Commit graph

6224 commits

Author SHA1 Message Date
dependabot[bot]
6a0a47af88
build(deps): bump securesystemslib[crypto,pynacl] from 0.22.0 to 0.23.0
Bumps [securesystemslib[crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/master/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: securesystemslib[crypto,pynacl]
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 10:08:17 +00:00
Jussi Kukkonen
f1a4cb310b
Merge pull request #1976 from lukpueh/fix-release-doc
Adopt recent ci/cd changes in release docs
2022-04-26 13:44:46 +03:00
Lukas Puehringer
13e64bcd8a Adopt recent ci/cd changes in release docs
Since #1971 ci and cd workflows run independently of each other,
each of them also calling the test workflow.

This patch updates RELEASE.md to match the new setup.

It also fixes a (twice) broken link.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 11:47:40 +02:00
Lukas Pühringer
a50062f668
Merge pull request #1971 from lukpueh/robust-ci-cd
Refactor ci/cd workflows to make more robust
2022-04-26 11:13:49 +02:00
Lukas Puehringer
0b0c55b1df Restrict cd permissions to contents: write
This is the minimum permission needed to create/modify GH releases.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
db471a5fd5 Refactor ci/cd workflows
Prior to this change, ci triggered cd, depending on the event that
triggered ci. Due to the vague information about that event
available to cd, the workflow pipeline was a bit brittle.

This change disassociates ci and cd workflows to allow for an
independent configuration of trigger events.

The test jobs, which used to be defined in ci, are now in a
separate workflow file _test.yml that can be included in both ci
and cd workflows.

**Changes in ci**
- Only defines trigger events and permissions, the "meat" of ci is
  defined in the called _test.yml now.
- No longer triggers on tag pushes, this was only needed for cd.

**Changes in cd**
- Now triggers directly on tag pushes instead of (cd)-workflow_run.
- Calls _test.yml, and require successful run before build/release.
  (`needs: test` replaces `if: ...`)
- Changes variable names about pushed tag that triggered the event.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
38b774e0eb Refactor ci/cd workflows (WIP)
This is an intermediate commit for easier review. See subsequent
commit for details.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Jussi Kukkonen
b1ba8181a7
Merge pull request #1965 from theupdateframework/dependabot/pip/types-requests-2.27.20
build(deps): bump types-requests from 2.27.19 to 2.27.20
2022-04-26 11:23:01 +03:00
Jussi Kukkonen
f150807022
Merge pull request #1964 from theupdateframework/dependabot/pip/pylint-2.13.7
build(deps): bump pylint from 2.13.5 to 2.13.7
2022-04-26 11:22:49 +03:00
Jussi Kukkonen
0ad6eab7cb
Merge pull request #1973 from theupdateframework/dependabot/github_actions/actions/checkout-3.0.2
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
2022-04-26 11:21:27 +03:00
Jussi Kukkonen
34b3c23566
Merge pull request #1970 from lukpueh/include-examples-sdist
Update build config to include examples dir
2022-04-26 11:06:58 +03:00
Naveen
0c0206d1c0
chore: Dependency Review Action
Dependency review is a tool that helps you identify and fix vulnerabilities in your dependencies. By checking the dependency reviews in a pull request and changing any dependencies that are flagged as vulnerable, the project can avoid vulnerabilities being added to your project. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-24 15:15:24 -05:00
dependabot[bot]
68fd8a1cc6
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 10:19:38 +00:00
Lukas Puehringer
f4165fff3c Update build config to include examples dir
Explicitly include `examples` dir in sdist.

The same would be achieved, by removing explicit includes, which
currently would also add these files/dirs:

```
/gitattributes
/github
/mypy_cache
/readthedocs.yaml
/verify_release
```

Maybe we should instead of defining includes, explicitly exclude
(some of) these files? The advantage of a blacklist approach is
that it becomes less likely to forget including files that should
be in included.

