot[bot]
e7ab8d56b6
build(deps): bump actions/dependency-review-action from 2.1.0 to 2.4.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.1.0 to 2.4.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](23d1ffffb6...375c537008)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 10:56:29 +00:00
dependabot[bot]
849a44d655
build(deps): bump github/codeql-action from 2.1.24 to 2.1.25
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.24 to 2.1.25.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](904260d7d9...86f3159a69)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-22 10:33:20 +00:00
dependabot[bot]
6b89263932
build(deps): bump github/codeql-action from 2.1.22 to 2.1.24
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.22 to 2.1.24.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b398f525a5...904260d7d9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 10:21:33 +00:00
dependabot[bot]
afd47391f4
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 10:25:06 +00:00
dependabot[bot]
a2cbdd23a1
build(deps): bump github/codeql-action from 2.1.21 to 2.1.22
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.1.22.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c7f292ea4f...b398f525a5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-02 10:22:03 +00:00
Lukas Puehringer
b83c738373
chore: fix error in spec version check workflow
Use `--upgrade` option to upgrade pip with pip in workflow, instead
of non-existing `-u` option (-U would also be possible).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 14:19:12 +02:00
Lukas Puehringer
7baf1d3376
chore: misc setup-python changes in spec check job
1. update action/setup-python to latest version
2. pin major version to be used to 3.x
3. upgrade pip before using it

1 and 2 were suggested in #2089

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 09:44:19 +02:00
Radoslav Dimitrov
53f1611b74
chore: limit the permissions for the job calling the version check workflow
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:37:01 +02:00
Radoslav Dimitrov
0e6b928d9a
chore: update the workflow responsible for notifying of new TUF spec release
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:36:59 +02:00
dependabot[bot]
de8f97f283
build(deps): bump actions/github-script from 6.1.1 to 6.2.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.1.1 to 6.2.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](d50f485531...c713e510db)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 10:24:16 +00:00
dependabot[bot]
3d1786da74
build(deps): bump github/codeql-action from 2.1.20 to 2.1.21
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.20 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7fee4ca032...c7f292ea4f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-26 10:16:29 +00:00
dependabot[bot]
90a2ec4804
build(deps): bump github/codeql-action from 2.1.19 to 2.1.20
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.19 to 2.1.20.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](f5d217be74...7fee4ca032)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 10:18:21 +00:00
Lukas Pühringer
0e04e3307f
Merge pull request #2080 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.19
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
2022-08-22 09:07:24 +02:00
dependabot[bot]
789dcef5f1
build(deps): bump actions/dependency-review-action from 2.0.4 to 2.1.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.4 to 2.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](94145f3150...23d1ffffb6)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-19 10:14:19 +00:00
dependabot[bot]
4528289ea2
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.18 to 2.1.19.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](2ca79b6fa8...f5d217be74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-19 10:14:16 +00:00
dependabot[bot]
e27dce0f5f
build(deps): bump actions/github-script from 6.1.0 to 6.1.1
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](7a5c598405...d50f485531)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 10:19:37 +00:00
dependabot[bot]
d442fa2d56
build(deps): bump github/codeql-action from 2.1.17 to 2.1.18
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.17 to 2.1.18.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0c670bbf04...2ca79b6fa8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-04 10:27:31 +00:00
dependabot[bot]
c524984be4
build(deps): bump actions/setup-python from 4.1.0 to 4.2.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](c4e89fac7e...b55428b188)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-03 10:19:48 +00:00
Lukas Pühringer
3108998f75
Merge pull request #2066 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.17
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
2022-08-01 12:11:25 +02:00
dependabot[bot]
3e1fa8b47e
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.16 to 2.1.17.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3e7e3b32d0...0c670bbf04)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 10:19:57 +00:00
dependabot[bot]
6edf9191de
build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](717ba43cfb...37f50c210e)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-27 16:36:56 +00:00
Lukas Pühringer
e00e854841
Merge pull request #2054 from theupdateframework/dependabot/github_actions/actions/setup-python-4.1.0
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
2022-07-19 11:26:37 +02:00
Lukas Pühringer
43f5db694d
Merge pull request #2057 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.0.4
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
2022-07-19 11:23:47 +02:00
dependabot[bot]
a49d8cbc8d
build(deps): bump github/codeql-action from 2.1.15 to 2.1.16
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.15 to 2.1.16.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3f62b754e2...3e7e3b32d0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 10:21:41 +00:00
dependabot[bot]
f617ae5d77
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.2 to 2.0.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](1c59cdf2a9...94145f3150)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 10:21:36 +00:00
dependabot[bot]
deb9633879
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](d09bd5e600...c4e89fac7e)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-12 10:20:32 +00:00
dependabot[bot]
b869320624
build(deps): bump github/codeql-action from 2.1.14 to 2.1.15
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.14 to 2.1.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](41a4ada31b...3f62b754e2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-29 10:37:50 +00:00
dependabot[bot]
fbe30683dd
build(deps): bump github/codeql-action from 2.1.13 to 2.1.14
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.13 to 2.1.14.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](d00e8c09a3...41a4ada31b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-23 12:59:20 +00:00
dependabot[bot]
efc530a932
build(deps): bump github/codeql-action from 2.1.12 to 2.1.13
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.12 to 2.1.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](27ea8f8fe5...d00e8c09a3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-21 10:21:08 +00:00
dependabot[bot]
190e9e1f69
build(deps): bump actions/dependency-review-action from 2.0.0 to 2.0.2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](97790d29c7...1c59cdf2a9)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-16 10:24:53 +00:00
Jussi Kukkonen
c89cb50b83
Merge pull request #2026 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
2022-06-16 09:47:16 +03:00
dependabot[bot]
d05a2f8d2f
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.2 to 2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](a9c83d3af6...97790d29c7)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 10:27:51 +00:00
Joshua Lock
6678d2f76a Add workflow for codeql analysis
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-06-15 10:19:35 +01:00
dependabot[bot]
94b08faade
build(deps): bump actions/setup-python from 3.1.2 to 4
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.2 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v3.1.2...d09bd5e6005b175076f227b13d9730d56e9dcfcb)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 10:22:16 +00:00
Jussi Kukkonen
cfcc0c3f0f
Merge pull request #1974 from naveensrinivasan/Dependency-Review-Action
chore: Dependency Review Action
2022-06-06 16:30:12 +03:00
naveensrinivasan
a5afebd1ab
Changed the tags to SHA
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-06-02 07:01:45 -05:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](6673cd052c...3cea537223)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 10:23:02 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](9ac08808f9...7a5c598405)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-13 10:17:47 +00:00
Jussi Kukkonen
7c0de84f26 Update maintainers permission checklist
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
  permissions

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Lukas Puehringer
0b0c55b1df Restrict cd permissions to contents: write
This is the minimum permission needed to create/modify GH releases.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
db471a5fd5 Refactor ci/cd workflows
Prior to this change, ci triggered cd, depending on the event that
triggered ci. Due to the vague information about that event
available to cd, the workflow pipeline was a bit brittle.

This change disassociates ci and cd workflows to allow for an
independent configuration of trigger events.

The test jobs, which used to be defined in ci, are now in a
separate workflow file _test.yml that can be included in both ci
and cd workflows.

**Changes in ci**
- Only defines trigger events and permissions, the "meat" of ci is
  defined in the called _test.yml now.
- No longer triggers on tag pushes, this was only needed for cd.

**Changes in cd**
- Now triggers directly on tag pushes instead of (cd)-workflow_run.
- Calls _test.yml, and requires a successful run before build/release.
  (`needs: test` replaces `if: ...`)
- Changes variable names about pushed tag that triggered the event.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
38b774e0eb Refactor ci/cd workflows (WIP)
This is an intermediate commit for easier review. See subsequent
commit for details.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Naveen
0c0206d1c0
chore: Dependency Review Action
Dependency review is a tool that helps you identify and fix vulnerabilities in your dependencies. By checking the dependency reviews in a pull request and changing any dependencies that are flagged as vulnerable, the project can avoid vulnerabilities being added to your project. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-24 15:15:24 -05:00
dependabot[bot]
68fd8a1cc6
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 10:19:38 +00:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
Lukas Puehringer
b99d0432a7 build: minor updates in CI/CD workflow files
- polish code comments
- wrap long lines

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:25 +02:00
dependabot[bot]
4d54629293
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](21c0493ecf...98f2ad02fd)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-20 06:58:22 +00:00
dependabot[bot]
65d1b87a2f
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-15 10:16:40 +00:00
dependabot[bot]
156e535dcf
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](9c644ca2ab...21c0493ecf)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 10:19:18 +00:00
Lukas Puehringer
a1a71c11a1 build: update CI/CD workflow to run in series
- Change CI workflow to also run on push to (release) tag
- Change CD workflow to run on successful CI run, and only if a
  (release) tag push triggered the CI

NOTE: Unfortunately the setup is not very robust
      (see code comment in cd.yml)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:15:39 +02:00
Lukas Puehringer
5bfe897335 build: update CD workflow to create GH release
- Create preliminary GitHub release (X.Y.Z-rc) in 'build' job,
  using popular 3rd-party 'softprops/action-gh-release'.
- Finalize GH release in 'release' job using custom GH script.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:56 +02:00
Lukas Puehringer
faef040407 build: add GH workflow to build + release on PyPI
Add workflow with two jobs to build and publish on PyPI.  The
release job waits for the build job and uses a custom release
environment, which can be configured to require review.

To share the build artifacts between the jobs and to make them
available for intermediate review, they are stored using
'actions/upload-artifact' and 'actions/download-artifact'.
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts

To upload the build artifacts to PyPI, the PyPA recommended
'pypa/gh-action-pypi-publish' is used.
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

**Caveat**
The URL to grab the artifacts, e.g. for review, requires knowledge
of action ID and artifact ID, and a login token (no special
permissions). This makes it a bit cumbersome to fetch the artifacts
with a script and compare them to a local build.
https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:13 +02:00
dependabot[bot]
b0a73e41c6
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](0ebf233433...9c644ca2ab)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 10:21:57 +00:00
dependabot[bot]
38b5e07f62
build(deps): bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 10:21:30 +00:00
dependabot[bot]
311120a192
build(deps): bump actions/setup-python from 2.3.2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](7f80679172...0ebf233433)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 10:21:10 +00:00
Lukas Pühringer
fc9b42fa5d
Merge pull request #1871 from lukpueh/rm-authors-txt
doc: update acknowledgements and rm AUTHORS.txt
2022-02-16 13:29:09 +01:00
Lukas Puehringer
c5e787c328 CI: remind to update contributor acknowledgement
Add optional task to maintainer permission review reminder
checklist that suggests to also update the list of significant
contributors in README.md#acknowledgements.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-16 11:09:25 +01:00
Jussi Kukkonen
d806b62e03 github: Update github-script to 6.0.0
The big change is runtime update from nodejs 12 to nodejs 16: does not
seem to affect us.

Dependabot got confused so this update is done manually to v6.0.0
release commit:
https://github.com/actions/github-script/releases/tag/v6.0.0

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-16 10:13:41 +02:00
Jussi Kukkonen
92e49ad2a1 github: Pin actions hashes
This allows us to control when our workflows change.
Dependabot should now open PRs when the actions update.

This still leaves the actual OS image as a variable but Github does not
support pinning that: we'd have to start using our own containers (and
installing our own pythons, etc) to do that -- not worth the trouble.

Fixes #1826

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-07 15:32:23 +02:00
Jussi Kukkonen
1a59b292f4 Revert "github: disable pip caching temporarily"
This reverts commit 55d6cb47da.

According to changelog setup-python v2.3.2 should include a workaround
for the issue.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-05 12:30:31 +02:00
lukpueh
67e2b24a6c
Merge pull request #1821 from jku/disable-pip-cache
github: disable pip caching temporarily
2022-02-04 09:51:16 +01:00
Jussi Kukkonen
55d6cb47da github: disable pip caching temporarily
setup-python fails on Windows currently
(https://github.com/actions/virtual-environments/issues/5009)
Disable caching to workaround the failure.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-04 09:19:25 +02:00
Jussi Kukkonen
b0524e53dc CI: Add yearly reminder issue to review maintainers
This is easy to forget:
 * there are multiple different critical services
 * some permissions are not visible to everyone

but review is important as every maintainer account increases attack surface.
So let's remind ourselves once a year.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-01-27 15:03:37 +02:00
Martin Vrachev
0f59f4b749 Drop support for python version 3.6
Python version 3.6 was supported until December 23rd 2021, meaning its
end of life passed more than 20 days ago.
Dropping support for python version 3.6 will allow us to remove
OrderedDicts.

After a quick check I saw that Warehouse targets python version 3.8.2:
- their docker file: https://github.com/pypa/warehouse/blob/main/Dockerfile#L47
- https://github.com/pypa/warehouse/blob/main/.python-version
- last pr updating pr version: https://github.com/pypa/warehouse/pull/7828
Pip supports python version 3.7+ as well. They dropped python 3.6 a
couple of months ago:
https://github.com/pypa/pip/pull/10641

This means it shouldn't cause headache to our users if we drop python
version 3.6 too.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-01-19 17:11:18 +02:00
Kairo de Araujo
2f93e9d0a2 Add workflows permissions
read the contents and write (open) issues

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 10:11:56 +01:00
Kairo de Araujo
852bd02bbe Improve the logs output
Minor changes to the console logs add versioning and simplify when
they are logged.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 09:35:49 +01:00
Kairo de Araujo
93f7dc0a76 Fix query syntax
Fix query syntax that was missing the repository parameter

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 08:51:40 +01:00
Kairo de Araujo
2f4565e100 Add to CI check for specification version.
This commit adds to the CI an automatic check for the TUF
specification version and compares it with the python-tuf metadata
API version.

If the version does not match and there is not an issue already open,
a new issue is opened.

Closes #1598

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-01-11 08:51:40 +01:00
Jussi Kukkonen
f7006f5df0 CI: Use builtin package cache support
actions/setup-python now supports pip cache: use that instead of
handling cache locations manually.

Cache invalidates when any requirements file changes (same as before):
this is a bit over cautious but probably harder to break.

Fixes #1692

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-12-09 13:03:18 +02:00
Jussi Kukkonen
6744f6a9c7
Merge pull request #1652 from jku/limit-github-token-visibility
GH actions: limit GitHub token visibility
2021-11-17 10:06:31 +02:00
Jussi Kukkonen
e073fea819 github: explicitly set workflow permissions
* current workflow only needs to read git content
* if the workflow in the future does need write access, it's good to
  see permissions explicitly changing

For context: "pull_request" runs never have write access anyway, so this
significantly changes only the "push" runs that happen when branches are
merged to develop.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-11-04 11:39:05 +02:00
Jussi Kukkonen
15e84dfb2e GH actions: limit GitHub token visibility
Token should be visible to only the code that actually needs it.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-11-01 09:47:50 +02:00
Martin Vrachev
2e94e39275 Use quotes for python version for github workflows
Fix GitHub workflow failures by using quotes for python versions.
It seems that `3.10`, when given as a number, is transformed to `3.1`,
which as a result is translated to Python version 3.1 instead of Python
version 3.10.
This seems to work for other projects as well:
https://github.com/MasoniteFramework/masonite4/blob/master/.github/workflows/pythontest.yml
https://github.com/python-pillow/Pillow/blob/main/.github/workflows/test-windows.yml
https://github.com/PyGithub/PyGithub/blob/master/.github/workflows/ci.yml

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-21 14:32:05 +03:00
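The three hardening measures in the commits above (pinning third-party actions to commit hashes, setting an explicit least-privilege `permissions` block, and quoting `python-version` entries so `3.10` is not parsed as `3.1`) can be checked mechanically. The script below is an added example written for this page; it is not python-tuf code and is not part of the project's workflows. Both workflow texts and the 40-character placeholder SHA are constructed for the example, and parsing is deliberately line-based so the script runs with only the standard library (block-style `- 3.10` lists are not inspected, only scalars and flow-style `[...]` lists).

```python
"""Hardening checks for GitHub Actions workflow files (added example).

Not python-tuf code. Checks: actions pinned to a full commit SHA, an
explicit top-level least-privilege `permissions` block, and quoted
`python-version` entries. Workflow texts and the SHA are constructed.
"""
import re
from typing import List, Optional, Tuple

# `uses: owner/repo[/subdir]@ref`, optionally followed by a `# v3.0.2`
# comment. Local (`./path`) and `docker://` references are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a top-level (column 0) permissions key is checked: it limits
# GITHUB_TOKEN for every job that does not override it.
PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")
PY_VERSION_RE = re.compile(r"^\s*-?\s*python-version:\s*(.*)$")
# A bare scalar such as 3.10 is a YAML float and loses its trailing zero.
BARE_TRAILING_ZERO_RE = re.compile(r"^\d+\.\d+0$")


def unpinned_actions(workflow: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA.

    A tag like v3 can be moved by whoever has push access to the action's
    repository; a commit SHA cannot.
    """
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


def permissions_finding(workflow: str) -> Optional[str]:
    """Return None if an explicit, non-write-all top-level permissions
    block exists, otherwise a description of the problem."""
    for line in workflow.splitlines():
        m = PERMISSIONS_RE.match(line)
        if m:
            if m.group(1).strip() == "write-all":
                return "top-level permissions is write-all"
            return None
    return "no top-level permissions block: GITHUB_TOKEN gets the repository default"


def float_collapsed_versions(workflow: str) -> List[str]:
    """Return unquoted python-version tokens that YAML would read as floats."""
    findings = []
    for line in workflow.splitlines():
        m = PY_VERSION_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        # Flow-style list `[3.7, "3.10"]` or a single scalar / expression.
        tokens = value.strip("[]").split(",") if value.startswith("[") else [value]
        for tok in (t.strip() for t in tokens):
            if tok and tok[0] not in "\"'" and BARE_TRAILING_ZERO_RE.match(tok):
                findings.append(tok)
    return findings


def check_workflow(workflow: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = [f"unpinned action {a}@{r}" for a, r in unpinned_actions(workflow)]
    perm = permissions_finding(workflow)
    if perm:
        findings.append(perm)
    findings += [f"unquoted python-version {v} (YAML reads it as a float)"
                 for v in float_collapsed_versions(workflow)]
    return findings


# Constructed "before" workflow: tag-pinned actions, no permissions block,
# and an unquoted 3.10 in the matrix.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.7, 3.8, 3.9, 3.10]
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v3.1.2
        with:
          python-version: ${{ matrix.python-version }}
"""

# Constructed "after" workflow; the SHA is a placeholder, not a real commit.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10"]
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.0.2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v3.1.2
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {check_workflow(text) or 'ok'}")
```

Run against a real repository, the same functions can be applied to every file under `.github/workflows/`; the permissions check deliberately treats a missing block as a finding because, as the "explicitly set workflow permissions" commit notes, an explicit block makes any later widening visible in review.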
Martin Vrachev
6ff852ad0f Add support for python 3.10
Python 3.10 was released on October 4th 2021 and it seems
logical to add support for it as it doesn't require any major effort
from the project.

For reference read:
https://www.python.org/downloads/release/python-3100/

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-21 14:32:04 +03:00
Jussi Kukkonen
65fc968b7f CI: Do not require coveralls-fin to succeed
We already do not require individual build uploads to succeed: let's
also not require the final step to succeed.

The immediate context for this is that coveralls has been down for
three days now.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-20 12:51:32 +03:00
Jussi Kukkonen
4110a1cf9c GitHub workflow: Use Python 3.x for lint
pylint 2.7 supports Python 3.9. This issue might reappear with next
Python release but let's deal with that if it happens.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-17 19:34:08 +03:00
Jussi Kukkonen
b59679c374 GitHub CI workflow: tweak names
Currently the github UI dropdown for checks looks useless since
checks are named "Run TUF tests and...".

Tweak the workflow and job names to hopefully fit the actual
step name in the UI.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-17 19:34:08 +03:00
samuelgregorovic
112575d987 updated docs and comments
Updated/removed documented commands and comments which were referencing Python2. Also updated links to documentation referencing Python2 docs (unchanged where needed)

Signed-off-by: Samuel Gregorovic <samuelgregorovic@gmail.com>
Signed-off-by: samuelgregorovic <samuelgregorovic@gmail.com>
2021-07-14 10:37:08 +03:00
Teodora Sechkova
785350b28e CI: Allow failure when publishing on coveralls
A failure during publishing of the coverage results
on coveralls should not fail the whole build job.
Allow the step to fail.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-04-29 15:31:56 +03:00
Joshua Lock
16bd3c2358 Remove Python 2.7 from GitHub CI configuration
- Drop Python 2.7 from GitHub Actions workflows. Note: There is likely
  additional cleanup that can be done to the workflow now we no longer
  care about supporting Python 2.7.
- No longer tell dependabot to ignore idna updates.

Signed-off-by: Joshua Lock <jlock@vmware.com>
2021-03-03 09:37:21 +00:00
Jussi Kukkonen
7c5416d5c3 CI: Limit build-on-push to develop branch only
Dependabot pushes to main repository and ends up triggering two builds
every time (one for PR, one for push): limit the rule for build-on-push
to apply to develop branch only.

If release branches are used later on they should be added to list here.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-02-16 15:40:35 +02:00
Lukas Puehringer
d97c2872db Re-add coveralls.io badge
A recent commit reinstates publishing of coverage data to
coveralls.io. This commit re-adds the corresponding badge which
was temporarily removed in #1242.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2021-01-13 13:45:03 +01:00
Lukas Puehringer
8bb0187a69 Use py3 coveralls to publish coverage on py2
Prior to this commit our GitHub workflow would set up one Python
version only for each build, which means that the commands to run
the tests and publish coverage (tox and coveralls) were run with
the same Python version as tox runs the tests in.

Given that the coveralls CLI tool dropped py2 a couple of releases
ago, this commit sets up an additional service py3 to run coveralls
(and tox) on when building for py2.

To prevent tox from using the wrong Python version to run the tests
on, this commit changes the toxenv value from the generic 'py'
(uses default python on path) to 'py27'.

For convenience and readability we use the environment variable
TOXENV instead of the tox -e option.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2021-01-13 13:43:46 +01:00
Lukas Puehringer
32452c4142 Configure GitHub workflow to publish coverage
Re-add coverage publishing on coveralls.io, formerly performed by
Travis CI (prior to #1242), using the coveralls cli tool according
to the documentation:
https://coveralls-python.readthedocs.io/en/latest/usage/configuration.html#github-actions-gotcha

**Considered alternatives:**
- Official coveralls GitHub action, which does not seem to work
  well for Python:
  https://github.com/coverallsapp/github-action/issues/4
  https://github.com/coverallsapp/github-action/issues/30

- Unofficial fork of that action, which seems to work better
  but had issues finding the coverage data in the tests folder,
  or the covered code respectively.
  https://github.com/AndreMiras/coveralls-python-action

Besides aforementioned issues of these actions the use of cli tools
from curated package managers seems slightly preferable over
actions from the GitHub Marketplace (see #1246).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2021-01-13 13:43:39 +01:00
Lukas Puehringer
36b8d43bd8 Add basic GitHub workflow to run tests and linters
Configure workflow to run all tox environments, where each 'py' env
runs on linux, macos and windows, and sslib master and lint builds
run on Linux/Python 3.x only.

The workflow also configures pip caching.

TODO: Adopt publishing of coverage (coveralls) and license (fossa)
data from .travis.yml.

Co-authored-by: Jussi Kukkonen <jkukkonen@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-12-17 10:28:31 +01:00