Commit graph

5910 commits

Author SHA1 Message Date
dependabot[bot]
ca3e5ec5d8
build(deps): bump black from 23.10.0 to 23.10.1
Bumps [black](https://github.com/psf/black) from 23.10.0 to 23.10.1.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.10.0...23.10.1)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-24 10:22:26 +00:00
Jussi Kukkonen
fb73521982
Merge pull request #2497 from theupdateframework/dependabot/pip/black-23.10.0
build(deps): bump black from 23.9.1 to 23.10.0
2023-10-19 17:53:39 +03:00
dependabot[bot]
39e35e9d1d
build(deps): bump black from 23.9.1 to 23.10.0
Bumps [black](https://github.com/psf/black) from 23.9.1 to 23.10.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.9.1...23.10.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-19 08:06:44 +00:00
Jussi Kukkonen
60770d1346
Merge pull request #2495 from theupdateframework/dependabot/pip/urllib3-2.0.7
build(deps): bump urllib3 from 2.0.6 to 2.0.7
2023-10-19 11:06:00 +03:00
Jussi Kukkonen
eda52147d1
Merge pull request #2496 from theupdateframework/dependabot/pip/mypy-1.6.1
build(deps): bump mypy from 1.6.0 to 1.6.1
2023-10-19 11:05:01 +03:00
Jussi Kukkonen
d132dd822a
Merge pull request #2498 from theupdateframework/dependabot/github_actions/actions/checkout-4.1.1
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
2023-10-19 11:04:27 +03:00
dependabot[bot]
2764851c88
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8ade135a41...b4ffde65f4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:10:55 +00:00
dependabot[bot]
57354a517e
build(deps): bump mypy from 1.6.0 to 1.6.1
Bumps [mypy](https://github.com/python/mypy) from 1.6.0 to 1.6.1.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:42 +00:00
dependabot[bot]
89bb82271a
build(deps): bump urllib3 from 2.0.6 to 2.0.7
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-18 10:06:37 +00:00
Lukas Pühringer
f04dc716cb
Merge pull request #2492 from lukpueh/release-3.1.0
Release python-tuf 3.1.0
2023-10-16 09:15:10 +02:00
Jussi Kukkonen
ed521c0e20
Merge pull request #2490 from theupdateframework/dependabot/pip/mypy-1.6.0
build(deps): bump mypy from 1.5.1 to 1.6.0
2023-10-13 14:09:13 +03:00
Lukas Puehringer
c0c21ca52f
Release python-tuf 3.1.0
* Update changelog
* Bump version

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-13 10:23:07 +02:00
Jussi Kukkonen
6fed68bcce
Merge pull request #2491 from lukpueh/rm-obsolete-fixtures
2023-10-11 16:43:49 +03:00
Lukas Puehringer
438518f68c
tests: remove unused and obsolete test metadata
- metadata.staged: related to a removed tutorial and outdated deployment
  recommendation
- project: related to the removed developer_tool (#1790)
- map.json: related to TAP4, which is not supported by python-tuf

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-10-11 15:09:09 +02:00
dependabot[bot]
f8562879a0
build(deps): bump mypy from 1.5.1 to 1.6.0
Bumps [mypy](https://github.com/python/mypy) from 1.5.1 to 1.6.0.
- [Commits](https://github.com/python/mypy/compare/v1.5.1...v1.6.0)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 10:03:35 +00:00
Lukas Pühringer
038ecd65dc
Merge pull request #2488 from jku/revert-scorecard-pinning
workflows: Partially revert action versions
2023-10-10 09:20:02 +02:00
Jussi Kukkonen
d5c953d575
workflows: Partially revert action versions
Commit f0058259 started not pinning hashes for actions that are used in
workflows that have no runtime or build security impact.