See hatch docs for:
- what files should be in sdist
https://ofek.dev/hatch/latest/plugins/builder/#source-distribution

- what files get into sdist by default:
https://ofek.dev/hatch/latest/plugins/builder/#default-file-selection_1

- how to configure what files get into sdist:
https://ofek.dev/hatch/latest/config/build/#file-selection

Fixes #1901

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-21 14:06:11 +02:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
dependabot[bot]
734dcc5924
build(deps): bump types-requests from 2.27.19 to 2.27.20
Bumps [types-requests](https://github.com/python/typeshed) from 2.27.19 to 2.27.20.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-requests
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-21 10:09:01 +00:00
dependabot[bot]
ae723d4b49
build(deps): bump pylint from 2.13.5 to 2.13.7
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.13.5 to 2.13.7.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.5...v2.13.7)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-21 10:08:55 +00:00
Lukas Puehringer
b99d0432a7 build: minor updates in CI/CD workflow files
- polish code comments
- wrap long lines

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:25 +02:00
Lukas Puehringer
674eb9d096 doc: describe repo setup in RELEASE.md + typos fix
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:18 +02:00
Jussi Kukkonen
31ca674aa0
Merge pull request #1951 from theupdateframework/dependabot/github_actions/actions/setup-python-3.1.2
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
2022-04-20 11:30:20 +03:00
dependabot[bot]
4d54629293
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](21c0493ecf...98f2ad02fd)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-20 06:58:22 +00:00
Jussi Kukkonen
9da9050dd0
Merge pull request #1957 from theupdateframework/dependabot/github_actions/actions/checkout-3.0.1
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
2022-04-20 09:58:03 +03:00
Jussi Kukkonen
5811f55ab1
Merge pull request #1958 from theupdateframework/dependabot/pip/types-requests-2.27.19
build(deps): bump types-requests from 2.27.16 to 2.27.19
2022-04-20 09:57:44 +03:00
Jussi Kukkonen
3a7fad7854
Merge pull request #1960 from mnm678/spec-version
Update supported spec version
2022-04-20 09:57:24 +03:00
Jussi Kukkonen
b8acf5512d
Merge pull request #1953 from MVrachev/fix-eq-tests
Tests: restore objects to initial state after test
2022-04-20 09:57:12 +03:00
Marina Moore
70b27b0ef8 Regenerate tests with new spec version
Signed-off-by: Marina Moore <mnm678@gmail.com>
2022-04-19 10:31:07 -04:00
Marina Moore
9c5c5f7a73 Update supported spec version
Signed-off-by: Marina Moore <mnm678@gmail.com>
2022-04-19 10:22:43 -04:00
Lukas Pühringer
c2087b39e1
Merge pull request #1955 from jku/test-client-metadata-length-limits
tests: Test client max metadata length config
2022-04-19 15:47:47 +02:00
Lukas Pühringer
8e526d7547
Merge pull request #1954 from aribasch/fix-path-construction
Replaced manual path construction with os.path.join
2022-04-19 15:17:22 +02:00
Ari
0708fb4a3b Reverted URL construction back to f-strings
Signed-off-by: Ari <aribasch@umich.edu>
2022-04-18 12:21:44 -04:00
Ari
d867debb77 Replaced manual path construction with os.path.join
Signed-off-by: Ari <aribasch@umich.edu>
2022-04-18 12:21:44 -04:00
dependabot[bot]
39ccb9910c
build(deps): bump types-requests from 2.27.16 to 2.27.19
Bumps [types-requests](https://github.com/python/typeshed) from 2.27.16 to 2.27.19.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-requests
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-18 10:09:04 +00:00
dependabot[bot]
65d1b87a2f
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-15 10:16:40 +00:00
Jussi Kukkonen
17ec875cd8 tests: Test client max metadata length config
Fixes #1730

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-14 10:22:17 +03:00
Martin Vrachev
ce11102dee Tests: restore objects to initial state after test
Inside test_metadata_eq_.py we test the __eq__ implementations of all
classes. In order to do this, we change the attribute of the object and
then compare them to the unchanged version of those objects.
Usually, we do it in the following steps:
1. create an initial version "a"
2. create a copy of "a" called "b"
3. iterate all attributes inside "b" and change them to a given value
4. check that "a" and "b" are different

We do however forget to restore the object `b` to its initial state
which means we don't check the `__eq__` correctly as we stop on the
first, the found difference which could be of an older attribute changed
in one of the past iterations.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-04-13 16:28:31 +03:00
Jussi Kukkonen
c47121b1cb
Merge pull request #1950 from abs007/patch-1938
Fixed annotation for unrecognized_fields
2022-04-13 10:11:42 +03:00
Abhisman Sarkar
944a540f97 Metadata API: Annotate 'unrecognized_fields' as Dict
Fixes #1938

Description of the changes being introduced by the pull request:

Annotating as Mapping seems wrong as further changes to the content might
be added in the code base. Hence, annotation changed to Dict.

