Releases: theupdateframework/tuf-on-ci
v0.15.1
v0.15.0
v0.14.0
kommendorkapten
Fredrik Skogman
v0.13.0
v0.12.0
In addition to dependency updates, this release contains one new (experimental) repository
feature: Online signed targets. Updating to this version does not require any changes to
GitHub workflow files.
The Online signed targets feature (#75) currently has some significant limitations
and may be changed in the future, see DELEGATION-MANUAL.md for details.
v0.11.0
kommendorkapten
Fredrik Skogman
This release contains bug fixes, stability fixes and dependency
updates.
Updating to this version does not require any changes to GitHub
workflow files.
Changes
- Increased the number of root rotations allowed in the client unsed by
the test workflow (#377) - Versioned root metadata file is now created by the signing event (#352)
Fixes
v0.10.0
Release includes several new features. It also fixes an issue with TUF keyids,
see issue #292 (note that existing keyids are not automatically made compliant:
tuf-on-ci-delegate --force-compliant-keyids can be used in a signing event to
make that happen).
GitHub workflows require no changes (but you may want to add a
.github/TUF_ON_CI_TEMPLATE/failure.md file, see below).
Changes
- Artifact directories can now be up to 5 levels deep (#238)
- actions: All action requirements are now version pinned (#248)
- actions:
.github/TUF_ON_CI_TEMPLATE/failure.mdcan now be used to
define custom content for workflow failure issues (#270) build-repositoryaction: A human readable repository description
is generated in index.html in the published metadata dir (#313)
Fixes
- signer: keyid generation was fixed to be specification compliant (#294)
- A feature was added to fix noncompliant keyids in repositories
where they non-compliant keyids already present (#338)
- A feature was added to fix noncompliant keyids in repositories
test-repositoryaction: Use a better default artifact-url (#275),
handle a initial root in more cases (#346)build-repositoryaction: Delegation tree is now used to decide which
metadata to include in published repo (#344)- tuf minimum dependency is now correctly set to 3.1 (#329)
v0.9.0
GitHub Actions users are adviced to upgrade for safer dependency
pinning that should avoid breakage in future.
Changes
- actions: test-repository action has many additional features (#239)
- actions: python package versions are now in logs again (#247)
- signer: Improve signing robustness (#237)
- Dependency updates (including more strictly pinned securesystemslib)
GitHub Actions upgrade instructions
A plain version bump from 0.8 works: Workflows require no changes.
v0.8.0
GitHub Actions upgrade instructions
A plain version bump from 0.7 works: Workflows require no changes.
Changes
- Signer now opens PRs in a browser automatically when in non-maintainer signing flow
- Signer now has runtime version checking: A message is printed out if a new version is available
- Actions have dependency updates
v0.7.0
Changes
- Signer has improved signing error handling
- Custom fields in TargetFile metadata are now preserved during target update
(this is a workaround mostly for sigstore root-signing legacy artifacts)
Upgrade instructions
A plain version bump from 0.6 works: Workflows require no changes.