dependabot[bot]
a2cbdd23a1
build(deps): bump github/codeql-action from 2.1.21 to 2.1.22
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.21 to 2.1.22.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c7f292ea4f...b398f525a5
2022-09-02 10:22:03 +00:00
Lukas Puehringer
b83c738373
chore: fix error in spec version check workflow
...
Use `--upgrade` option to upgrade pip with pip in workflow, instead
of non-existing `-u` option (-U would also be possible).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 14:19:12 +02:00
Lukas Puehringer
7baf1d3376
chore: misc setup-python changes in spec check job
...
1. update action/setup-python to latest version
2. pin major version to be used to 3.x
3. upgrade pip before using it
1 and 2 were suggested in #2089
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-08-30 09:44:19 +02:00
Radoslav Dimitrov
53f1611b74
chore: limit the permissions for the job calling the version check workflow
...
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:37:01 +02:00
Radoslav Dimitrov
0e6b928d9a
chore: update the workflow responsible for notifying of new TUF spec release
...
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-08-30 09:36:59 +02:00
dependabot[bot]
de8f97f283
build(deps): bump actions/github-script from 6.1.1 to 6.2.0
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.1.1 to 6.2.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](d50f485531...c713e510db
2022-08-29 10:24:16 +00:00
dependabot[bot]
3d1786da74
build(deps): bump github/codeql-action from 2.1.20 to 2.1.21
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.20 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7fee4ca032...c7f292ea4f
2022-08-26 10:16:29 +00:00
dependabot[bot]
90a2ec4804
build(deps): bump github/codeql-action from 2.1.19 to 2.1.20
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.19 to 2.1.20.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f5d217be74...7fee4ca032
2022-08-24 10:18:21 +00:00
Lukas Pühringer
0e04e3307f
Merge pull request #2080 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.19
...
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
2022-08-22 09:07:24 +02:00
dependabot[bot]
789dcef5f1
build(deps): bump actions/dependency-review-action from 2.0.4 to 2.1.0
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.0.4 to 2.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](94145f3150...23d1ffffb6
2022-08-19 10:14:19 +00:00
dependabot[bot]
4528289ea2
build(deps): bump github/codeql-action from 2.1.18 to 2.1.19
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.18 to 2.1.19.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](2ca79b6fa8...f5d217be74
2022-08-19 10:14:16 +00:00
dependabot[bot]
e27dce0f5f
build(deps): bump actions/github-script from 6.1.0 to 6.1.1
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](7a5c598405...d50f485531
2022-08-15 10:19:37 +00:00
dependabot[bot]
d442fa2d56
build(deps): bump github/codeql-action from 2.1.17 to 2.1.18
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.17 to 2.1.18.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0c670bbf04...2ca79b6fa8
2022-08-04 10:27:31 +00:00
dependabot[bot]
c524984be4
build(deps): bump actions/setup-python from 4.1.0 to 4.2.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](c4e89fac7e...b55428b188
2022-08-03 10:19:48 +00:00
Lukas Pühringer
3108998f75
Merge pull request #2066 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.17
...
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
2022-08-01 12:11:25 +02:00
dependabot[bot]
3e1fa8b47e
build(deps): bump github/codeql-action from 2.1.16 to 2.1.17
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.16 to 2.1.17.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3e7e3b32d0...0c670bbf04
2022-07-29 10:19:57 +00:00
dependabot[bot]
6edf9191de
build(deps): bump pypa/gh-action-pypi-publish from 1.5.0 to 1.5.1
...
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish ) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases )
- [Commits](717ba43cfb...37f50c210e
2022-07-27 16:36:56 +00:00
Lukas Pühringer
e00e854841
Merge pull request #2054 from theupdateframework/dependabot/github_actions/actions/setup-python-4.1.0
...
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
2022-07-19 11:26:37 +02:00
Lukas Pühringer
43f5db694d
Merge pull request #2057 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2.0.4
...
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
2022-07-19 11:23:47 +02:00
dependabot[bot]
a49d8cbc8d
build(deps): bump github/codeql-action from 2.1.15 to 2.1.16
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.15 to 2.1.16.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3f62b754e2...3e7e3b32d0
2022-07-14 10:21:41 +00:00
dependabot[bot]
f617ae5d77
build(deps): bump actions/dependency-review-action from 2.0.2 to 2.0.4
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.0.2 to 2.0.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](1c59cdf2a9...94145f3150
2022-07-14 10:21:36 +00:00
dependabot[bot]
deb9633879
build(deps): bump actions/setup-python from 4.0.0 to 4.1.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](d09bd5e600...c4e89fac7e
2022-07-12 10:20:32 +00:00
dependabot[bot]
b869320624
build(deps): bump github/codeql-action from 2.1.14 to 2.1.15
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.14 to 2.1.15.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](41a4ada31b...3f62b754e2
2022-06-29 10:37:50 +00:00
dependabot[bot]
fbe30683dd
build(deps): bump github/codeql-action from 2.1.13 to 2.1.14
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.13 to 2.1.14.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](d00e8c09a3...41a4ada31b
2022-06-23 12:59:20 +00:00
dependabot[bot]
efc530a932
build(deps): bump github/codeql-action from 2.1.12 to 2.1.13
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.12 to 2.1.13.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](27ea8f8fe5...d00e8c09a3
2022-06-21 10:21:08 +00:00
dependabot[bot]
190e9e1f69
build(deps): bump actions/dependency-review-action from 2.0.0 to 2.0.2
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](97790d29c7...1c59cdf2a9
2022-06-16 10:24:53 +00:00
Jussi Kukkonen
c89cb50b83
Merge pull request #2026 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-2
...