The change does not work for scorecard as scorecard does not tag "v2":
so we have to pin it. Luckily scorecard does not do that many releases.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-09 18:40:56 +03:00
Jussi Kukkonen
00b67c0a67
Merge pull request #2479 from jku/dont-pin-code-scanner-actions
workflows: Stop pinning actions that are not security relevant
2023-10-09 11:03:45 +03:00
Jussi Kukkonen
c7f3f6b5da
Merge pull request #2484 from theupdateframework/dependabot/github_actions/actions/setup-python-4.7.1
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
2023-10-09 11:00:31 +03:00
Jussi Kukkonen
37503f0804
Merge pull request #2482 from theupdateframework/dependabot/pip/coverage-7.3.2
build(deps): bump coverage from 7.3.1 to 7.3.2
2023-10-09 10:56:38 +03:00
Jussi Kukkonen
34b7c4bc04
Merge pull request #2486 from theupdateframework/dependabot/pip/pylint-3.0.1
build(deps): bump pylint from 2.17.7 to 3.0.1
2023-10-09 10:55:43 +03:00
dependabot[bot]
f26e2b24c9
build(deps): bump pylint from 2.17.7 to 3.0.1
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.7 to 3.0.1.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.7...v3.0.1)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-06 10:48:03 +00:00
Jussi Kukkonen
4ba5436a50
Merge pull request #2485 from theupdateframework/dependabot/pip/securesystemslib-cryptopynacl--0.30.0
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
2023-10-04 13:51:51 +03:00
dependabot[bot]
2e9321e3bd
build(deps): bump securesystemslib[crypto,pynacl] from 0.29.0 to 0.30.0
Bumps [securesystemslib[crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.29.0 to 0.30.0.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.29.0...v0.30.0)

---
updated-dependencies:
- dependency-name: securesystemslib[crypto,pynacl]
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-04 10:29:02 +00:00
Lukas Pühringer
e24faf213c
Merge pull request #2481 from lukpueh/signing-status
Metadata API: add get_verification_result method
2023-10-04 11:40:54 +02:00
dependabot[bot]
cf3445c22f
build(deps): bump actions/setup-python from 4.7.0 to 4.7.1
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](61a6322f88...65d7f2d534)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 11:01:32 +00:00
dependabot[bot]
b6fc566a6e
build(deps): bump coverage from 7.3.1 to 7.3.2
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.1...7.3.2)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 10:16:45 +00:00
Lukas Puehringer
a55756327b
Metadata API: add get_verification_result method
The method returns detailed information about signature verification of
a delegated role metadata.

Its implementation is taken from the verify_delegate method and slightly
updated. verify_delegate now is a thin wrapper on top of
get_verification_result.

fixes #2449

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-authored-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-03 12:05:39 +02:00
Jussi Kukkonen
87f9f9134e
Merge pull request #2480 from theupdateframework/dependabot/pip/requirements/urllib3-2.0.6
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
2023-10-03 09:55:04 +03:00
dependabot[bot]
2549321b96
build(deps): bump urllib3 from 2.0.5 to 2.0.6 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/v2.0.5...2.0.6)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-03 00:23:50 +00:00
Jussi Kukkonen
1856ff980f
Merge pull request #2476 from theupdateframework/dependabot/pip/cffi-1.16.0
build(deps): bump cffi from 1.15.1 to 1.16.0
2023-10-02 14:08:43 +03:00
dependabot[bot]
1ed83c9fe3
build(deps): bump cffi from 1.15.1 to 1.16.0
Bumps [cffi](https://github.com/python-cffi/cffi) from 1.15.1 to 1.16.0.
- [Release notes](https://github.com/python-cffi/cffi/releases)
- [Commits](https://github.com/python-cffi/cffi/compare/v1.15.1...v1.16.0)

---
updated-dependencies:
- dependency-name: cffi
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 11:01:33 +00:00
Jussi Kukkonen
4a4128190f
Merge pull request #2477 from theupdateframework/dependabot/pip/charset-normalizer-3.3.0
build(deps): bump charset-normalizer from 3.2.0 to 3.3.0
2023-10-02 14:00:07 +03:00
Jussi Kukkonen
3c1cf659b6
Merge pull request #2478 from theupdateframework/dependabot/pip/pylint-2.17.7
build(deps): bump pylint from 2.17.6 to 2.17.7
2023-10-02 13:59:05 +03:00
dependabot[bot]
e359d21066
build(deps): bump pylint from 2.17.6 to 2.17.7
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.6 to 2.17.7.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.6...v2.17.7)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 10:47:23 +00:00
dependabot[bot]
0c569eb3ae
build(deps): bump charset-normalizer from 3.2.0 to 3.3.0
Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/Ousret/charset_normalizer/releases)
- [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Ousret/charset_normalizer/compare/3.2.0...3.3.0)

