Skip to content

Releases: theupdateframework/tuf-on-ci

v0.14.0

02 Dec 14:05
v0.14.0
fce107e
Compare
Choose a tag to compare
  • Updates the status page to include expiration time for metadata (#431)
  • Compatibility updates for tuf-on-ci-sign, now runs on Python 3.9 (default macOS Python version) (#433)
  • Performance improvements to the signing-event action (#469)
  • Dependency updates

v0.13.0

02 Sep 08:49
27c49c0
Compare
Choose a tag to compare
  • Accept usernames without @ in .tuf-on-ci-sign.ini (#415)
  • Add workaround for Sigstore root-signing migration (#422)
  • Dependency updates

v0.12.0

19 Aug 10:52
89d2dad
Compare
Choose a tag to compare

In addition to dependency updates, this release contains one new (experimental) repository
feature: Online signed targets. Updating to this version does not require any changes to
GitHub workflow files.

The Online signed targets feature (#75) currently has some significant limitations
and may be changed in the future, see DELEGATION-MANUAL.md for details.

v0.11.0

15 Jul 13:38
v0.11.0
95dc66a
Compare
Choose a tag to compare

This release contains bug fixes, stability fixes and dependency
updates.

Updating to this version does not require any changes to GitHub
workflow files.

Changes

  • Increased the number of root rotations allowed in the client unsed by
    the test workflow (#377)
  • Versioned root metadata file is now created by the signing event (#352)

Fixes

  • TUF key ids are now updated only when the repository is successfully
    imported (#358)
  • Relative links in published TUF repository state are now correct
    (#354)

v0.10.0

27 May 11:29
a486e2d
Compare
Choose a tag to compare

Release includes several new features. It also fixes an issue with TUF keyids,
see issue #292 (note that existing keyids are not automatically made compliant:
tuf-on-ci-delegate --force-compliant-keyids can be used in a signing event to
make that happen).

GitHub workflows require no changes (but you may want to add a
.github/TUF_ON_CI_TEMPLATE/failure.md file, see below).

Changes

  • Artifact directories can now be up to 5 levels deep (#238)
  • actions: All action requirements are now version pinned (#248)
  • actions: .github/TUF_ON_CI_TEMPLATE/failure.md can now be used to
    define custom content for workflow failure issues (#270)
  • build-repository action: A human readable repository description
    is generated in index.html in the published metadata dir (#313)

Fixes

  • signer: keyid generation was fixed to be specification compliant (#294)
    • A feature was added to fix noncompliant keyids in repositories
      where they non-compliant keyids already present (#338)
  • test-repository action: Use a better default artifact-url (#275),
    handle a initial root in more cases (#346)
  • build-repository action: Delegation tree is now used to decide which
    metadata to include in published repo (#344)
  • tuf minimum dependency is now correctly set to 3.1 (#329)

v0.9.0

05 Apr 06:57
ebf63d4
Compare
Choose a tag to compare

GitHub Actions users are adviced to upgrade for safer dependency
pinning that should avoid breakage in future.

Changes

  • actions: test-repository action has many additional features (#239)
  • actions: python package versions are now in logs again (#247)
  • signer: Improve signing robustness (#237)
  • Dependency updates (including more strictly pinned securesystemslib)

GitHub Actions upgrade instructions

A plain version bump from 0.8 works: Workflows require no changes.

v0.8.0

27 Mar 10:01
b20b159
Compare
Choose a tag to compare

GitHub Actions upgrade instructions

A plain version bump from 0.7 works: Workflows require no changes.

Changes

  • Signer now opens PRs in a browser automatically when in non-maintainer signing flow
  • Signer now has runtime version checking: A message is printed out if a new version is available
  • Actions have dependency updates

v0.7.0

26 Feb 13:18
3a44844
Compare
Choose a tag to compare

Changes

  • Signer has improved signing error handling
  • Custom fields in TargetFile metadata are now preserved during target update
    (this is a workaround mostly for sigstore root-signing legacy artifacts)

Upgrade instructions

A plain version bump from 0.6 works: Workflows require no changes.

v0.6.0

16 Feb 14:39
38e31ce
Compare
Choose a tag to compare

NOTE: please see upgrade instructions below.

Changes

  • Signing events now happen in GitHub pull requests
  • Signer now probes for PKCS11 module: configuring that is no longer required, as long as as the module is in one of the expected locations.

Upgrade instructions

  • As usual we recommend copying your workflows from https://github.com/theupdateframework/tuf-on-ci-template/.
    • signing event action no longer needs issues: write permission but instead requires pull-requests: write
  • Custom token users need to create a new token with an additional permission Pull requests: write
  • Settings->Actions->General->Allow GitHub Actions to create and approve pull requests needs to be enabled in repository settings
    (not required if a custom token is used)

v0.5.0

30 Jan 12:46
4ae5fdf
Compare
Choose a tag to compare

NOTE: Do not accept a dependabot upgrade, please see upgrade
instructions.

This release contains improved failure handling and testing.

Changes

  • New action test-repository: This new action enables smoke testing
    every published repository with a TUF client.
  • New action update-issue: This action enables automated filing of
    issues when a TUF-on-CI workflow fails

Upgrade instructions

As usual we recommend copying your workflows from
https://github.com/theupdateframework/tuf-on-ci-template/ as there
are a number of changes, including a new reusable workflow.