Signed-off-by: Abhisman Sarkar <abhisman.sarkar@gmail.com>
2022-04-12 22:25:33 +05:30
Jussi Kukkonen
8a7243ff23
Merge pull request #1947 from jku/verify-release-build-isolation
verify_release: Build from git sources only
2022-04-11 12:01:36 +03:00
Jussi Kukkonen
62580abf9c verify_release: Build from git sources only
Make a new (local) git clone to build from. This ensures uncommitted
files do not affect the build.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-08 16:54:02 +03:00
Jussi Kukkonen
76a46090a3
Merge pull request #1945 from theupdateframework/dependabot/github_actions/actions/setup-python-3.1.1
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
2022-04-08 11:07:55 +03:00
Jussi Kukkonen
fe95c88ea3
Merge pull request #1944 from theupdateframework/dependabot/pip/pylint-2.13.5
build(deps): bump pylint from 2.13.4 to 2.13.5
2022-04-08 11:07:24 +03:00
dependabot[bot]
156e535dcf
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](9c644ca2ab...21c0493ecf)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 10:19:18 +00:00
Lukas Puehringer
37cb272a43 doc: describe auto release workflow in RELEASE.md
Change RELEASE.md to include instructions to trigger and review
auto release workflow (CI/CD).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:16:00 +02:00
Lukas Puehringer
4f275ad636 build: add skip-pypi flag to verify_release script
Add '--skip-pypi' flag to 'verify_release' script to allow for
pre-release checks, when the automatic build job has uploaded the
build assets to GitHub and is awaiting review/approval in order to
upload it to PyPI eventually.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:16:00 +02:00
Lukas Puehringer
a76ed28c02 build: lint 'verify_release' with tox
Enable tox to lint 'verify_release' script and fix:
- whitespace
- unused import (we only import here to see if the module is
  available for use in a subprocess)
- unfound import (same as unused import)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:16:00 +02:00
Lukas Puehringer
a1a71c11a1 build: update CI/CD workflow to run in series
- Change CI workflow to also run on push to (release) tag
- Change CD workflow to run on successful CI run, and only if a
  (release) tag push triggered the CI

NOTE: Unfortunately the setup is not very robust
      (see code comment in cd.yml)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:15:39 +02:00
dependabot[bot]
1d9219a8bb
build(deps): bump pylint from 2.13.4 to 2.13.5
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.13.4 to 2.13.5.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.4...v2.13.5)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 10:06:10 +00:00
Lukas Puehringer
5bfe897335 build: update CD workflow to create GH release
- Create preliminary GitHub release (X.Y.Z-rc) in 'build' job,
  using popular 3rd-party 'softprops/action-gh-release'.
- Finalize GH release in 'release' job using custom GH script.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:56 +02:00
Lukas Puehringer
faef040407 build: add GH workflow to build + release on PyPI
Add workflow with two jobs to build and publish on PyPI.  The
release job waits for the build job and uses a custom release
environment, which can be configured to require review.

To share the build artifacts between the jobs and to make them
available for intermediate review, they are stored using
'actions/upload-artifact' and 'actions/download-artifact'.
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts

To upload the build artifacts to PyPI, the PyPA recommended
'pypa/gh-action-pypi-publish' is used.
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

**Caveat**
The URL to grab the artifacts, e.g. for review, requires knowledge
of action ID and artifact ID, and a login token (no special
permissions). This makes it a bit cumbersome to fetch the artifacts
with a script and compare them to a local build.
https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:13 +02:00
Jussi Kukkonen
10f9feaead
Merge pull request #1939 from theupdateframework/dependabot/pip/types-requests-2.27.16
build(deps): bump types-requests from 2.27.15 to 2.27.16
2022-04-04 16:57:33 +03:00