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
2022-06-16 09:47:16 +03:00
dependabot[bot]
d05a2f8d2f
build(deps): bump actions/dependency-review-action from 1.0.2 to 2
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 1.0.2 to 2.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](a9c83d3af6...97790d29c7
2022-06-15 10:27:51 +00:00
Joshua Lock
6678d2f76a
Add workflow for codeql analysis
...
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-06-15 10:19:35 +01:00
dependabot[bot]
94b08faade
build(deps): bump actions/setup-python from 3.1.2 to 4
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 3.1.2 to 4.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](https://github.com/actions/setup-python/compare/v3.1.2...d09bd5e6005b175076f227b13d9730d56e9dcfcb )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-06-09 10:22:16 +00:00
Jussi Kukkonen
cfcc0c3f0f
Merge pull request #1974 from naveensrinivasan/Dependency-Review-Action
...
chore: Dependency Review Action
2022-06-06 16:30:12 +03:00
naveensrinivasan
a5afebd1ab
Changed the tags to SHA
...
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-06-02 07:01:45 -05:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
...
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](6673cd052c...3cea537223
2022-05-23 10:23:02 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](9ac08808f9...7a5c598405
2022-05-13 10:17:47 +00:00
Jussi Kukkonen
7c0de84f26
Update maintainers permission checklist
...
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
permissions
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Lukas Puehringer
0b0c55b1df
Restrict cd permissions to contents: write
...
This is the minimum permission needed to create/modify GH releases.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
db471a5fd5
Refactor ci/cd workflows
...
Prior to this change, ci triggered cd, depending on the event that
triggered ci. Due to the vague information about that event
available to cd, the workflow pipeline was a bit brittle.
This change disassociates ci and cd workflows to allow for an
independent configuration of trigger events.
The test jobs, which used to be defined in ci, are now in a
separate workflow file _test.yml that can be included in both ci
and cd workflows.
**Changes in ci**
- Only defines trigger events and permissions, the "meat" of ci is
defined in the called _test.yml now.
- No longer triggers on tag pushes, this was only needed for cd.
**Changes in cd**
- Now triggers directly on tag pushes instead of (cd)-workflow_run.
- Calls _test.yml, and require successful run before build/release.
(`needs: test` replaces `if: ...`)
- Changes variable names about pushed tag that triggered the event.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Lukas Puehringer
38b774e0eb
Refactor ci/cd workflows (WIP)
...
This is an intermediate commit for easier review. See subsequent
commit for details.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-26 10:36:58 +02:00
Naveen
0c0206d1c0
chore: Dependency Review Action
...
Dependency review is a tool that helps you identify and fix vulnerabilities in your dependencies. By checking the dependency reviews in a pull request and changing any dependencies that are flagged as vulnerable, the project can avoid vulnerabilities being added to your project. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-24 15:15:24 -05:00
dependabot[bot]
68fd8a1cc6
build(deps): bump actions/checkout from 3.0.0 to 3.0.2
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.0.0 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3...2541b1294d2704b0964813337f33b291d3f8596b )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 10:19:38 +00:00
Lukas Pühringer
72424a958b
Merge pull request #1946 from lukpueh/auto-release
...
Add GH workflow to build and release on GH and PyPI
2022-04-21 13:03:25 +02:00
Lukas Puehringer
b99d0432a7
build: minor updates in CI/CD workflow files
...
- polish code comments
- wrap long lines
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:25 +02:00
dependabot[bot]
4d54629293
build(deps): bump actions/setup-python from 3.1.1 to 3.1.2
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](21c0493ecf...98f2ad02fd
2022-04-20 06:58:22 +00:00
dependabot[bot]
65d1b87a2f
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](a12a3943b4...dcd71f6466
2022-04-15 10:16:40 +00:00
dependabot[bot]
156e535dcf
build(deps): bump actions/setup-python from 3.1.0 to 3.1.1
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](9c644ca2ab...21c0493ecf
2022-04-07 10:19:18 +00:00
Lukas Puehringer
a1a71c11a1
build: update CI/CD workflow to run in series
...
- Change CI workflow to also run on push to (release) tag
- Change CD workflow to run on successful CI run, and only if a
(release) tag push triggered the CI
NOTE: Unfortunately the setup is not very robust
(see code comment in cd.yml)
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-07 12:15:39 +02:00
Lukas Puehringer
5bfe897335
build: update CD workflow to create GH release
...
- Create preliminary GitHub release (X.Y.Z-rc) in 'build' job,
using popular 3rd-party 'softprops/action-gh-release'.
- Finalize GH release in 'release' job using custom GH script.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:56 +02:00
Lukas Puehringer
faef040407
build: add GH workflow to build + release on PyPI
...
Add workflow with two jobs to build and publish on PyPI. The
release job waits for the build job and uses a custom release
environment, which can be configured to require review.
To share the build artifacts between the jobs and to make them
available for intermediate review, they are stored using
'actions/upload-artifact' and 'actions/download-artifact'.
https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts
To upload the build artifacts to PyPI, the PyPA recommended
'pypa/gh-action-pypi-publish' is used.
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
**Caveat**
The URL to grab the artifacts, e.g. for review, requires knowledge
of action ID and artifact ID, and a login token (no special
permissions). This makes it a bit cumbersome to fetch the artifacts
with a script and compare them to a local build.
https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-06 17:30:13 +02:00
dependabot[bot]
b0a73e41c6
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](0ebf233433...9c644ca2ab
2022-04-04 10:21:57 +00:00
