…#1511)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.29.9 to 3.29.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@df55935...96f518a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Makefile: Update the TUF root update rules

* Include the new signingconfig file
* Add a rule for updating staging

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Update embedded TUF root

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Update embedded staging root

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* tests: Stop mocking TUF

The mock was useful to ensure we don't e.g. end up downloading files
multiple times but maintaining it is a bit of a hassle: the mock files
have to be kept in sync with actual staging tuf (alternatively we'd
have to create our own local tuf repository which would be another kind
of hassle).

Remove the uses of mock_staging_tuf (except for test_trust_root_tuf_offline
that ensures we do not call tuf repo when offline).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Checkpoint can have multiple signatures from multiple keys.
We just want one of them to be the log key.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

…#1519)

…#1517)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ore#1520)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* cli: Add --rekor-version to sign arguments

This should not be needed... but it could be handy if
* SigningConfig already contains rekor v2
* user for some reason does not want rekor v2 entries in
  the bundle

This option only does anything if there are multiple Rekor versions
listed in SigningConfig.

The test is changed since the "ANY" selector is now considered to not be
an error if there are 0 services:
* This is not a problem since for both TSAs and tlogs we have a check
  that there is at least one service
* This improves the error message when --rekor-version is used with
  a version that is not found in signingconfig

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* README: Update help output

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* cli: Improve help output for --rekor-version

Avoid saying "default: None", mention the valid values instead.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Bumps [platformdirs](https://github.com/tox-dev/platformdirs) from 4.3.8 to 4.4.0.
- [Release notes](https://github.com/tox-dev/platformdirs/releases)
- [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst)
- [Commits](tox-dev/platformdirs@4.3.8...4.4.0)

---
updated-dependencies:
- dependency-name: platformdirs
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jussi Kukkonen <jkukkonen@google.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ore#1527)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>