From c49bdb93228962545cc77b14fbc43348268f52dc Mon Sep 17 00:00:00 2001 From: 1seal Date: Sun, 25 Jan 2026 11:50:37 +0000 Subject: [PATCH 01/20] feat(ngclient): require explicit bootstrap argument make bootstrap required and explicit: callers must pass bootstrap= or bootstrap=None. also tighten docs, examples, and tests to reflect the explicit trust anchor choice. Signed-off-by: 1seal --- docs/CHANGELOG.md | 6 +++++ docs/INSTALLATION.rst | 33 +++++++++++++++++++++++ examples/client/client | 7 ++--- examples/uploader/_localrepo.py | 1 + tests/repository_simulator.py | 4 ++- tests/test_updater_consistent_snapshot.py | 1 + tests/test_updater_delegation_graphs.py | 1 + tests/test_updater_fetch_target.py | 1 + tests/test_updater_key_rotations.py | 1 + tests/test_updater_ng.py | 8 ++++-- tests/test_updater_validation.py | 14 +++++++++- tuf/ngclient/updater.py | 19 ++++++++----- 12 files changed, 82 insertions(+), 14 deletions(-) diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 6beadca962..92f1bfc591 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -2,6 +2,12 @@ ## Unreleased +### Changed + +* ngclient: `Updater()` now requires an explicit `bootstrap` argument + * This is a breaking change: callers must pass `bootstrap=` or `bootstrap=None` + * `bootstrap=None` explicitly opts into using cached `root.json` as trust anchor + ## v6.0.0 This release is not strictly speaking an API break from 5.1 but it does contain some diff --git a/docs/INSTALLATION.rst b/docs/INSTALLATION.rst index 8e23e927f8..e4c5bd9805 100644 --- a/docs/INSTALLATION.rst +++ b/docs/INSTALLATION.rst 
@@ -53,6 +53,39 @@ from GitHub, change into the project root directory, and install with pip python3 -m pip install -r requirements/dev.txt +Bootstrap root metadata +----------------------- + +The initial trusted root metadata (``root.json``) is the trust anchor for all +subsequent metadata verification. Applications should deploy a trusted root +with the application and provide it to :class:`tuf.ngclient.Updater`. + +Recommended storage locations for bootstrap root metadata include: + +* a system-wide read-only path (e.g. ``/usr/share/your-app/root.json``) +* an application bundle with appropriate permissions +* a read-only mounted volume in containerized deployments + +Not recommended: + +* ``metadata_dir`` (the metadata cache) since it is writable by design +* user-writable install paths (e.g. a user site-packages directory) +* any location writable by the account running the updater + +Example:: + + from tuf.ngclient import Updater + + with open("/usr/share/your-app/root.json", "rb") as f: + bootstrap = f.read() + + updater = Updater( + metadata_dir="/var/lib/your-app/tuf/metadata", + metadata_base_url="https://example.com/metadata/", + bootstrap=bootstrap, + ) + + Verify release signatures ------------------------- diff --git a/examples/client/client b/examples/client/client index 883fd52cba..3a997a07d4 100755 --- a/examples/client/client +++ b/examples/client/client 
@@ -79,14 +79,15 @@ def download(base_url: str, target: str) -> bool: print(f"Using trusted root in {metadata_dir}") try: - # NOTE: initial root should be provided with ``bootstrap`` argument: - # This examples uses unsafe Trust-On-First-Use initialization so it is - # not possible here. + # NOTE: production deployments should provide embedded root metadata + # bytes via the ``bootstrap`` argument. This example uses Trust-On-First-Use + # initialization, so it explicitly opts into using cached root.json. updater = Updater( metadata_dir=metadata_dir, metadata_base_url=f"{base_url}/metadata/", target_base_url=f"{base_url}/targets/", target_dir=DOWNLOAD_DIR, + bootstrap=None, ) updater.refresh() diff --git a/examples/uploader/_localrepo.py b/examples/uploader/_localrepo.py index c4d746a34d..7d8181b44e 100644 --- a/examples/uploader/_localrepo.py +++ b/examples/uploader/_localrepo.py @@ -47,6 +47,7 @@ def __init__(self, metadata_dir: str, key_dir: str, base_url: str): self.updater = Updater( metadata_dir=metadata_dir, metadata_base_url=f"{base_url}/metadata/", + bootstrap=None, ) self.updater.refresh() diff --git a/tests/repository_simulator.py b/tests/repository_simulator.py index d0c50bc424..bd175e7244 100644 --- a/tests/repository_simulator.py +++ b/tests/repository_simulator.py @@ -36,8 +36,10 @@ updater = Updater( dir, "https://example.com/metadata/", + dir, "https://example.com/targets/", - sim + sim, + bootstrap=sim.signed_roots[0], ) updater.refresh() """ diff --git a/tests/test_updater_consistent_snapshot.py b/tests/test_updater_consistent_snapshot.py index 4ceb1fe7f9..9c91f18308 100644 --- a/tests/test_updater_consistent_snapshot.py +++ b/tests/test_updater_consistent_snapshot.py @@ -88,6 +88,7 @@ def _init_updater(self) -> Updater: self.targets_dir, "https://example.com/targets/", self.sim, + bootstrap=self.sim.signed_roots[-1], ) def _assert_metadata_files_exist(self, roles: Iterable[str]) -> None: 
diff --git a/tests/test_updater_delegation_graphs.py b/tests/test_updater_delegation_graphs.py index 770a1b3d71..c1606e30c6 100644 --- a/tests/test_updater_delegation_graphs.py +++ b/tests/test_updater_delegation_graphs.py @@ -130,6 +130,7 @@ def _init_updater(self) -> Updater: self.targets_dir, "https://example.com/targets/", self.sim, + bootstrap=self.sim.signed_roots[0], ) def _assert_files_exist(self, roles: Iterable[str]) -> None: diff --git a/tests/test_updater_fetch_target.py b/tests/test_updater_fetch_target.py index 5ab8567032..0ff268558d 100644 --- a/tests/test_updater_fetch_target.py +++ b/tests/test_updater_fetch_target.py @@ -65,6 +65,7 @@ def _init_updater(self) -> Updater: self.targets_dir, "https://example.com/targets/", self.sim, + bootstrap=self.sim.signed_roots[0], ) targets = { diff --git a/tests/test_updater_key_rotations.py b/tests/test_updater_key_rotations.py index f79c3dd997..4d0e0f22a4 100644 --- a/tests/test_updater_key_rotations.py +++ b/tests/test_updater_key_rotations.py @@ -79,6 +79,7 @@ def _run_refresh(self) -> None: self.metadata_dir, "https://example.com/metadata/", fetcher=self.sim, + bootstrap=self.sim.signed_roots[0], ) updater.refresh() diff --git a/tests/test_updater_ng.py b/tests/test_updater_ng.py index 5393aa3c21..6a0eb53d73 100644 --- a/tests/test_updater_ng.py +++ b/tests/test_updater_ng.py @@ -115,6 +115,7 @@ def setUp(self) -> None: metadata_base_url=self.metadata_url, target_dir=self.dl_dir, target_base_url=self.targets_url, + bootstrap=None, ) def tearDown(self) -> None: 
@@ -247,14 +248,16 @@ def test_implicit_refresh_with_only_local_root(self) -> None:
 
     def test_both_target_urls_not_set(self) -> None:
         # target_base_url = None and Updater._target_base_url = None
-        updater = Updater(self.client_directory, self.metadata_url, self.dl_dir)
+        updater = Updater(
+            self.client_directory, self.metadata_url, self.dl_dir, bootstrap=None
+        )
         info = TargetFile(1, {"sha256": ""}, "targetpath")
         with self.assertRaises(ValueError):
             updater.download_target(info)
 
     def test_no_target_dir_no_filepath(self) -> None:
         # filepath = None and Updater.target_dir = None
-        updater = Updater(self.client_directory, self.metadata_url)
+        updater = Updater(self.client_directory, self.metadata_url, bootstrap=None)
         info = TargetFile(1, {"sha256": ""}, "targetpath")
         with self.assertRaises(ValueError):
             updater.find_cached_target(info)
@@ -344,6 +347,7 @@ def test_user_agent(self) -> None:
             self.dl_dir,
             self.targets_url,
             config=UpdaterConfig(app_user_agent="MyApp/1.2.3"),
+            bootstrap=None,
         )
         updater.refresh()
         poolmgr = updater._fetcher._proxy_env.get_pool_manager(
diff --git a/tests/test_updater_validation.py b/tests/test_updater_validation.py
index b9d6bb3cc7..5aa40d5f82 100644
--- a/tests/test_updater_validation.py
+++ b/tests/test_updater_validation.py
@@ -38,8 +38,18 @@ def _new_updater(self) -> Updater:
             self.targets_dir,
             "https://example.com/targets/",
             fetcher=self.sim,
+            bootstrap=self.sim.signed_roots[0],
         )
 
+    def test_bootstrap_argument_required(self) -> None:
+        with self.assertRaises(TypeError) as ctx:
+            Updater(
+                self.metadata_dir,
+                "https://example.com/metadata/",
+                fetcher=self.sim,
+            )
+        self.assertIn("bootstrap", str(ctx.exception))
+
     def test_local_target_storage_fail(self) -> None:
         self.sim.add_target("targets", b"content", "targetpath")
         self.sim.targets.version += 1
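Review bot: test_bootstrap_argument_required only pins the missing-keyword case, but the same patch changes Updater.__init__ from `if not bootstrap` to `if bootstrap is None` (the updater.py hunk later on this page), so `bootstrap=b""` no longer silently falls back to the cached root.json and instead reaches the root-metadata parser, and nothing here locks that in. Add a sibling test right after it so a future refactor cannot reintroduce the empty-bytes downgrade: `with self.assertRaises(Exception): Updater(self.metadata_dir, "https://example.com/metadata/", fetcher=self.sim, bootstrap=b"")`, narrowing the exception to whatever the root loader raises for unparsable bytes (not visible in this hunk). The `assertIn("bootstrap", ...)` check depends on the interpreter's TypeError wording for keyword-only arguments; that is stable across CPython releases, but a short comment saying so would save the next reader a question.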
@@ -52,12 +62,14 @@ def test_local_target_storage_fail(self) -> None: updater.download_target(target_info, filepath="") def test_non_existing_metadata_dir(self) -> None: + non_existing_dir = os.path.join(self.temp_dir.name, "non-existing-dir") with self.assertRaises(FileNotFoundError): # Initialize Updater with non-existing metadata_dir Updater( - "non_existing_metadata_dir", + non_existing_dir, "https://example.com/metadata/", fetcher=self.sim, + bootstrap=None, ) diff --git a/tuf/ngclient/updater.py b/tuf/ngclient/updater.py index a98e799ce4..a253b18d4c 100644 --- a/tuf/ngclient/updater.py +++ b/tuf/ngclient/updater.py @@ -13,7 +13,8 @@ * Initializing an ``Updater`` loads and validates the trusted local root metadata: This root metadata is used as the source of trust for all other metadata. Updater should always be initialized with the ``bootstrap`` - argument: if this is not possible, it can be initialized from cache only. + argument: pass ``bootstrap=None`` only to explicitly opt into using the + cached root.json as the trust anchor. * ``refresh()`` can optionally be called to update and load all top-level metadata as described in the specification, using both locally cached metadata and metadata downloaded from the remote repository. If refresh is @@ -79,7 +80,8 @@ class Updater: Args: metadata_dir: Local metadata directory. Directory must be - writable and it must contain a trusted root.json file + writable. If ``bootstrap`` is ``None``, this directory must contain + a trusted root.json file. metadata_base_url: Base URL for all remote metadata downloads target_dir: Local targets directory. Directory must be writable. It will be used as the default target download directory by 
@@ -90,9 +92,11 @@ class Updater:
             download both metadata and targets. Default is ``Urllib3Fetcher``
         config: ``Optional``; ``UpdaterConfig`` could be used to setup common
             configuration options.
-        bootstrap: ``Optional``; initial root metadata. A bootstrap root should
-            always be provided. If it is not, the current root.json in the
-            metadata cache is used as the initial root.
+        bootstrap: Initial root metadata bytes. This argument is required.
+            Pass the embedded root metadata bytes for secure initialization.
+            Pass ``None`` only if you explicitly want to use the cached
+            root.json as the trust anchor (not recommended for most
+            deployments).
 
     Raises:
         OSError: Local root.json cannot be read
@@ -107,7 +111,8 @@ def __init__(
         target_base_url: str | None = None,
         fetcher: FetcherInterface | None = None,
         config: UpdaterConfig | None = None,
-        bootstrap: bytes | None = None,
+        *,
+        bootstrap: bytes | None,
     ):
         self._dir = metadata_dir
         self._metadata_base_url = _ensure_trailing_slash(metadata_base_url)
@@ -131,7 +136,7 @@ def __init__(
                 f"got '{self.config.envelope_type}'"
             )
 
-        if not bootstrap:
+        if bootstrap is None:
             # if no root was provided, use the cached non-versioned root.json
             bootstrap = self._load_local_metadata(Root.type)
 
From 0f495b85ef2b06777bc91367008b54f73bbffa55 Mon Sep 17 00:00:00 2001
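Review bot: The new bootstrap Args text says "required" but not that the argument is keyword-only, which the `*,` in the signature hunk below makes it; a caller that used to pass it as the seventh positional argument now fails with a "too many positional arguments" TypeError rather than the missing-keyword one, and neither this docstring nor the CHANGELOG entry earlier in the patch warns about that. Change the first line to `bootstrap: Initial root metadata bytes. Keyword-only and required.`. The unchanged `Raises: OSError: Local root.json cannot be read` line is now only accurate for the `bootstrap=None` path, since an embedded root never touches the cache file during init; qualify it, e.g. `OSError: Local root.json cannot be read (only when bootstrap is None)`. The class docstring continues outside this hunk.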
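Review bot: Trusting the cached root.json is the weaker mode and is now reachable only via an explicit `bootstrap=None`, yet nothing records at runtime that this happened, so a deployment that ships `bootstrap=None` by mistake is indistinguishable in logs from one that embedded a root. Emit a warning on that branch before the `_load_local_metadata` call, e.g. `logger.warning("No bootstrap root provided: trusting cached root.json in %s", self._dir)`, assuming the module-level `logger` that ngclient modules normally define is in scope (not visible in this hunk). The comment on the fallback should also say the opt-in is deliberate rather than implied: `# bootstrap=None: caller explicitly chose the cached root.json as trust anchor`. Note that moving from `if not bootstrap` to `is None` also changes what `bootstrap=b""` does (it now reaches the root parser instead of the cache fallback), which is the safer outcome but deserves a line in the CHANGELOG. The remainder of __init__ continues outside this hunk.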
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 23:01:33 +0000 Subject: [PATCH 02/20] build(deps): bump the test-and-lint-dependencies group with 2 updates Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor). Updates `ruff` from 0.14.11 to 0.14.13 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.14.11...0.14.13) Updates `zizmor` from 1.20.0 to 1.22.0 - [Release notes](https://github.com/zizmorcore/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/zizmorcore/zizmor/compare/v1.20.0...v1.22.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.14.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index dcbc97b83a..2119b97831 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.14.11 +ruff==0.14.13 mypy==1.19.1 -zizmor==1.20.0 +zizmor==1.22.0 # Required for type stubs freezegun==1.5.5 From 07de919f5f3f8538a70b8ca7d54e84fd85db0390 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 23:02:38 +0000 Subject: [PATCH 03/20] build(deps): bump actions/checkout in the action-dependencies group Bumps the action-dependencies group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/_test.yml | 4 ++-- .github/workflows/_test_sslib_main.yml | 2 +- .github/workflows/cd.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/specification-version-check.yml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index 4fe5c77946..b6b9981e93 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -50,7 +50,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
diff --git a/.github/workflows/_test_sslib_main.yml b/.github/workflows/_test_sslib_main.yml index c84482f2e5..e80601745d 100644 --- a/.github/workflows/_test_sslib_main.yml +++ b/.github/workflows/_test_sslib_main.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout TUF - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 88294930e3..523de5c7c1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -18,7 +18,7 @@ jobs: needs: test steps: - name: Checkout release tag - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.workflow_run.head_branch }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b111f37e4e..9d4c54447e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 644ea0078a..3358297097 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout conformance client - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 115232723d..764d8e080c 100644 
--- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: 'Dependency Review' diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index a44a4e81a5..29a5b81ba9 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index aa8c1e685d..e43f6265d9 100644 --- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -14,7 +14,7 @@ jobs: outputs: version: ${{ steps.get-version.outputs.version }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 From bf5ddf8a00ad57045fcfae11e3c5e89ccb9cfae8 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Fri, 30 Jan 2026 16:12:21 +0200 Subject: [PATCH 04/20] workflows: Add zizmor ignore comment Should be fine to use check-latest-spec-version from master. Signed-off-by: Jussi Kukkonen --- .github/workflows/specification-version-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index aa8c1e685d..8a372cbe13 100644 
--- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -33,6 +33,6 @@ jobs: contents: read issues: write needs: get-supported-tuf-version - uses: theupdateframework/specification/.github/workflows/check-latest-spec-version.yml@master + uses: theupdateframework/specification/.github/workflows/check-latest-spec-version.yml@master # zizmor: ignore[unpinned-uses] with: tuf-version: ${{needs.get-supported-tuf-version.outputs.version}} From 1b0f94223539592009b86d92ebd4862cfbd65256 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 03:06:09 +0000 Subject: [PATCH 05/20] build(deps): bump the dependencies group with 2 updates Bumps the dependencies group with 2 updates: [pycparser](https://github.com/eliben/pycparser) and [coverage[toml]](https://github.com/coveragepy/coveragepy). Updates `pycparser` from 2.23 to 3.0 - [Release notes](https://github.com/eliben/pycparser/releases) - [Commits](https://github.com/eliben/pycparser/compare/release_v2.23...release_v3.00) Updates `coverage[toml]` from 7.13.1 to 7.13.2 - [Release notes](https://github.com/coveragepy/coveragepy/releases) - [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst) - [Commits](https://github.com/coveragepy/coveragepy/compare/7.13.1...7.13.2) --- updated-dependencies: - dependency-name: pycparser dependency-version: '3.0' dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: coverage[toml] dependency-version: 7.13.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- requirements/test.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 6ab621aa78..3403570ece 100644 
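Review bot: The ignore comment silences zizmor's unpinned-uses finding without recording why it is acceptable, and the hunk context shows the reusable workflow is invoked with `issues: write`, so whatever `theupdateframework/specification` has on `master` at run time executes with write access to this repository's issues. If the intent is that the sibling spec repo sits inside the same trust boundary, write that down on the line above the `uses:` entry, e.g. `# Same-org reusable workflow; intentionally tracks master (no pinned releases).`, so the suppression is reviewable later. Otherwise pin the call to a commit SHA with a `# <ref>` trailer, matching how every other workflow in this patch series pins actions, which also lets the action-dependencies dependabot group keep it current. The job's `permissions:` block starts before this hunk.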
--- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -8,7 +8,7 @@ cffi==2.0.0 # via cryptography cryptography==46.0.3 # via securesystemslib -pycparser==2.23 +pycparser==3.0 # via cffi securesystemslib==1.3.1 # via -r requirements/main.txt diff --git a/requirements/test.txt b/requirements/test.txt index a21d5258c0..57bc86a8de 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.13.1 +coverage[toml]==7.13.2 freezegun==1.5.5 From 8765473c0bfe11fa58a367017f9f22d9ba16fcee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 03:07:09 +0000 Subject: [PATCH 06/20] build(deps): bump actions/setup-python in the action-dependencies group Bumps the action-dependencies group with 1 update: [actions/setup-python](https://github.com/actions/setup-python). Updates `actions/setup-python` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/83679a892e2d95755f2dac6acb0bfd1e9ac5d548...a309ff8b426b58ec0e2a45f0f869d46889d02405) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/_test.yml | 6 +++--- .github/workflows/_test_sslib_main.yml | 2 +- .github/workflows/cd.yml | 2 +- .github/workflows/specification-version-check.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index b6b9981e93..029eba9dc2 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml 
@@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python (oldest supported version) - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" cache: 'pip' @@ -55,7 +55,7 @@ jobs: persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -99,7 +99,7 @@ jobs: run: touch requirements.txt - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/_test_sslib_main.yml b/.github/workflows/_test_sslib_main.yml index e80601745d..8be70055b3 100644 --- a/.github/workflows/_test_sslib_main.yml +++ b/.github/workflows/_test_sslib_main.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' cache: 'pip' diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 523de5c7c1..534d166abc 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml index e43f6265d9..ae89f1a556 100644 
--- a/.github/workflows/specification-version-check.yml +++ b/.github/workflows/specification-version-check.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" - id: get-version From 37a47c05900ef9a9d1327676a574523b1c75a951 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Feb 2026 00:19:53 +0000 Subject: [PATCH 07/20] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.14.13 to 0.14.14 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/0.14.14/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.14.13...0.14.14) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.14.14 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 2119b97831..c4fed54c08 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.14.13 +ruff==0.14.14 mypy==1.19.1 zizmor==1.22.0 From ebd3929dca43c92f6ec197ab6dad5bb4aa0da9f6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Feb 2026 00:20:18 +0000 Subject: [PATCH 08/20] build(deps): bump cryptography in the dependencies group Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.3 to 46.0.4 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/46.0.3...46.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index 3403570ece..f42ef17d06 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==2.0.0 # via cryptography -cryptography==46.0.3 +cryptography==46.0.4 # via securesystemslib pycparser==3.0 # via cffi From a7feb53975e15e69794357cbfa7e7b1d877d33cb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Feb 2026 21:42:45 +0000 Subject: [PATCH 09/20] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.14.14 to 0.15.0 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.14.14...0.15.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... 
Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index c4fed54c08..a18ac0b258 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.14.14 +ruff==0.15.0 mypy==1.19.1 zizmor==1.22.0 From 87493109549997512cbf10fc84bd0a686b21b914 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Feb 2026 21:43:12 +0000 Subject: [PATCH 10/20] build(deps): bump coverage[toml] in the dependencies group Bumps the dependencies group with 1 update: [coverage[toml]](https://github.com/coveragepy/coveragepy). Updates `coverage[toml]` from 7.13.2 to 7.13.4 - [Release notes](https://github.com/coveragepy/coveragepy/releases) - [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst) - [Commits](https://github.com/coveragepy/coveragepy/compare/7.13.2...7.13.4) --- updated-dependencies: - dependency-name: coverage[toml] dependency-version: 7.13.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/test.txt b/requirements/test.txt index 57bc86a8de..cea102cff1 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -4,5 +4,5 @@ -r pinned.txt # coverage measurement -coverage[toml]==7.13.2 +coverage[toml]==7.13.4 freezegun==1.5.5 From 927a598877aebb5d76d6622da5f6fc6b982e23ed Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 17 Feb 2026 12:15:12 +0200 Subject: [PATCH 11/20] tests: Keep linter happy Signed-off-by: Jussi Kukkonen --- tests/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/utils.py b/tests/utils.py index f4310d0aec..cc35af0447 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -115,7 +115,7 @@ def wait_for_server( pass except OSError as e: # ECONNREFUSED is expected while the server is not started - if e.errno not in [errno.ECONNREFUSED]: + if e.errno != errno.ECONNREFUSED: logger.warning( "Unexpected error while waiting for server: %s", str(e) ) From d5fa0b05943fc81f654ed8e5236704c5de5f4820 Mon Sep 17 00:00:00 2001 From: 1seal Date: Fri, 6 Feb 2026 12:58:53 +0000 Subject: [PATCH 12/20] address review feedback: remove redundant root.json writes, rename docs section Signed-off-by: 1seal --- .github/scripts/conformance-client.py | 2 ++ docs/INSTALLATION.rst | 4 ++-- tests/test_updater_consistent_snapshot.py | 4 ---- tests/test_updater_delegation_graphs.py | 4 ---- tests/test_updater_fetch_target.py | 4 +--- tests/test_updater_key_rotations.py | 2 -- tests/test_updater_ng.py | 9 +++++++-- tests/test_updater_validation.py | 6 ++---- 8 files changed, 14 insertions(+), 21 deletions(-) diff --git a/.github/scripts/conformance-client.py b/.github/scripts/conformance-client.py index 0c44c7ff84..1f80ad6ce7 100755 --- a/.github/scripts/conformance-client.py +++ b/.github/scripts/conformance-client.py @@ -27,6 +27,7 @@ def refresh(metadata_url: str, metadata_dir: str) -> None: updater = Updater( metadata_dir, metadata_url, + bootstrap=None, ) updater.refresh() print(f"python-tuf test client: Refreshed metadata in {metadata_dir}") @@ -46,6 +47,7 @@ def download_target( metadata_url, download_dir, target_base_url, + bootstrap=None, ) target_info = updater.get_targetinfo(target_name) if not target_info: diff --git a/docs/INSTALLATION.rst b/docs/INSTALLATION.rst index e4c5bd9805..012f0878da 100644 --- a/docs/INSTALLATION.rst +++ b/docs/INSTALLATION.rst 
@@ -53,8 +53,8 @@ from GitHub, change into the project root directory, and install with pip python3 -m pip install -r requirements/dev.txt -Bootstrap root metadata ------------------------ +Application deployment +---------------------- The initial trusted root metadata (``root.json``) is the trust anchor for all subsequent metadata verification. Applications should deploy a trusted root diff --git a/tests/test_updater_consistent_snapshot.py b/tests/test_updater_consistent_snapshot.py index 9c91f18308..abf6fb4a9b 100644 --- a/tests/test_updater_consistent_snapshot.py +++ b/tests/test_updater_consistent_snapshot.py @@ -74,10 +74,6 @@ def _init_repo( sim.publish_root() sim.prefix_targets_with_hash = prefix_targets - # Init trusted root with the latest consistent_snapshot - with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f: - f.write(sim.signed_roots[-1]) - return sim def _init_updater(self) -> Updater: diff --git a/tests/test_updater_delegation_graphs.py b/tests/test_updater_delegation_graphs.py index c1606e30c6..536bb13a2d 100644 --- a/tests/test_updater_delegation_graphs.py +++ b/tests/test_updater_delegation_graphs.py @@ -120,10 +120,6 @@ def _init_repo(self, test_case: DelegationsTestCase) -> None: def _init_updater(self) -> Updater: """Create a new Updater instance""" - # Init trusted root for Updater - with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f: - f.write(self.sim.signed_roots[0]) - return Updater( self.metadata_dir, "https://example.com/metadata/", diff --git a/tests/test_updater_fetch_target.py b/tests/test_updater_fetch_target.py index 0ff268558d..ecf777c6f1 100644 --- a/tests/test_updater_fetch_target.py +++ b/tests/test_updater_fetch_target.py 
@@ -40,10 +40,8 @@ def setUp(self) -> None: os.mkdir(self.metadata_dir) os.mkdir(self.targets_dir) - # Setup the repository, bootstrap client root.json + # Setup the repository self.sim = RepositorySimulator() - with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f: - f.write(self.sim.signed_roots[0]) if self.dump_dir is not None: # create test specific dump directory diff --git a/tests/test_updater_key_rotations.py b/tests/test_updater_key_rotations.py index 4d0e0f22a4..90dbd262f9 100644 --- a/tests/test_updater_key_rotations.py +++ b/tests/test_updater_key_rotations.py @@ -72,8 +72,6 @@ def _run_refresh(self) -> None: # bootstrap with initial root self.metadata_dir = tempfile.mkdtemp(dir=self.temp_dir.name) - with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f: - f.write(self.sim.signed_roots[0]) updater = Updater( self.metadata_dir, diff --git a/tests/test_updater_ng.py b/tests/test_updater_ng.py index 6a0eb53d73..5fc436ba97 100644 --- a/tests/test_updater_ng.py +++ b/tests/test_updater_ng.py @@ -249,7 +249,10 @@ def test_implicit_refresh_with_only_local_root(self) -> None: def test_both_target_urls_not_set(self) -> None: # target_base_url = None and Updater._target_base_url = None updater = Updater( - self.client_directory, self.metadata_url, self.dl_dir, bootstrap=None + self.client_directory, + self.metadata_url, + self.dl_dir, + bootstrap=None, ) info = TargetFile(1, {"sha256": ""}, "targetpath") with self.assertRaises(ValueError): @@ -257,7 +260,9 @@ def test_both_target_urls_not_set(self) -> None: def test_no_target_dir_no_filepath(self) -> None: # filepath = None and Updater.target_dir = None - updater = Updater(self.client_directory, self.metadata_url, bootstrap=None) + updater = Updater( + self.client_directory, self.metadata_url, bootstrap=None + ) info = TargetFile(1, {"sha256": ""}, "targetpath") with self.assertRaises(ValueError): updater.find_cached_target(info) 
diff --git a/tests/test_updater_validation.py b/tests/test_updater_validation.py index 5aa40d5f82..7417b67c5d 100644 --- a/tests/test_updater_validation.py +++ b/tests/test_updater_validation.py @@ -23,10 +23,8 @@ def setUp(self) -> None: os.mkdir(self.metadata_dir) os.mkdir(self.targets_dir) - # Setup the repository, bootstrap client root.json + # Setup the repository self.sim = RepositorySimulator() - with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f: - f.write(self.sim.signed_roots[0]) def tearDown(self) -> None: self.temp_dir.cleanup() @@ -47,7 +45,7 @@ def test_bootstrap_argument_required(self) -> None: self.metadata_dir, "https://example.com/metadata/", fetcher=self.sim, - ) + ) # type: ignore[call-arg] self.assertIn("bootstrap", str(ctx.exception)) def test_local_target_storage_fail(self) -> None: From d1c149fab34fd5b9eeef4a6041640ef630923a73 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:57:47 +0000 Subject: [PATCH 13/20] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.15.0 to 0.15.1 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.15.0...0.15.1) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index a18ac0b258..306ef8d44f 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt 
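Review bot: The new `# type: ignore[call-arg]` in `test_bootstrap_argument_required` silences exactly the error the test exists to exercise, but nothing in the hunk records that omitting `bootstrap` is deliberate, so a later "fix" of the call would leave the test asserting nothing useful. A short comment on the closing line would make the intent explicit: `) # type: ignore[call-arg]  # bootstrap intentionally omitted: the constructor must reject this call`. The `with self.assertRaises(...)` that opens the test is outside the hunk, so I cannot confirm which exception type is pinned; `assertIn("bootstrap", str(ctx.exception))` only checks the message text.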
@@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.15.0 +ruff==0.15.1 mypy==1.19.1 zizmor==1.22.0 From c46b820dc5ab47779f53d9f6753759d37e7d7687 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:58:12 +0000 Subject: [PATCH 14/20] build(deps): bump cryptography in the dependencies group Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.4 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/46.0.4...46.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- requirements/pinned.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/pinned.txt b/requirements/pinned.txt index f42ef17d06..5430cb54d1 100644 --- a/requirements/pinned.txt +++ b/requirements/pinned.txt @@ -6,7 +6,7 @@ # cffi==2.0.0 # via cryptography -cryptography==46.0.4 +cryptography==46.0.5 # via securesystemslib pycparser==3.0 # via cffi From 104ce4a0de234b5a4087065c8bd224211b28e413 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 23:15:01 +0000 Subject: [PATCH 15/20] build(deps-dev): bump hatchling Bumps the build-and-release-dependencies group with 1 update: [hatchling](https://github.com/pypa/hatch). Updates `hatchling` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/pypa/hatch/releases) - [Commits](https://github.com/pypa/hatch/compare/hatchling-v1.28.0...hatchling-v1.29.0) --- updated-dependencies: - dependency-name: hatchling dependency-version: 1.29.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: build-and-release-dependencies ... Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index cce1fc5487..e51626f22b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,5 +1,5 @@ [build-system] -requires = ["hatchling==1.28.0"] +requires = ["hatchling==1.29.0"] build-backend = "hatchling.build" [project] From 0e31c525aea5f3fe61e3f583765e44608909c0bf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 23:15:19 +0000 Subject: [PATCH 16/20] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.15.1 to 0.15.2 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.15.1...0.15.2) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements/lint.txt b/requirements/lint.txt index 306ef8d44f..8bcf80a6c5 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.15.1 +ruff==0.15.2 mypy==1.19.1 zizmor==1.22.0 From 4c720e1f41e49e2000daf55c190e4ce25c24e120 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 23:22:48 +0000 Subject: [PATCH 17/20] build(deps): bump actions/download-artifact Bumps the action-dependencies group with 1 update: [actions/download-artifact](https://github.com/actions/download-artifact). Updates `actions/download-artifact` from 7.0.0 to 8.0.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/cd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 534d166abc..305bf8a839 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -54,7 +54,7 @@ jobs: release_id: ${{ steps.gh-release.outputs.result }} steps: - name: Fetch build artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: build-artifacts 
@@ -96,7 +96,7 @@ jobs: id-token: write # to authenticate as Trusted Publisher to pypi.org steps: - name: Fetch build artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: build-artifacts From e5ec1307567de58fe3c24ee44963bebc2810322f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:22:27 +0000 Subject: [PATCH 18/20] build(deps): bump ruff in the test-and-lint-dependencies group Bumps the test-and-lint-dependencies group with 1 update: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.15.2 to 0.15.4 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.15.2...0.15.4) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index 8bcf80a6c5..d120b0dc5b 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,7 +6,7 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.15.2 +ruff==0.15.4 mypy==1.19.1 zizmor==1.22.0 From 51b3ee780009154e11e5bd94b57dfe9c38dc6bb5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:24:05 +0000 Subject: [PATCH 19/20] build(deps): bump actions/upload-artifact Bumps the action-dependencies group with 1 update: [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 305bf8a839..b1820770d1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -37,7 +37,7 @@ jobs: awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog - name: Store build artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-artifacts path: | From 312bee6a8426e9906b604d22592a907ea7d0ad17 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 21:45:19 +0000 Subject: [PATCH 20/20] build(deps): bump the test-and-lint-dependencies group with 2 updates Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor). Updates `ruff` from 0.15.4 to 0.15.5 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.15.4...0.15.5) Updates `zizmor` from 1.22.0 to 1.23.1 - [Release notes](https://github.com/zizmorcore/zizmor/releases) - [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md) - [Commits](https://github.com/zizmorcore/zizmor/compare/v1.22.0...v1.23.1) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies - dependency-name: zizmor dependency-version: 1.23.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies ... Signed-off-by: dependabot[bot] --- requirements/lint.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/lint.txt b/requirements/lint.txt index d120b0dc5b..c65fa9c57e 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -6,9 +6,9 @@ # Lint tools # (We are not so interested in the specific versions of the tools: the versions # are pinned to prevent unexpected linting failures when tools update) -ruff==0.15.4 +ruff==0.15.5 mypy==1.19.1 -zizmor==1.22.0 +zizmor==1.23.1 # Required for type stubs freezegun==1.5.5