From b690d8f5732f7aef37cff1598cd497de0157352d Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Fri, 14 Mar 2025 14:51:59 +0200 Subject: [PATCH 01/44] docs: Include version number in docs Otherwise on readthedocs it's not clear what version "latest" is. Signed-off-by: Jussi Kukkonen --- docs/index.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index a158b70422..6a5b50d9bd 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -1,5 +1,5 @@ -TUF Developer Documentation -=========================== +Python-TUF |version| Developer Documentation +======================================================================= This documentation provides essential information for those developing software with the `Python reference implementation of The Update Framework (TUF) From 075949fecef9304137a88fc989c9120525a607a6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Mar 2025 21:31:22 +0000 Subject: [PATCH 02/44] build(deps): bump the test-and-lint-dependencies group with 2 updates Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/woodruffw/zizmor). Updates `ruff` from 0.9.10 to 0.11.0 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.9.10...0.11.0) Updates `zizmor` from 1.4.1 to 1.5.1 - [Release notes](https://github.com/woodruffw/zizmor/releases) - [Changelog](https://github.com/woodruffw/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/woodruffw/zizmor/compare/v1.4.1...v1.5.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index b4ae77b517..51f9a2ca52 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.9.10 +ruff==0.11.0 mypy==1.15.0 -zizmor==1.4.1 +zizmor==1.5.1 # Required for type stubs freezegun==1.5.1 From 9f873cb9d53cee2714d3165b939c19c1aa0a01c5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Mar 2025 10:17:42 +0200 Subject: [PATCH 03/44] build(deps): bump coverage[toml] in the dependencies group (#2813) --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index 6a54f92051..928c264847 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.6.12 +coverage[toml]==7.7.0 freezegun==1.5.1 From 866409ffe9f058cefa062d7b13f91bd84217f7de Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Tue, 18 Mar 2025 14:49:24 +0100 Subject: [PATCH 04/44] Port securesystemslib.hash module securesystemslib.hash is a small wrapper around hashlib, which serves two main purposes: * provide helper function to hash a file * translate custom hash algorithm name "blake2b-256" to "blake2b" with (digest_size=32). In preparation for the removal of securesystemslib.hash, this patch ports above behavior to tuf and uses the builtin hashlib directly where possible. related secure-systems-lab/securesystemslib#943 Signed-off-by: Lukas Puehringer --- tests/repository_simulator.py | 8 +++-- tests/test_api.py | 5 +-- tuf/api/_payload.py | 59 +++++++++++++++++++++++------------ 3 files changed, 45 insertions(+), 27 deletions(-) diff --git a/tests/repository_simulator.py b/tests/repository_simulator.py index 637ba42a54..5e9ba18939 100644 --- a/tests/repository_simulator.py +++ b/tests/repository_simulator.py @@ -45,6 +45,7 @@ from __future__ import annotations import datetime +import hashlib import logging import os import tempfile @@ -52,7 +53,6 @@ from typing import TYPE_CHECKING from urllib import parse -import securesystemslib.hash as sslib_hash from securesystemslib.signer import CryptoSigner, Signer from tuf.api.exceptions import DownloadHTTPError 
@@ -80,6 +80,8 @@ SPEC_VER = ".".join(SPECIFICATION_VERSION) +_DEFAULT_HASH_ALGORITHM = "sha256" + @dataclass class FetchTracker: @@ -292,9 +294,9 @@ def _compute_hashes_and_length( self, role: str ) -> tuple[dict[str, str], int]: data = self.fetch_metadata(role) - digest_object = sslib_hash.digest(sslib_hash.DEFAULT_HASH_ALGORITHM) + digest_object = hashlib.new(_DEFAULT_HASH_ALGORITHM) digest_object.update(data) - hashes = {sslib_hash.DEFAULT_HASH_ALGORITHM: digest_object.hexdigest()} + hashes = {_DEFAULT_HASH_ALGORITHM: digest_object.hexdigest()} return hashes, len(data) def update_timestamp(self) -> None: diff --git a/tests/test_api.py b/tests/test_api.py index 7b80d36041..53a13f14ff 100644 --- a/tests/test_api.py +++ b/tests/test_api.py @@ -17,7 +17,6 @@ from typing import ClassVar from securesystemslib import exceptions as sslib_exceptions -from securesystemslib import hash as sslib_hash from securesystemslib.signer import ( CryptoSigner, Key, @@ -958,9 +957,7 @@ def test_targetfile_from_file(self) -> None: # Test with a non-existing file file_path = os.path.join(self.repo_dir, Targets.type, "file123.txt") with self.assertRaises(FileNotFoundError): - TargetFile.from_file( - file_path, file_path, [sslib_hash.DEFAULT_HASH_ALGORITHM] - ) + TargetFile.from_file(file_path, file_path, ["sha256"]) # Test with an unsupported algorithm file_path = os.path.join(self.repo_dir, Targets.type, "file1.txt") diff --git a/tuf/api/_payload.py b/tuf/api/_payload.py index 56852082ea..72c66785a2 100644 --- a/tuf/api/_payload.py +++ b/tuf/api/_payload.py @@ -8,8 +8,10 @@ import abc import fnmatch +import hashlib import io import logging +import sys from dataclasses import dataclass from datetime import datetime, timezone from typing import ( 
@@ -21,7 +23,6 @@ ) from securesystemslib import exceptions as sslib_exceptions -from securesystemslib import hash as sslib_hash from securesystemslib.signer import Key, Signature from tuf.api.exceptions import LengthOrHashMismatchError, UnsignedMetadataError @@ -34,6 +35,9 @@ _TARGETS = "targets" _TIMESTAMP = "timestamp" +_DEFAULT_HASH_ALGORITHM = "sha256" +_BLAKE_HASH_ALGORITHM = "blake2b-256" + # We aim to support SPECIFICATION_VERSION and require the input metadata # files to have the same major version (the first number) as ours. SPECIFICATION_VERSION = ["1", "0", "31"] @@ -45,6 +49,30 @@ T = TypeVar("T", "Root", "Timestamp", "Snapshot", "Targets") +def _hash(algo: str) -> Any: # noqa: ANN401 + """Returns new hash object, supporting custom "blake2b-256" algo name.""" + if algo == _BLAKE_HASH_ALGORITHM: + return hashlib.blake2b(digest_size=32) + + return hashlib.new(algo) + + +def _file_hash(f: IO[bytes], algo: str) -> Any: # noqa: ANN401 + """Returns hashed file.""" + f.seek(0) + if sys.version_info >= (3, 11): + digest = hashlib.file_digest(f, lambda: _hash(algo)) # type: ignore[arg-type] + + else: + # Fallback for older Pythons. Chunk size is taken from the previously + # used and now deprecated `securesystemslib.hash.digest_fileobject`. + digest = _hash(algo) + for chunk in iter(lambda: f.read(4096), b""): + digest.update(chunk) + + return digest + + class Signed(metaclass=abc.ABCMeta): """A base class for the signed part of TUF metadata. 
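Review bot: The docstring `"""Returns hashed file."""` on `_file_hash` is inaccurate — the function returns a hash object (callers call `.hexdigest()` on it), and it hides a side effect: `f.seek(0)` rewinds the stream and the read then leaves it at end of file. Suggest `"""Return a hash object for ``algo`` updated with the full content of ``f``; rewinds ``f`` to offset 0 first and leaves it at EOF."""`. `_hash` deserves a why-comment too: `hashlib.new` accepts every name in `hashlib.algorithms_available`, including legacy digests such as md5 and sha1, so the accepted set is now whatever the local OpenSSL build offers; if the removed `sslib_hash.digest` did not restrict names either this is not a regression, but stating it on the helper makes the policy visible. The `# type: ignore[arg-type]` on the `file_digest` lambda would also read better with a short note on why it is needed. The same helpers are renamed `_get_digest`/`_hash_file` in PATCH 07, where the `f.seek(0)` behaviour is kept.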
@@ -664,19 +692,15 @@ def _verify_hashes( data: bytes | IO[bytes], expected_hashes: dict[str, str] ) -> None: """Verify that the hash of ``data`` matches ``expected_hashes``.""" - is_bytes = isinstance(data, bytes) for algo, exp_hash in expected_hashes.items(): try: - if is_bytes: - digest_object = sslib_hash.digest(algo) + if isinstance(data, bytes): + digest_object = _hash(algo) digest_object.update(data) else: # if data is not bytes, assume it is a file object - digest_object = sslib_hash.digest_fileobject(data, algo) - except ( - sslib_exceptions.UnsupportedAlgorithmError, - sslib_exceptions.FormatError, - ) as e: + digest_object = _file_hash(data, algo) + except (ValueError, TypeError) as e: raise LengthOrHashMismatchError( f"Unsupported algorithm '{algo}'" ) from e @@ -731,21 +755,16 @@ def _get_length_and_hashes( hashes = {} if hash_algorithms is None: - hash_algorithms = [sslib_hash.DEFAULT_HASH_ALGORITHM] + hash_algorithms = [_DEFAULT_HASH_ALGORITHM] for algorithm in hash_algorithms: try: if isinstance(data, bytes): - digest_object = sslib_hash.digest(algorithm) + digest_object = _hash(algorithm) digest_object.update(data) else: - digest_object = sslib_hash.digest_fileobject( - data, algorithm - ) - except ( - sslib_exceptions.UnsupportedAlgorithmError, - sslib_exceptions.FormatError, - ) as e: + digest_object = _file_hash(data, algorithm) + except (ValueError, TypeError) as e: raise ValueError(f"Unsupported algorithm '{algorithm}'") from e hashes[algorithm] = digest_object.hexdigest() @@ -1150,7 +1169,7 @@ def is_delegated_path(self, target_filepath: str) -> bool: if self.path_hash_prefixes is not None: # Calculate the hash of the filepath # to determine in which bin to find the target. - digest_object = sslib_hash.digest(algorithm="sha256") + digest_object = hashlib.new(name="sha256") digest_object.update(target_filepath.encode("utf-8")) target_filepath_hash = digest_object.hexdigest() 
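Review bot: The `except (ValueError, TypeError)` in `_verify_hashes` now spans the whole hashing call, so a `ValueError` raised by `_file_hash`'s `f.seek(0)` or read on a closed or non-seekable stream (`io.UnsupportedOperation` is a `ValueError` subclass) is reported as `Unsupported algorithm '{algo}'`, which sends whoever debugs a failed verification after the wrong cause. Validating the name on its own, `try: _hash(algo)` / `except (ValueError, TypeError) as e: raise LengthOrHashMismatchError(f"Unsupported algorithm '{algo}'") from e`, and then hashing outside the `try` keeps I/O failures distinguishable from an unknown algorithm. The same structure is in the `_get_length_and_hashes` hunk later on this line, and PATCH 07 keeps it after the refactor in the hunks on L10 and L11. `_verify_hashes` continues outside the hunk.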
@@ -1269,7 +1288,7 @@ def get_role_for_target(self, target_filepath: str) -> str: target_filepath: URL path to a target file, relative to a base targets URL. """ - hasher = sslib_hash.digest(algorithm="sha256") + hasher = hashlib.new(name="sha256") hasher.update(target_filepath.encode("utf-8")) # We can't ever need more than 4 bytes (32 bits). From f3eddc19ff026e1d0a8ce25b3a613ad6f41d8326 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 18 Mar 2025 18:20:11 +0200 Subject: [PATCH 05/44] lint: Accept ruff suggestions for cast() Signed-off-by: Jussi Kukkonen --- tuf/api/dsse.py | 4 ++-- tuf/api/metadata.py | 2 +- tuf/ngclient/_internal/trusted_metadata_set.py | 8 ++++---- tuf/ngclient/updater.py | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tuf/api/dsse.py b/tuf/api/dsse.py index 493fefd1d0..8f812d0741 100644 --- a/tuf/api/dsse.py +++ b/tuf/api/dsse.py @@ -81,7 +81,7 @@ def from_bytes(cls, data: bytes) -> SimpleEnvelope[T]: except Exception as e: raise DeserializationError from e - return cast(SimpleEnvelope[T], envelope) + return cast("SimpleEnvelope[T]", envelope) def to_bytes(self) -> bytes: """Return envelope as JSON bytes. @@ -150,4 +150,4 @@ def get_signed(self) -> T: except Exception as e: raise DeserializationError from e - return cast(T, inner_cls.from_dict(payload_dict)) + return cast("T", inner_cls.from_dict(payload_dict)) diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py index 76b5ce0fde..d03a501546 100644 --- a/tuf/api/metadata.py +++ b/tuf/api/metadata.py @@ -199,7 +199,7 @@ def from_dict(cls, metadata: dict[str, Any]) -> Metadata[T]: return cls( # Specific type T is not known at static type check time: use cast - signed=cast(T, inner_cls.from_dict(metadata.pop("signed"))), + signed=cast("T", inner_cls.from_dict(metadata.pop("signed"))), signatures=signatures, # All fields left in the metadata dict are unrecognized. unrecognized_fields=metadata, 
diff --git a/tuf/ngclient/_internal/trusted_metadata_set.py b/tuf/ngclient/_internal/trusted_metadata_set.py index 3678ddf3a1..179a65ed87 100644 --- a/tuf/ngclient/_internal/trusted_metadata_set.py +++ b/tuf/ngclient/_internal/trusted_metadata_set.py @@ -145,22 +145,22 @@ def __iter__(self) -> Iterator[Signed]: @property def root(self) -> Root: """Get current root.""" - return cast(Root, self._trusted_set[Root.type]) + return cast("Root", self._trusted_set[Root.type]) @property def timestamp(self) -> Timestamp: """Get current timestamp.""" - return cast(Timestamp, self._trusted_set[Timestamp.type]) + return cast("Timestamp", self._trusted_set[Timestamp.type]) @property def snapshot(self) -> Snapshot: """Get current snapshot.""" - return cast(Snapshot, self._trusted_set[Snapshot.type]) + return cast("Snapshot", self._trusted_set[Snapshot.type]) @property def targets(self) -> Targets: """Get current top-level targets.""" - return cast(Targets, self._trusted_set[Targets.type]) + return cast("Targets", self._trusted_set[Targets.type]) # Methods for updating metadata def update_root(self, data: bytes) -> Root: diff --git a/tuf/ngclient/updater.py b/tuf/ngclient/updater.py index 2504c86aa4..a98e799ce4 100644 --- a/tuf/ngclient/updater.py +++ b/tuf/ngclient/updater.py @@ -459,7 +459,7 @@ def _load_targets(self, role: str, parent_role: str) -> Targets: # Avoid loading 'role' more than once during "get_targetinfo" if role in self._trusted_set: - return cast(Targets, self._trusted_set[role]) + return cast("Targets", self._trusted_set[role]) try: data = self._load_local_metadata(role) From 57010fb0b102d63af5724d2487ed30576f28cd90 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 19 Mar 2025 09:28:01 +0100 Subject: [PATCH 06/44] Rename hash algo global in repo simulator Remove the "default" prefix, because it's not a default but rather a fixed value. 
Signed-off-by: Lukas Puehringer --- tests/repository_simulator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/repository_simulator.py b/tests/repository_simulator.py index 5e9ba18939..d0c50bc424 100644 --- a/tests/repository_simulator.py +++ b/tests/repository_simulator.py @@ -80,7 +80,7 @@ SPEC_VER = ".".join(SPECIFICATION_VERSION) -_DEFAULT_HASH_ALGORITHM = "sha256" +_HASH_ALGORITHM = "sha256" @dataclass @@ -294,9 +294,9 @@ def _compute_hashes_and_length( self, role: str ) -> tuple[dict[str, str], int]: data = self.fetch_metadata(role) - digest_object = hashlib.new(_DEFAULT_HASH_ALGORITHM) + digest_object = hashlib.new(_HASH_ALGORITHM) digest_object.update(data) - hashes = {_DEFAULT_HASH_ALGORITHM: digest_object.hexdigest()} + hashes = {_HASH_ALGORITHM: digest_object.hexdigest()} return hashes, len(data) def update_timestamp(self) -> None: From 535a18918bff8896642ac13602aa3c53e3bdb14b Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 19 Mar 2025 10:07:58 +0100 Subject: [PATCH 07/44] Refactor hash helpers Consolidate interface of bytes hash and file hash helpers. Signed-off-by: Lukas Puehringer --- tuf/api/_payload.py | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/tuf/api/_payload.py b/tuf/api/_payload.py index 72c66785a2..c190d132ec 100644 --- a/tuf/api/_payload.py +++ b/tuf/api/_payload.py 
@@ -49,28 +49,36 @@ T = TypeVar("T", "Root", "Timestamp", "Snapshot", "Targets") -def _hash(algo: str) -> Any: # noqa: ANN401 - """Returns new hash object, supporting custom "blake2b-256" algo name.""" +def _get_digest(algo: str) -> Any: # noqa: ANN401 + """New digest helper to support custom "blake2b-256" algo name.""" if algo == _BLAKE_HASH_ALGORITHM: return hashlib.blake2b(digest_size=32) return hashlib.new(algo) -def _file_hash(f: IO[bytes], algo: str) -> Any: # noqa: ANN401 - """Returns hashed file.""" +def _hash_bytes(data: bytes, algo: str) -> str: + """Returns hexdigest for data using algo.""" + digest = _get_digest(algo) + digest.update(data) + + return digest.hexdigest() + + +def _hash_file(f: IO[bytes], algo: str) -> str: + """Returns hexdigest for file using algo.""" f.seek(0) if sys.version_info >= (3, 11): - digest = hashlib.file_digest(f, lambda: _hash(algo)) # type: ignore[arg-type] + digest = hashlib.file_digest(f, lambda: _get_digest(algo)) # type: ignore[arg-type] else: # Fallback for older Pythons. Chunk size is taken from the previously # used and now deprecated `securesystemslib.hash.digest_fileobject`. - digest = _hash(algo) + digest = _get_digest(algo) for chunk in iter(lambda: f.read(4096), b""): digest.update(chunk) - return digest + return digest.hexdigest() class Signed(metaclass=abc.ABCMeta): @@ -695,17 +703,15 @@ def _verify_hashes( for algo, exp_hash in expected_hashes.items(): try: if isinstance(data, bytes): - digest_object = _hash(algo) - digest_object.update(data) + observed_hash = _hash_bytes(data, algo) else: # if data is not bytes, assume it is a file object - digest_object = _file_hash(data, algo) + observed_hash = _hash_file(data, algo) except (ValueError, TypeError) as e: raise LengthOrHashMismatchError( f"Unsupported algorithm '{algo}'" ) from e - observed_hash = digest_object.hexdigest() if observed_hash != exp_hash: raise LengthOrHashMismatchError( f"Observed hash {observed_hash} does not match " 
@@ -760,15 +766,12 @@ def _get_length_and_hashes( for algorithm in hash_algorithms: try: if isinstance(data, bytes): - digest_object = _hash(algorithm) - digest_object.update(data) + hashes[algorithm] = _hash_bytes(data, algorithm) else: - digest_object = _file_hash(data, algorithm) + hashes[algorithm] = _hash_file(data, algorithm) except (ValueError, TypeError) as e: raise ValueError(f"Unsupported algorithm '{algorithm}'") from e - hashes[algorithm] = digest_object.hexdigest() - return (length, hashes) From 6f50998c370f2524f9b5772a73987eaca4720c96 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 19 Mar 2025 10:34:35 +0100 Subject: [PATCH 08/44] Add tests for custom blake hash Signed-off-by: Lukas Puehringer --- tests/test_api.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/test_api.py b/tests/test_api.py index 53a13f14ff..8006cd48e7 100644 --- a/tests/test_api.py +++ b/tests/test_api.py @@ -895,6 +895,12 @@ def test_length_and_hash_validation(self) -> None: # test with data as bytes snapshot_metafile.verify_length_and_hashes(data) + # test with custom blake algorithm + snapshot_metafile.hashes = { + "blake2b-256": "963a3c31aad8e2a91cfc603fdba12555e48dd0312674ac48cce2c19c243236a1" + } + snapshot_metafile.verify_length_and_hashes(data) + # test exceptions expected_length = snapshot_metafile.length snapshot_metafile.length = 2345 @@ -987,6 +993,12 @@ def test_targetfile_from_data(self) -> None: targetfile_from_data = TargetFile.from_data(target_file_path, data) targetfile_from_data.verify_length_and_hashes(data) + # Test with custom blake hash algorithm + targetfile_from_data = TargetFile.from_data( + target_file_path, data, ["blake2b-256"] + ) + targetfile_from_data.verify_length_and_hashes(data) + def test_metafile_from_data(self) -> None: data = b"Inline test content" 
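Review bot: The new `blake2b-256` case in `test_targetfile_from_data` only round-trips `from_data` into `verify_length_and_hashes`, and both go through the same digest helper, so a wrong `digest_size` (for instance blake2b's 64-byte default) would still pass both calls. Pinning the 32-byte output with `self.assertEqual(len(targetfile_from_data.hashes["blake2b-256"]), 64)` makes the test catch that, and the same one-line assertion fits the `MetaFile.from_data` case in the `test_metafile_from_data` hunk on the next line. The `test_length_and_hash_validation` case earlier on this line does pin a literal digest, which covers the verify path but not the `from_data` path.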
@@ -1010,6 +1022,10 @@ def test_metafile_from_data(self) -> None: ), ) + # Test with custom blake hash algorithm + metafile = MetaFile.from_data(1, data, ["blake2b-256"]) + metafile.verify_length_and_hashes(data) + def test_targetfile_get_prefixed_paths(self) -> None: target = TargetFile(100, {"sha256": "abc", "md5": "def"}, "a/b/f.ext") self.assertEqual( From 75e83b36d092a9daa395cac5067e2220df179584 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 19 Mar 2025 11:28:49 +0100 Subject: [PATCH 09/44] docs: Remove reference to securesystemslib hash Default hash sha256 is now defined locally. Signed-off-by: Lukas Puehringer --- tuf/api/_payload.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tuf/api/_payload.py b/tuf/api/_payload.py index c190d132ec..89fcbfe812 100644 --- a/tuf/api/_payload.py +++ b/tuf/api/_payload.py @@ -854,7 +854,7 @@ def from_data( version: Version of the metadata file. data: Metadata bytes that the metafile represents. hash_algorithms: Hash algorithms to create the hashes with. If not - specified, the securesystemslib default hash algorithm is used. + specified, "sha256" is used. Raises: ValueError: The hash algorithms list contains an unsupported @@ -1564,7 +1564,7 @@ def from_file( targets URL. local_path: Local path to target file content. hash_algorithms: Hash algorithms to calculate hashes with. If not - specified the securesystemslib default hash algorithm is used. + specified, "sha256" is used. Raises: FileNotFoundError: The file doesn't exist. @@ -1588,7 +1588,7 @@ def from_data( targets URL. data: Target file content. hash_algorithms: Hash algorithms to create the hashes with. If not - specified the securesystemslib default hash algorithm is used. + specified, "sha256" is used. Raises: ValueError: The hash algorithms list contains an unsupported From d017fff422ad58082c4fdc2b8a811caf7f64a62f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 09:22:22 +0200 Subject: [PATCH 10/44] build(deps): bump coverage[toml] in the dependencies group (#2818) --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index 928c264847..f3c80af5b6 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.7.0 +coverage[toml]==7.7.1 freezegun==1.5.1 From ab735655ccf2bc30f9af782c6d2c6728f35be13e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 09:23:10 +0200 Subject: [PATCH 11/44] build(deps): bump the test-and-lint-dependencies group with 2 updates (#2817) --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 51f9a2ca52..d6beb9c2b1 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.0 +ruff==0.11.2 mypy==1.15.0 -zizmor==1.5.1 +zizmor==1.5.2 # Required for type stubs freezegun==1.5.1 From 48262c9b2a48a14a7c493a8a48cb69d9c61f3377 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 09:23:38 +0200 Subject: [PATCH 12/44] build(deps): bump the action-dependencies group with 2 updates (#2816) --- .github/workflows/cd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 623fae02b2..ff87d4210f 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
@@ -37,7 +37,7 @@ jobs: awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog - name: Store build artifacts - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: build-artifacts path: | @@ -54,7 +54,7 @@ jobs: release_id: ${{ steps.gh-release.outputs.result }} steps: - name: Fetch build artifacts - uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: name: build-artifacts @@ -96,7 +96,7 @@ jobs: id-token: write # to authenticate as Trusted Publisher to pypi.org steps: - name: Fetch build artifacts - uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: name: build-artifacts From 7df77118952d682e69bb111d7bd4b3d0c513b51d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 09:24:35 +0300 Subject: [PATCH 13/44] build(deps): bump coverage[toml] in the dependencies group (#2821) --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index f3c80af5b6..c58b6c4210 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.7.1 +coverage[toml]==7.8.0 freezegun==1.5.1 From 63b2ca5b0787c457d9801809d54e058c0fcf93a9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 09:25:13 +0300 Subject: [PATCH 14/44] build(deps): bump actions/setup-python in the action-dependencies group (#2820) --- .github/workflows/_test.yml | 6 +++--- .github/workflows/_test_sslib_main.yml | 2 +- .github/workflows/cd.yml | 2 +- .github/workflows/specification-version-check.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index 624f6956b9..edf598d83c 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python (oldest supported version) - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: "3.9" cache: 'pip' @@ -55,7 +55,7 @@ jobs: persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -99,7 +99,7 @@ jobs: run: touch requirements.txt - name: Set up Python - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/_test_sslib_main.yml b/.github/workflows/_test_sslib_main.yml index 86b4d946b7..feb049c5f8 100644 --- a/.github/workflows/_test_sslib_main.yml +++ b/.github/workflows/_test_sslib_main.yml 
@@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ff87d4210f..e893b3b209 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} - name: Set up Python - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: '3.x' diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index 9fcd5b4f88..3a7829b526 100644 --- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 with: python-version: "3.x" - id: get-version From 2451af9f57ad4d777f671badfa274badac2c6a09 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Apr 2025 22:31:10 +0000 Subject: [PATCH 15/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.2 to 0.11.4 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.2...0.11.4) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index d6beb9c2b1..78840da0d9 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.2 +ruff==0.11.4 mypy==1.15.0 zizmor==1.5.2 From dc3f55664257ccfa9cb450132253bc44ab360d39 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Apr 2025 12:39:52 +0300 Subject: [PATCH 16/44] build(deps): bump urllib3 from 2.3.0 to 2.4.0 in the dependencies group (#2824) Bumps the dependencies group with 1 update: [urllib3](https://github.com/urllib3/urllib3). Updates `urllib3` from 2.3.0 to 2.4.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.3.0...2.4.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index d73f7fc7cc..8767e1aa3f 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -12,5 +12,5 @@ pycparser==2.22 # via cffi securesystemslib==1.2.0 # via -r requirements/main.txt -urllib3==2.3.0 +urllib3==2.4.0 # via -r requirements/main.txt From 9f8dc40a85d2354978b61eb92697260651fe73ac Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Apr 2025 12:40:23 +0300 Subject: [PATCH 17/44] build(deps): bump ruff in the test-and-lint-dependencies group (#2823) Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.4 to 0.11.5 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.4...0.11.5) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 78840da0d9..e61bc1fd94 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.4 +ruff==0.11.5 mypy==1.15.0 zizmor==1.5.2 From 7660291ad1ac348fbeefb033c3d509609ba2766c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Apr 2025 21:10:40 +0000 Subject: [PATCH 18/44] build(deps): bump the test-and-lint-dependencies group with 2 updates Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/woodruffw/zizmor). Updates `ruff` from 0.11.5 to 0.11.6 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.5...0.11.6) Updates `zizmor` from 1.5.2 to 1.6.0 - [Release notes](https://github.com/woodruffw/zizmor/releases) - [Changelog](https://github.com/woodruffw/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/woodruffw/zizmor/compare/v1.5.2...v1.6.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index e61bc1fd94..8ede6df0e1 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.5 +ruff==0.11.6 mypy==1.15.0 -zizmor==1.5.2 +zizmor==1.6.0 # Required for type stubs freezegun==1.5.1 From 394d47c2579c821e5847b9d180d5d92d93d71795 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Apr 2025 21:11:19 +0000 Subject: [PATCH 19/44] build(deps): bump securesystemslib in the dependencies group Bumps the dependencies group with 1 update: [securesystemslib](https://github.com/secure-systems-lab/securesystemslib). Updates `securesystemslib` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md) - [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v1.2.0...v1.3.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 8767e1aa3f..aa8483f0f1 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -10,7 +10,7 @@ cryptography==44.0.2 # via securesystemslib pycparser==2.22 # via cffi -securesystemslib==1.2.0 +securesystemslib==1.3.0 # via -r requirements/main.txt urllib3==2.4.0 # via -r requirements/main.txt From ee50fea0c6443eadca73cdf43f702aeee05e7f50 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Sat, 15 Mar 2025 17:08:45 +0200 Subject: [PATCH 20/44] annotation fixes * Start linting securesystemslib calls (this requires new securesystemslib) * Fix various issues that suddenly popup Signed-off-by: Jussi Kukkonen --- pyproject.toml | 1 - tests/test_api.py | 43 +++++++++++++++++++++++-------------------- 2 files changed, 23 insertions(+), 21 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index a5c24fc987..266b2188f5 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -135,7 +135,6 @@ disable_error_code = ["attr-defined"]
 [[tool.mypy.overrides]]
 module = [
 "requests.*",
- "securesystemslib.*",
 ]
 ignore_missing_imports = "True"
diff --git a/tests/test_api.py b/tests/test_api.py
index 8006cd48e7..dabf50c86c 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -22,6 +22,7 @@
 Key,
 SecretsHandler,
 Signer,
+ SSlibKey,
 )
 from tests import utils
@@ -244,11 +245,11 @@ class FailingSigner(Signer):
 @classmethod
 def from_priv_key_uri(
 cls,
- priv_key_uri: str,
- public_key: Key,
- secrets_handler: SecretsHandler | None = None,
+ _priv_key_uri: str,
+ _public_key: Key,
+ _secrets_handler: SecretsHandler | None = None,
 ) -> Signer:
- pass
+ raise RuntimeError("Not a real signer")
 @property
 def public_key(self) -> Key:
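Review bot: Renaming the parameters of the `from_priv_key_uri` override to `_priv_key_uri`, `_public_key` and `_secrets_handler` changes the override's call signature relative to `Signer.from_priv_key_uri`, so any caller that passes them by keyword (`priv_key_uri=...`) now fails with `TypeError` instead of reaching the intended `RuntimeError`. If the unused-argument lint is what motivated the rename, keeping the base-class names and silencing it on the method, e.g. `def from_priv_key_uri(  # noqa: ARG003`, or adding `del priv_key_uri, public_key, secrets_handler` as the first statement, keeps the fake substitutable for the real signer. The `FailingSigner` class continues outside the hunk.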
@@ -469,43 +470,45 @@ def test_signed_verify_delegate(self) -> None:
 )
 def test_verification_result(self) -> None:
- vr = VerificationResult(3, {"a": None}, {"b": None})
+ key = SSlibKey("", "", "", {"public": ""})
+ vr = VerificationResult(3, {"a": key}, {"b": key})
 self.assertEqual(vr.missing, 2)
 self.assertFalse(vr.verified)
 self.assertFalse(vr)
 # Add a signature
- vr.signed["c"] = None
+ vr.signed["c"] = key
 self.assertEqual(vr.missing, 1)
 self.assertFalse(vr.verified)
 self.assertFalse(vr)
 # Add last missing signature
- vr.signed["d"] = None
+ vr.signed["d"] = key
 self.assertEqual(vr.missing, 0)
 self.assertTrue(vr.verified)
 self.assertTrue(vr)
 # Add one more signature
- vr.signed["e"] = None
+ vr.signed["e"] = key
 self.assertEqual(vr.missing, 0)
 self.assertTrue(vr.verified)
 self.assertTrue(vr)
 def test_root_verification_result(self) -> None:
- vr1 = VerificationResult(3, {"a": None}, {"b": None})
- vr2 = VerificationResult(1, {"c": None}, {"b": None})
+ key = SSlibKey("", "", "", {"public": ""})
+ vr1 = VerificationResult(3, {"a": key}, {"b": key})
+ vr2 = VerificationResult(1, {"c": key}, {"b": key})
 vr = RootVerificationResult(vr1, vr2)
- self.assertEqual(vr.signed, {"a": None, "c": None})
- self.assertEqual(vr.unsigned, {"b": None})
+ self.assertEqual(vr.signed, {"a": key, "c": key})
+ self.assertEqual(vr.unsigned, {"b": key})
 self.assertFalse(vr.verified)
 self.assertFalse(vr)
- vr1.signed["c"] = None
- vr1.signed["f"] = None
- self.assertEqual(vr.signed, {"a": None, "c": None, "f": None})
- self.assertEqual(vr.unsigned, {"b": None})
+ vr1.signed["c"] = key
+ vr1.signed["f"] = key
+ self.assertEqual(vr.signed, {"a": key, "c": key, "f": key})
+ self.assertEqual(vr.unsigned, {"b": key})
 self.assertTrue(vr.verified)
 self.assertTrue(vr)
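Review bot: The placeholder `SSlibKey("", "", "", {"public": ""})` is built by hand in both `test_verification_result` and `test_root_verification_result`; a single module-level helper such as `def _dummy_key() -> Key:` returning that value would keep the placeholder's shape in one place for any further test that needs a `Key` that is never used for verification. Whether empty `keyid`/`keytype`/`scheme` values pass any validation `SSlibKey` performs cannot be seen from this hunk; the tests only store the object as a dict value. The body of `test_root_verification_result` may continue past the end of the hunk.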
@@ -678,7 +681,7 @@ def test_root_add_key_and_revoke_key(self) -> None:
 # Assert that add_key with old argument order will raise an error
 with self.assertRaises(ValueError):
- root.signed.add_key(Root.type, key)
+ root.signed.add_key(Root.type, key) # type: ignore [arg-type]
 # Add new root key
 root.signed.add_key(key, Root.type)
@@ -778,7 +781,7 @@ def test_targets_key_api(self) -> None:
 # Assert that add_key with old argument order will raise an error
 with self.assertRaises(ValueError):
- targets.add_key("role1", key)
+ targets.add_key(Root.type, key) # type: ignore [arg-type]
 # Assert that delegated role "role1" does not contain the new key
 self.assertNotIn(key.keyid, targets.delegations.roles["role1"].keyids)
@@ -1178,7 +1181,7 @@ def test_serialization(self) -> None:
 self.assertEqual(metadata.signed, payload)
 def test_fail_envelope_serialization(self) -> None:
- envelope = SimpleEnvelope(b"foo", "bar", ["baz"])
+ envelope = SimpleEnvelope(b"foo", "bar", []) # type: ignore[arg-type]
 with self.assertRaises(SerializationError):
 envelope.to_bytes()
@@ -1193,7 +1196,7 @@ def test_fail_payload_serialization(self) -> None:
 def test_fail_payload_deserialization(self) -> None:
 payloads = [b"[", b'{"_type": "foo"}']
 for payload in payloads:
- envelope = SimpleEnvelope(payload, "bar", [])
+ envelope = SimpleEnvelope(payload, "bar", {})
 with self.assertRaises(DeserializationError):
 envelope.get_signed()
From 96fd7bde4449ac879d1ed5517dc9e6c4a00e88f7 Mon Sep 17 00:00:00 2001
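Review bot: In `test_targets_key_api` the misplaced first argument changes from `"role1"` to `Root.type` with no explanation, while the assertion that follows still checks that `role1` did not receive the key; the rejected call and the follow-up `assertNotIn` now name different roles, so the negative test no longer pins the scenario its comment describes. Which check inside `add_key` raises the `ValueError` cannot be seen here, but keeping `targets.add_key("role1", key)  # type: ignore [arg-type]` makes it evident that the rejected call left `role1` untouched (the `Root.type` form is fine in the root test, where that role exists). The test functions in all four hunks begin and end outside the visible lines.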
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Apr 2025 22:13:03 +0000 Subject: [PATCH 21/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.6 to 0.11.7 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.6...0.11.7) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 8ede6df0e1..875b4876ca 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.6 +ruff==0.11.7 mypy==1.15.0 zizmor==1.6.0 From ec50bc52b844ccafeb129e016dca1e75e6a22cca Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Apr 2025 22:28:44 +0000 Subject: [PATCH 22/44] build(deps): bump the action-dependencies group with 2 updates Bumps the action-dependencies group with 2 updates: [actions/setup-python](https://github.com/actions/setup-python) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `actions/setup-python` from 5.5.0 to 5.6.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/8d9ed9ac5c53483de85588cdf95a591a75ab9f55...a26af69be951a213d495a4c3e4e4022e16d87065) Updates `actions/download-artifact` from 4.2.1 to 4.3.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/95815c38cf2ff2164869cbab79da8d1f422bc89e...d3f86a106a0bac45b974a628896c90dbdf5c8093) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 5.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: action-dependencies - dependency-name: actions/download-artifact dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/_test.yml | 6 +++--- .github/workflows/_test_sslib_main.yml | 2 +- .github/workflows/cd.yml | 6 +++--- .github/workflows/specification-version-check.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index edf598d83c..34ad5f2d4d 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml 
@@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python (oldest supported version) - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.9" cache: 'pip' @@ -55,7 +55,7 @@ jobs: persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -99,7 +99,7 @@ jobs: run: touch requirements.txt - name: Set up Python - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/_test_sslib_main.yml b/.github/workflows/_test_sslib_main.yml index feb049c5f8..c8cf3107d9 100644 --- a/.github/workflows/_test_sslib_main.yml +++ b/.github/workflows/_test_sslib_main.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index e893b3b209..68ccb087b4 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} - name: Set up Python - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.x' 
@@ -54,7 +54,7 @@ jobs: release_id: ${{ steps.gh-release.outputs.result }} steps: - name: Fetch build artifacts - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifacts @@ -96,7 +96,7 @@ jobs: id-token: write # to authenticate as Trusted Publisher to pypi.org steps: - name: Fetch build artifacts - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifacts diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index 3a7829b526..ed4f6bbe1f 100644 --- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.x" - id: get-version From 769a61b4051a02b37e013da3578c1c9f602e2555 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 May 2025 22:26:19 +0000 Subject: [PATCH 23/44] build(deps): bump cryptography in the dependencies group Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 44.0.2 to 44.0.3 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/44.0.2...44.0.3) --- updated-dependencies: - dependency-name: cryptography dependency-version: 44.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... 
Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index aa8483f0f1..4be725daf5 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==44.0.2 +cryptography==44.0.3 # via securesystemslib pycparser==2.22 # via cffi From 29b482390e7d79f9216f69663f825ed9f7e5fac2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 May 2025 22:37:53 +0000 Subject: [PATCH 24/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.7 to 0.11.8 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.7...0.11.8) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 875b4876ca..e70f280835 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.7 +ruff==0.11.8 mypy==1.15.0 zizmor==1.6.0 From f5b2acf627cb9cd9ede1acab87d0c20e9e3a0e76 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 May 2025 21:09:04 +0000 Subject: [PATCH 25/44] build(deps): bump the test-and-lint-dependencies group with 2 updates Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/woodruffw/zizmor). Updates `ruff` from 0.11.8 to 0.11.9 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.8...0.11.9) Updates `zizmor` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/woodruffw/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/woodruffw/zizmor/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index e70f280835..5fbc2e9b93 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.8 +ruff==0.11.9 mypy==1.15.0 -zizmor==1.6.0 +zizmor==1.7.0 # Required for type stubs freezegun==1.5.1 From 5cec62cd036098b82f87bc1243faafd88ab322b0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 May 2025 21:41:38 +0000 Subject: [PATCH 26/44] build(deps): bump the dependencies group across 1 directory with 2 updates Bumps the dependencies group with 2 updates in the / directory: [cryptography](https://github.com/pyca/cryptography) and [ruff](https://github.com/astral-sh/ruff). Updates `cryptography` from 44.0.3 to 45.0.2 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/44.0.3...45.0.2) Updates `ruff` from 0.11.9 to 0.11.10 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.9...0.11.10) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: ruff dependency-version: 0.11.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- requirements/pinned.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 5fbc2e9b93..5cc8858cb1 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.9 +ruff==0.11.10 mypy==1.15.0 zizmor==1.7.0 diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 4be725daf5..38375f0496 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt 
@@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==44.0.3 +cryptography==45.0.2 # via securesystemslib pycparser==2.22 # via cffi From 566ed3e897bc66d1742f0b801c62a856eca0a8fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 May 2025 21:47:54 +0000 Subject: [PATCH 27/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.10 to 0.11.11 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.10...0.11.11) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 5cc8858cb1..f23cb63a2e 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.10 +ruff==0.11.11 mypy==1.15.0 zizmor==1.7.0 From 4e654fe698d85138e4f6440e8a00f362e1447ebb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 May 2025 11:32:36 +0300 Subject: [PATCH 28/44] build(deps): bump the dependencies group with 3 updates (#2837) Bumps the dependencies group with 3 updates: [cryptography](https://github.com/pyca/cryptography), [coverage[toml]](https://github.com/nedbat/coveragepy) and [freezegun](https://github.com/spulec/freezegun). Updates `cryptography` from 45.0.2 to 45.0.3 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/45.0.2...45.0.3) Updates `coverage[toml]` from 7.8.0 to 7.8.2 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.8.0...7.8.2) Updates `freezegun` from 1.5.1 to 1.5.2 - [Release notes](https://github.com/spulec/freezegun/releases) - [Changelog](https://github.com/spulec/freezegun/blob/master/CHANGELOG) - [Commits](https://github.com/spulec/freezegun/compare/1.5.1...1.5.2) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: coverage[toml] dependency-version: 7.8.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: freezegun dependency-version: 1.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 2 +- requirements/pinned.txt | 2 +- requirements/test.txt | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index f23cb63a2e..3d11438e62 100644 
--- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -11,4 +11,4 @@ mypy==1.15.0 zizmor==1.7.0 # Required for type stubs -freezegun==1.5.1 +freezegun==1.5.2 diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 38375f0496..464dd5c641 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==45.0.2 +cryptography==45.0.3 # via securesystemslib pycparser==2.22 # via cffi diff --git a/requirements/test.txt b/requirements/test.txt index c58b6c4210..7a299e5a75 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.8.0 -freezegun==1.5.1 +coverage[toml]==7.8.2 +freezegun==1.5.2 From 8f10e91463b1cc7cdd9420f878752724db2211b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jun 2025 12:34:06 +0300 Subject: [PATCH 29/44] build(deps): bump ossf/scorecard-action in the action-dependencies group (#2840) Bumps the action-dependencies group with 1 update: [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `ossf/scorecard-action` from 2.4.1 to 2.4.2 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/f49aabe0b5af0936a0987cfb85d86b75731b0186...05b42c624433fc40578a4040d5cf5e36ddca8cde) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 7940418b33..955c0c11b4 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif # sarif format required by upload-sarif action From c4df52468ea19010a1f9c681f1bac1c504b6450c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jun 2025 12:34:36 +0300 Subject: [PATCH 30/44] build(deps): bump the test-and-lint-dependencies group with 3 updates (#2839) Bumps the test-and-lint-dependencies group with 3 updates: [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [zizmor](https://github.com/zizmorcore/zizmor). Updates `ruff` from 0.11.11 to 0.11.12 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.11...0.11.12) Updates `mypy` from 1.15.0 to 1.16.0 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.15.0...v1.16.0) Updates `zizmor` from 1.7.0 to 1.9.0 - [Release notes](https://github.com/zizmorcore/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/zizmorcore/zizmor/compare/v1.7.0...v1.9.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: mypy dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 3d11438e62..d93b602728 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt 
@@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.11 -mypy==1.15.0 -zizmor==1.7.0 +ruff==0.11.12 +mypy==1.16.0 +zizmor==1.9.0 # Required for type stubs freezegun==1.5.2 From e0f4ef78adc67cd0174cb5726330c6c55665cf0e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Jun 2025 21:52:33 +0000 Subject: [PATCH 31/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.12 to 0.11.13 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.12...0.11.13) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index d93b602728..3f2a880a91 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.12 +ruff==0.11.13 mypy==1.16.0 zizmor==1.9.0 From 7ff3af36a4a666ec4007d6e8c83e5b9e5a080ca1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Jun 2025 22:33:39 +0000 Subject: [PATCH 32/44] build(deps): bump mypy in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [mypy](https://github.com/python/mypy). Updates `mypy` from 1.16.0 to 1.16.1 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.16.0...v1.16.1) --- updated-dependencies: - dependency-name: mypy dependency-version: 1.16.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 3f2a880a91..2626c6a233 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -7,7 +7,7 @@ # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) ruff==0.11.13 -mypy==1.16.0 +mypy==1.16.1 zizmor==1.9.0 # Required for type stubs From c408066c9f3a83fa3b849e3820454dab3a8f2cc0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Jun 2025 22:45:56 +0000 Subject: [PATCH 33/44] build(deps): bump the dependencies group with 2 updates Bumps the dependencies group with 2 updates: [cryptography](https://github.com/pyca/cryptography) and [coverage[toml]](https://github.com/nedbat/coveragepy). Updates `cryptography` from 45.0.3 to 45.0.4 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/45.0.3...45.0.4) Updates `coverage[toml]` from 7.8.2 to 7.9.1 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.8.2...7.9.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: coverage[toml] dependency-version: 7.9.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- requirements/test.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 464dd5c641..cd13272e92 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==45.0.3 +cryptography==45.0.4 # via securesystemslib pycparser==2.22 # via cffi diff --git a/requirements/test.txt b/requirements/test.txt index 7a299e5a75..c79e128976 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.8.2 +coverage[toml]==7.9.1 freezegun==1.5.2 From 16d1486d9d8a6c8c9d29cf2b9bfda3494e06e182 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Jun 2025 23:10:36 +0000 Subject: [PATCH 34/44] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.11.13 to 0.12.0 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.11.13...0.12.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.12.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 2626c6a233..1ab9845122 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.11.13 +ruff==0.12.0 mypy==1.16.1 zizmor==1.9.0 From 71de7dd956f8d785e45c3c171bff9799c29f0c31 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Jun 2025 10:16:39 +0300 Subject: [PATCH 35/44] build(deps): bump urllib3 from 2.4.0 to 2.5.0 in the dependencies group (#2846) Bumps the dependencies group with 1 update: [urllib3](https://github.com/urllib3/urllib3). Updates `urllib3` from 2.4.0 to 2.5.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.4.0...2.5.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index cd13272e92..bcd139c19b 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -12,5 +12,5 @@ pycparser==2.22 # via cffi securesystemslib==1.3.0 # via -r requirements/main.txt -urllib3==2.4.0 +urllib3==2.5.0 # via -r requirements/main.txt From 88cc98420e4d1dcd2d80e0a08e453f577ca0eecc Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 24 Jun 2025 10:56:32 +0300 Subject: [PATCH 36/44] lint fixes Fixes for ruff 0.12 * Tweak some annotations * Add __hash__() implementations to api classes: These really should be hashable * My use of "super().__hash__()" is not very optimized but avoids some repetition Signed-off-by: Jussi Kukkonen --- tuf/api/_payload.py | 68 +++++++++++++++++++++++++++++++++++ tuf/api/metadata.py | 9 +++-- tuf/api/serialization/json.py | 3 -- verify_release | 2 +- 4 files changed, 75 insertions(+), 7 deletions(-) diff --git a/tuf/api/_payload.py b/tuf/api/_payload.py index 89fcbfe812..8a8c40ffdb 100644 --- a/tuf/api/_payload.py 
+++ b/tuf/api/_payload.py
@@ -181,6 +181,17 @@ def __eq__(self, other: object) -> bool:
 and self.unrecognized_fields == other.unrecognized_fields
 )
+ def __hash__(self) -> int:
+ return hash(
+ (
+ self.type,
+ self.version,
+ self.spec_version,
+ self.expires,
+ self.unrecognized_fields,
+ )
+ )
+
 @abc.abstractmethod
 def to_dict(self) -> dict[str, Any]:
 """Serialize and return a dict representation of self."""
@@ -299,6 +310,9 @@ def __eq__(self, other: object) -> bool:
 and self.unrecognized_fields == other.unrecognized_fields
 )
+ def __hash__(self) -> int:
+ return hash((self.keyids, self.threshold, self.unrecognized_fields))
+
 @classmethod
 def from_dict(cls, role_dict: dict[str, Any]) -> Role:
 """Create ``Role`` object from its json/dict representation.
@@ -551,6 +565,17 @@ def __eq__(self, other: object) -> bool:
 and self.consistent_snapshot == other.consistent_snapshot
 )
+ def __hash__(self) -> int:
+ return hash(
+ (
+ super().__hash__(),
+ self.keys,
+ self.roles,
+ self.consistent_snapshot,
+ self.unrecognized_fields,
+ )
+ )
+
 @classmethod
 def from_dict(cls, signed_dict: dict[str, Any]) -> Root:
 """Create ``Root`` object from its json/dict representation.
@@ -826,6 +851,11 @@ def __eq__(self, other: object) -> bool:
 and self.unrecognized_fields == other.unrecognized_fields
 )
+ def __hash__(self) -> int:
+ return hash(
+ (self.version, self.length, self.hashes, self.unrecognized_fields)
+ )
+
 @classmethod
 def from_dict(cls, meta_dict: dict[str, Any]) -> MetaFile:
 """Create ``MetaFile`` object from its json/dict representation.
@@ -940,6 +970,9 @@ def __eq__(self, other: object) -> bool:
 super().__eq__(other) and self.snapshot_meta == other.snapshot_meta
 )
+ def __hash__(self) -> int:
+ return hash((super().__hash__(), self.snapshot_meta))
+
 @classmethod
 def from_dict(cls, signed_dict: dict[str, Any]) -> Timestamp:
 """Create ``Timestamp`` object from its json/dict representation.
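Review bot: Each new `__hash__` folds attributes into a tuple and calls `hash()` on it, but several of those attributes appear to be dicts or lists (`unrecognized_fields`, Root's `keys`/`roles`, `MetaFile.hashes`, and in the following hunks Snapshot's `meta`, Delegations' `keys`/`roles`, Targets' `targets`, Metadata's `signatures`, and probably `Role.keyids` and `path_hash_prefixes`), and `hash()` of a tuple that contains a dict or list raises `TypeError: unhashable type`, so these objects stay unhashable at runtime even though the eq-without-hash lint is now satisfied. The same point applies to every `__hash__` in this series: Signed, Role, Root, MetaFile and Timestamp here, Snapshot, DelegatedRole, SuccinctRoles, Delegations and TargetFile in the next hunk, Targets and Metadata after that. A test that simply calls `hash()` on a freshly constructed instance of each class, e.g. `self.assertIsInstance(hash(Root()), int)` (constructed example), would expose this. If hashability is really wanted, hash an immutable projection of the state, e.g. `return hash(json.dumps(self.to_dict(), sort_keys=True))` (which keeps hash consistent with `__eq__` as long as `to_dict` covers the same fields); otherwise an explicit `__hash__ = None` is the safer declaration, because these objects are mutable and a hash that changes after mutation silently corrupts any set or dict that holds them. The enclosing classes extend beyond each hunk.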
@@ -1001,6 +1034,9 @@ def __eq__(self, other: object) -> bool: return super().__eq__(other) and self.meta == other.meta + def __hash__(self) -> int: + return hash((super().__hash__(), self.meta)) + @classmethod def from_dict(cls, signed_dict: dict[str, Any]) -> Snapshot: """Create ``Snapshot`` object from its json/dict representation. @@ -1098,6 +1134,17 @@ def __eq__(self, other: object) -> bool: and self.path_hash_prefixes == other.path_hash_prefixes ) + def __hash__(self) -> int: + return hash( + ( + super().__hash__(), + self.name, + self.terminating, + self.path, + self.path_hash_prefixes, + ) + ) + @classmethod def from_dict(cls, role_dict: dict[str, Any]) -> DelegatedRole: """Create ``DelegatedRole`` object from its json/dict representation. @@ -1256,6 +1303,9 @@ def __eq__(self, other: object) -> bool: and self.name_prefix == other.name_prefix ) + def __hash__(self) -> int: + return hash((super().__hash__(), self.bit_length, self.name_prefix)) + @classmethod def from_dict(cls, role_dict: dict[str, Any]) -> SuccinctRoles: """Create ``SuccinctRoles`` object from its json/dict representation. @@ -1408,6 +1458,16 @@ def __eq__(self, other: object) -> bool: return all_attributes_check + def __hash__(self) -> int: + return hash( + ( + self.keys, + self.roles, + self.succinct_roles, + self.unrecognized_fields, + ) + ) + @classmethod def from_dict(cls, delegations_dict: dict[str, Any]) -> Delegations: """Create ``Delegations`` object from its json/dict representation. @@ -1529,6 +1589,11 @@ def __eq__(self, other: object) -> bool: and self.unrecognized_fields == other.unrecognized_fields ) + def __hash__(self) -> int: + return hash( + (self.length, self.hashes, self.path, self.unrecognized_fields) + ) + @classmethod def from_dict(cls, target_dict: dict[str, Any], path: str) -> TargetFile: """Create ``TargetFile`` object from its json/dict representation. 
@@ -1672,6 +1737,9 @@ def __eq__(self, other: object) -> bool: and self.delegations == other.delegations ) + def __hash__(self) -> int: + return hash((super().__hash__(), self.targets, self.delegations)) + @classmethod def from_dict(cls, signed_dict: dict[str, Any]) -> Targets: """Create ``Targets`` object from its json/dict representation. diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py index d03a501546..85433e73a7 100644 --- a/tuf/api/metadata.py +++ b/tuf/api/metadata.py @@ -147,12 +147,15 @@ def __eq__(self, other: object) -> bool: and self.unrecognized_fields == other.unrecognized_fields ) + def __hash__(self) -> int: + return hash((self.signatures, self.signed, self.unrecognized_fields)) + @property def signed_bytes(self) -> bytes: """Default canonical json byte representation of ``self.signed``.""" # Use local scope import to avoid circular import errors - from tuf.api.serialization.json import CanonicalJSONSerializer + from tuf.api.serialization.json import CanonicalJSONSerializer # noqa: I001, PLC0415 return CanonicalJSONSerializer().serialize(self.signed) @@ -261,7 +264,7 @@ def from_bytes( if deserializer is None: # Use local scope import to avoid circular import errors - from tuf.api.serialization.json import JSONDeserializer + from tuf.api.serialization.json import JSONDeserializer # noqa: I001, PLC0415 deserializer = JSONDeserializer() @@ -288,7 +291,7 @@ def to_bytes(self, serializer: MetadataSerializer | None = None) -> bytes: if serializer is None: # Use local scope import to avoid circular import errors - from tuf.api.serialization.json import JSONSerializer + from tuf.api.serialization.json import JSONSerializer # noqa: I001, PLC0415 serializer = JSONSerializer(compact=True) diff --git a/tuf/api/serialization/json.py b/tuf/api/serialization/json.py index f311907149..9b411eb99f 100644 --- a/tuf/api/serialization/json.py +++ b/tuf/api/serialization/json.py 
@@ -8,9 +8,6 @@ verification. """ -# We should not have shadowed stdlib json but that milk spilled already -# ruff: noqa: A005 - from __future__ import annotations import json diff --git a/verify_release b/verify_release index 0c7cdaa81c..7bf43e345e 100755 --- a/verify_release +++ b/verify_release @@ -108,7 +108,7 @@ def verify_github_release(version: str, compare_dir: str) -> bool: "GET", url, preload_content=False, timeout=HTTP_TIMEOUT ) with open(os.path.join(github_dir, filename), "wb") as f: - for data in response.stream(): + for data in response.stream(): # noqa: FURB122 f.write(data) return cmp( From 92dc2a28d46d26ef0a09082232427f20417ff9d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Jul 2025 10:47:59 +0300 Subject: [PATCH 37/44] build(deps): bump the dependencies group with 2 updates (#2848) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: coverage[toml] dependency-version: 7.9.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/pinned.txt | 2 +- requirements/test.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index bcd139c19b..6a312eab92 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==45.0.4 +cryptography==45.0.5 # via securesystemslib pycparser==2.22 # via cffi diff --git a/requirements/test.txt b/requirements/test.txt index c79e128976..153de6f33c 100644 --- a/requirements/test.txt +++ b/requirements/test.txt 
@@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.9.1 +coverage[toml]==7.9.2 freezegun==1.5.2 From a01210b4ba631f8ca895594d21094dfd96c67d90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Jul 2025 09:34:31 +0300 Subject: [PATCH 38/44] build(deps): bump freezegun in the dependencies group (#2849) Bumps the dependencies group with 1 update: [freezegun](https://github.com/spulec/freezegun). Updates `freezegun` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/spulec/freezegun/releases) - [Changelog](https://github.com/spulec/freezegun/blob/master/CHANGELOG) - [Commits](https://github.com/spulec/freezegun/compare/1.5.2...1.5.3) --- updated-dependencies: - dependency-name: freezegun dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 2 +- requirements/test.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 1ab9845122..16b9222674 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -11,4 +11,4 @@ mypy==1.16.1 zizmor==1.9.0 # Required for type stubs -freezegun==1.5.2 +freezegun==1.5.3 diff --git a/requirements/test.txt b/requirements/test.txt index 153de6f33c..0c6c8bc994 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -5,4 +5,4 @@ # coverage measurement coverage[toml]==7.9.2 -freezegun==1.5.2 +freezegun==1.5.3 From 5f60ee52e5138fc04787f0d6ada9c647079cf836 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 11:20:34 +0300 Subject: [PATCH 39/44] build(deps): bump the action-dependencies group with 2 updates (#2856) Bumps the action-dependencies group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `actions/checkout` from 4.2.2 to 5.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) Updates `actions/download-artifact` from 4.3.0 to 5.0.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...634f93cb2916e3fdff6788551b99b062d0335ce0) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: action-dependencies - dependency-name: actions/download-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/_test.yml | 4 ++-- .github/workflows/_test_sslib_main.yml | 2 +- .github/workflows/cd.yml | 6 +++--- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/specification-version-check.yml | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index 34ad5f2d4d..f00b8d7ed4 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -50,7 +50,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/_test_sslib_main.yml b/.github/workflows/_test_sslib_main.yml index c8cf3107d9..61a5ea9de5 100644 --- a/.github/workflows/_test_sslib_main.yml +++ b/.github/workflows/_test_sslib_main.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 68ccb087b4..c2f0e03452 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -18,7 +18,7 @@ jobs: needs: test steps: - name: Checkout release tag - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: ${{ github.event.workflow_run.head_branch }} @@ -54,7 +54,7 @@ jobs: release_id: ${{ steps.gh-release.outputs.result }} steps: - name: Fetch build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: build-artifacts 
@@ -96,7 +96,7 @@ jobs: id-token: write # to authenticate as Trusted Publisher to pypi.org steps: - name: Fetch build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: build-artifacts diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0253fbafd4..d724fc3cf5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 1c3a414dd6..c17e3e13a9 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout conformance client - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 1400d25cf6..ac7f18c891 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'Dependency Review' diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 955c0c11b4..1089a350d7 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index ed4f6bbe1f..8320666959 100644 --- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -14,7 +14,7 @@ jobs: outputs: version: ${{ steps.get-version.outputs.version }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 From ca979a6abc6a380ecb5141305b9547c9502a2228 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Aug 2025 12:24:08 +0300 Subject: [PATCH 40/44] build(deps): bump the dependencies group across 1 directory with 7 updates (#2855) * build(deps): bump the dependencies group across 1 directory with 7 updates Bumps the dependencies group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [cryptography](https://github.com/pyca/cryptography) | `45.0.5` | `45.0.6` | | [ruff](https://github.com/astral-sh/ruff) | `0.12.0` | `0.12.8` | | [mypy](https://github.com/python/mypy) | `1.16.1` | `1.17.1` | | [zizmor](https://github.com/zizmorcore/zizmor) | `1.9.0` | `1.11.0` | | [freezegun](https://github.com/spulec/freezegun) | `1.5.3` | `1.5.5` | | [build](https://github.com/pypa/build) | `1.2.2.post1` | `1.3.0` | | [coverage[toml]](https://github.com/nedbat/coveragepy) | `7.9.2` | `7.10.3` | Updates `cryptography` from 45.0.5 to 45.0.6 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/45.0.5...45.0.6) Updates `ruff` from 0.12.0 to 0.12.8 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.12.0...0.12.8) Updates `mypy` from 1.16.1 to 1.17.1 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.16.1...v1.17.1) Updates `zizmor` from 1.9.0 to 1.11.0 - [Release notes](https://github.com/zizmorcore/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/zizmorcore/zizmor/compare/v1.9.0...v1.11.0) Updates `freezegun` from 1.5.3 to 1.5.5 - [Release notes](https://github.com/spulec/freezegun/releases) - [Changelog](https://github.com/spulec/freezegun/blob/master/CHANGELOG) - 
[Commits](https://github.com/spulec/freezegun/compare/1.5.3...1.5.5) Updates `build` from 1.2.2.post1 to 1.3.0 - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.2.2.post1...1.3.0) Updates `coverage[toml]` from 7.9.2 to 7.10.3 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.9.2...7.10.3) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: ruff dependency-version: 0.12.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: mypy dependency-version: 1.17.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: zizmor dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: freezegun dependency-version: 1.5.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: build dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: coverage[toml] dependency-version: 7.10.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] * lint: Set zizmor to lower pedantry level pedantic means a little too much churn. Signed-off-by: Jussi Kukkonen --------- Signed-off-by: dependabot[bot] 
Signed-off-by: Jussi Kukkonen Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jussi Kukkonen --- requirements/build.txt | 2 +- requirements/lint.txt | 8 ++++---- requirements/pinned.txt | 2 +- requirements/test.txt | 4 ++-- tox.ini | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/requirements/build.txt b/requirements/build.txt index 2d7aef17f9..fc5bb56b8e 100644 --- a/requirements/build.txt +++ b/requirements/build.txt @@ -1,4 +1,4 @@ # The build and tox versions specified here are also used as constraints # during CI and CD Github workflows -build==1.2.2.post1 +build==1.3.0 tox==4.1.2 diff --git a/requirements/lint.txt b/requirements/lint.txt index 16b9222674..fd68243e6c 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.12.0 -mypy==1.16.1 -zizmor==1.9.0 +ruff==0.12.8 +mypy==1.17.1 +zizmor==1.11.0 # Required for type stubs -freezegun==1.5.3 +freezegun==1.5.5 diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 6a312eab92..47ef14e382 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==1.17.1 # via cryptography -cryptography==45.0.5 +cryptography==45.0.6 # via securesystemslib pycparser==2.22 # via cffi diff --git a/requirements/test.txt b/requirements/test.txt index 0c6c8bc994..2ac691c1b4 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.9.2 -freezegun==1.5.3 +coverage[toml]==7.10.3 +freezegun==1.5.5 diff --git a/tox.ini b/tox.ini index 5eae84cfba..7ef098ba3c 100644 --- a/tox.ini +++ b/tox.ini 
@@ -42,7 +42,7 @@ commands = ruff format --diff {[testenv:lint]lint_dirs} mypy {[testenv:lint]lint_dirs} - zizmor --persona=pedantic -q . + zizmor -q . [testenv:fix] deps = {[testenv:lint]deps} From 3c66266d699351236da4561c66d4d1f67fc28afd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 14:15:48 +0300 Subject: [PATCH 41/44] build(deps): bump coverage[toml] in the dependencies group (#2857) Bumps the dependencies group with 1 update: [coverage[toml]](https://github.com/nedbat/coveragepy). Updates `coverage[toml]` from 7.10.3 to 7.10.4 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.10.3...7.10.4) --- updated-dependencies: - dependency-name: coverage[toml] dependency-version: 7.10.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index 2ac691c1b4..f08829fa3b 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.10.3 +coverage[toml]==7.10.4 freezegun==1.5.5 From e4e841ffd3d5b2cc472a5c9a3676d4351e91e184 Mon Sep 17 00:00:00 2001 
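Review bot: Dropping `--persona=pedantic` switches zizmor to its default persona, so the lint step silently stops reporting the pedantic-only audits rather than recording which of them the project decided to accept. Since the zizmor pin is bumped repeatedly in this series, I would make the intended level explicit, `zizmor --persona=regular -q .` (assuming `regular` is the default, as I recall), so that a future change in the tool's default cannot widen or narrow CI coverage unnoticed. A one-line comment above the command naming the findings that motivated the downgrade would also help the next person who wonders whether to turn pedantic back on.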
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 14:15:57 +0300 Subject: [PATCH 42/44] build(deps): bump the test-and-lint-dependencies group with 2 updates (#2858) Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor). Updates `ruff` from 0.12.8 to 0.12.9 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.12.8...0.12.9) Updates `zizmor` from 1.11.0 to 1.12.1 - [Release notes](https://github.com/zizmorcore/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/zizmorcore/zizmor/compare/v1.11.0...v1.12.1) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.12.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.12.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index fd68243e6c..b5d824a16c 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.12.8 +ruff==0.12.9 mypy==1.17.1 -zizmor==1.11.0 +zizmor==1.12.1 # Required for type stubs freezegun==1.5.5 From 92af46de069b8ef056d203590e99409e4eecc571 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 18:27:45 +0300 Subject: [PATCH 43/44] build(deps): bump coverage[toml] in the dependencies group (#2859) Bumps the dependencies group with 1 update: [coverage[toml]](https://github.com/nedbat/coveragepy). Updates `coverage[toml]` from 7.10.4 to 7.10.5 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.10.4...7.10.5) --- updated-dependencies: - dependency-name: coverage[toml] dependency-version: 7.10.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index f08829fa3b..e7e04ebfee 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.10.4 +coverage[toml]==7.10.5 freezegun==1.5.5 From 7ad10ada92be041000a28d4c1e2d751f6be10d3c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 18:33:38 +0300 Subject: [PATCH 44/44] build(deps): bump ruff in the test-and-lint-dependencies group (#2860) Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.12.9 to 0.12.10 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.12.9...0.12.10) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.12.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index b5d824a16c..d162dead45 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.12.9 +ruff==0.12.10 mypy==1.17.1 zizmor==1.12.1