Releases: theupdateframework/tuf-on-ci
v0.6.0
NOTE: please see upgrade instructions below.
Changes
- Signing events now happen in GitHub pull requests
- Signer now probes for PKCS11 module: configuring that is no longer required, as long as the module is in one of the expected locations.
Upgrade instructions
- As usual we recommend copying your workflows from https://github.com/theupdateframework/tuf-on-ci-template/.
- signing event action no longer needs "issues: write" permission but instead requires "pull-requests: write"
- Custom token users need to create a new token with an additional permission "Pull requests: write"
- Settings->Actions->General->Allow GitHub Actions to create and approve pull requests needs to be enabled in repository settings (not required if a custom token is used)
v0.5.0
NOTE: Do not accept a Dependabot upgrade, please see upgrade instructions.
This release contains improved failure handling and testing.
Changes
- New action test-repository: This new action enables smoke testing every published repository with a TUF client.
- New action update-issue: This action enables automated filing of issues when a TUF-on-CI workflow fails
Upgrade instructions
As usual we recommend copying your workflows from
https://github.com/theupdateframework/tuf-on-ci-template/ as there
are a number of changes, including a new reusable workflow.
v0.4.0
NOTE: This is a major Actions API break, users should not just accept a Dependabot update but should instead follow upgrade instructions below.
Changes
- Support for custom GitHub tokens: see [REPOSITORY-MAINTENANCE.md].
- Uses upload-artifact v4: this means publish workflow must use download-artifact v4 or deploy-pages v4
- All commits are now done with "Signed-Off-By"
Upgrade instructions from v0.3.0:
- We recommend using the workflows from tuf-on-ci-template (or to merge changes from there if you have local changes in your workflows) to ensure workflows stay compatible with the tuf-on-ci actions
v0.3.0
NOTE: This is a major API break, users should not just upgrade the action versions but should replace their publish.yml workflow with the new workflow from tuf-on-ci-template.
Upgrade instructions from v0.2.0:
- When the Dependabot PR is created, update the PR to include the updated publish.yml from tuf-on-ci-template repository. Then the PR can be approved and merged without breaking any workflows.
See CHANGELOG.md for details.
v0.2.0
Upgrade instructions from v0.1.0:
- Dependabot version bump can be accepted as is
See CHANGELOG.md for details.
v0.1.0
NOTE: This is a major API break, users should not just upgrade the action versions but
should replace their workflows with new workflows from tuf-on-ci-template.
Release contains:
- Major refactoring of actions: New actions are more logical and enable separating publishing from online signing. The repository now contains a new branch "publish" that always points to the newest publishable repository version
- Improved Sigstore signer registration flow
- Bug fixes
Upgrade instructions:
- Remove your existing tuf-on-ci workflows and replace them with the ones from current tuf-on-ci-template.
- In Settings->Environments->github-pages change deployment branch from "main" to "publish"
- If you use the experimental sigstore online signing: After updating, run "tuf-on-ci-delegate sign/update-online-key timestamp" and re-select sigstore as the signing system. This creates a new signing event that is required for online signing to work.
Thanks to contributors Radoslav Dimitrov, Meredith Lancaster and lv291.
0.0.1
Initial release of TUF-on-CI.
TUF-on-CI is a repository and signer implementation of
https://theupdateframework.io/ that runs on a Continuous Integration platform.
Features include:
- Threshold signing with hardware keys and Sigstore
- Automated online signing with multiple KMSs
- Polished signing user experience
- No custom code required
The signer is not available from PyPI in this release but will be in future releases.
See README.md for repository and signer setup instructions.
Upgrading an existing repository installation
- Start pinning tuf-on-ci actions in your workflows (see example in theupdateframework/tuf-on-ci-template#3)
- Use Dependabot in your GitHub project to get automatic update PRs in the future