---
updated-dependencies:
- dependency-name: charset-normalizer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 10:47:08 +00:00
Jussi Kukkonen
f005825955
workflows: Stop pinning actions that are not security relevant
These workflows have no real security relevance (runtime build or test)
in the sense that a compromise in the dependencies could compromise
python-tuf security:
* scorecards
* dependency-review
* codeql-analysis

Stop pinning the actions used in them (except the common actions that
are used everywhere like actions/checkout: use the same version of
those everywhere). The benefit here is fewer Dependabot PRs: If we had
done this from the start we'd have skipped ~70 PRs by now.

The interesting permissions used in these workflows are
 * security-events: write
   This can add things onto the "Security" tab in GitHub
 * id-token: write
   This allows OIDC authentication, but only as this specific workflow

These permissions look completely acceptable to me.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-02 13:34:24 +03:00
Jussi Kukkonen
ba1f322559
Merge pull request #2474 from lukpueh/rm-obsolete-comments
Remove obsolete comments from Python 2.7 times
2023-09-28 13:36:27 +03:00
Lukas Pühringer
1d8b57ba71
Merge pull request #2458 from theupdateframework/dependabot/pip/coverage-7.3.1
build(deps): bump coverage from 7.2.7 to 7.3.1
2023-09-28 11:43:38 +02:00
Lukas Puehringer
9894d735a9
Remove obsolete comments from Python 2.7 times
We no longer run 2.7 tests (_test.yml) and we no longer need per-version
requirements files (main.txt).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-09-28 11:40:29 +02:00
dependabot[bot]
81487170f3
build(deps): bump coverage from 7.2.7 to 7.3.1
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.2.7 to 7.3.1.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.2.7...7.3.1)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-28 09:29:42 +00:00
Lukas Pühringer
ad1bbe65df
Merge pull request #2460 from jku/drop-3.7-support
Drop support for Python 3.7
2023-09-28 11:28:13 +02:00
Jussi Kukkonen
74f2cfe54b
Merge pull request #2470 from theupdateframework/dependabot/pip/pylint-2.17.6
build(deps): bump pylint from 2.17.5 to 2.17.6
2023-09-26 13:55:57 +03:00
dependabot[bot]
65efc693c3
build(deps): bump pylint from 2.17.5 to 2.17.6
Bumps [pylint](https://github.com/pylint-dev/pylint) from 2.17.5 to 2.17.6.
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v2.17.5...v2.17.6)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-26 10:49:01 +00:00
Jussi Kukkonen
b7c956cd01
Merge pull request #2469 from theupdateframework/dependabot/github_actions/actions/checkout-4.1.0
build(deps): bump actions/checkout from 4.0.0 to 4.1.0
2023-09-26 12:00:53 +03:00
dependabot[bot]
aaea6c29ab
build(deps): bump actions/checkout from 4.0.0 to 4.1.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](3df4ab11eb...8ade135a41)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 10:56:33 +00:00
Jussi Kukkonen
cf7489491d
Merge pull request #2465 from theupdateframework/dependabot/github_actions/github/codeql-action-2.21.8
build(deps): bump github/codeql-action from 2.21.7 to 2.21.8
2023-09-25 13:50:06 +03:00
Jussi Kukkonen
457f046afa
Merge pull request #2467 from theupdateframework/dependabot/pip/urllib3-2.0.5
build(deps): bump urllib3 from 2.0.4 to 2.0.5
2023-09-25 13:49:31 +03:00
Jussi Kukkonen
bd4470b911
Merge pull request #2466 from theupdateframework/dependabot/pip/cryptography-41.0.4
build(deps): bump cryptography from 41.0.3 to 41.0.4
2023-09-25 13:48:32 +03:00
dependabot[bot]
f3e7461d2f
build(deps): bump urllib3 from 2.0.4 to 2.0.5
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.4 to 2.0.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.4...v2.0.5)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-20 10:11:08 +00:00