From 35b92324b30c0d54bd855a061eebba8eb84d4986 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:51:43 -0400 Subject: [PATCH 01/27] build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group (#152) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/schedule-selftest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index b5f43e9..d259ddd 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -37,7 +37,7 @@ jobs: EOF - name: Open issue - uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0 + uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1 with: title: "[CI] Self-test failure" # created in the previous step From 2b042a8b3bf384a2c4f739f644281617576a91f1 Mon Sep 17 00:00:00 2001 From: Stefanie Molin <24376333+stefmolin@users.noreply.github.com> Date: Wed, 2 Oct 2024 02:41:59 -0400 Subject: [PATCH 02/27] Fix remaining reference to 2.1.1 in README (#154) Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 174d000..379ed05 100644 --- a/README.md +++ b/README.md @@ -274,7 +274,7 @@ permissions: # ... # no explicit settings needed, signs all pre-existing release artifacts -- uses: sigstore/gh-action-sigstore-python@v2.1.1 +- uses: sigstore/gh-action-sigstore-python@v3.0.0 ``` ### Internal options From ac25d5ac15463b74656819a832bc80401a37fa59 Mon Sep 17 00:00:00 2001 
From: rindeal Date: Wed, 2 Oct 2024 15:49:17 +0000 Subject: [PATCH 03/27] Enable debugging also if ACTIONS_STEP_DEBUG==true (#151) Co-authored-by: William Woodruff --- action.py | 3 ++- setup/setup.bash | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/action.py b/action.py index b6231b7..b0a43aa 100755 --- a/action.py +++ b/action.py @@ -37,7 +37,8 @@ _SUMMARY = Path(_summary_path).open("a") _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" -_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" +_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" or \ + os.getenv("ACTIONS_STEP_DEBUG", "false") == "true" _RELEASE_SIGNING_ARTIFACTS = ( os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true" diff --git a/setup/setup.bash b/setup/setup.bash index 62ece86..16785a6 100644 --- a/setup/setup.bash +++ b/setup/setup.bash @@ -22,8 +22,10 @@ die() { } debug() { - if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG}" = "true" ]]; then - echo -e "\033[93mDEBUG: ${1}\033[0m" + if [[ "${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG:-false}" != "false" || \ + "${ACTIONS_STEP_DEBUG:-false}" == 'true' ]] + then + echo -e "\033[93mDEBUG: ${1}\033[0m" >&2 fi } From c76ee91c768f454d1d936d12241e4b7d51f2c63d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 10 Oct 2024 22:46:41 +0100 Subject: [PATCH 04/27] setup, requirements: bump to Python 3.9 sigstore >= 3.4 requires 3.9, so this action does as well. Signed-off-by: William Woodruff --- requirements.txt | 2 +- setup/setup.bash | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index 5ecd303..441ac5c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -sigstore ~= 3.0 +sigstore ~= 3.4 requests ~= 2.28 diff --git a/setup/setup.bash b/setup/setup.bash index 16785a6..01cec88 100644 --- a/setup/setup.bash 
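Review bot: The new clause `os.getenv("ACTIONS_STEP_DEBUG", "false") == "true"` reads a name that, as far as I know, the runner does not export into a step's environment. Step-debug state normally reaches a process as `RUNNER_DEBUG=1`, while `ACTIONS_STEP_DEBUG` is only the repository secret or variable that switches it on. action.yml is not touched by this commit, so unless it already maps that value into the environment, the clause never becomes true; the same applies to the `${ACTIONS_STEP_DEBUG:-false}` test in the setup/setup.bash hunk. If the intent is to follow step debugging, also check `os.getenv("RUNNER_DEBUG") == "1"`. The existing switch is deliberately named `..._INTERNAL_BE_CAREFUL_DEBUG`, so a comment above `_DEBUG` such as `# NOTE: ordinary step debugging also enables this output; review what it logs before widening it further` would record that the guard is now broader.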
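Review bot: The rewritten test in `debug()` disagrees with the Python side in action.py when the variable is set but empty. `${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG:-false}` substitutes `false` for an empty value, whereas `os.getenv(..., "false") != "false"` sees `""` and enables debugging. The same environment can therefore produce debug output from action.py and none from setup.bash. For a switch that guards potentially sensitive output, I would make both sides opt-in on the exact value, here `"${GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG:-false}" == "true"` and in action.py `== "true"`. If the looser behaviour is intended, drop the colon (`${VAR-false}`) so bash matches Python.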
+++ b/setup/setup.bash @@ -37,7 +37,7 @@ if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then die "Internal error: setup harness was executed instead of being sourced?" fi -# Check the Python version, making sure it's new enough (3.8+) +# Check the Python version, making sure it's new enough (3.9+) # The installation step immediately below will technically catch this, # but doing it explicitly gives us the opportunity to produce a better # error message. @@ -45,7 +45,7 @@ vers=$(python -V | cut -d ' ' -f2) maj_vers=$(cut -d '.' -f1 <<< "${vers}") min_vers=$(cut -d '.' -f2 <<< "${vers}") -[[ "${maj_vers}" == "3" && "${min_vers}" -ge 8 ]] || die "Bad Python version: ${vers}" +[[ "${maj_vers}" == "3" && "${min_vers}" -ge 9 ]] || die "Bad Python version: ${vers}" # If the user didn't explicitly configure a Python version with # `actions/setup-python`, then we might be using the distribution's Python and From a0d937b5bd2871dd2d415e4f7e0a2498cb6828ef Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 10 Oct 2024 22:47:47 +0100 Subject: [PATCH 05/27] CHANGELOG: record Signed-off-by: William Woodruff --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 04da74d..8cca774 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ All versions prior to 3.0.0 are untracked. ## [Unreleased] +### Changed + +* The minimum Python version supported by this action is now 3.9 + ## [3.0.0] ### Added From 40f3ae89b94598002f32b00421d592cb3cca24ea Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 10 Dec 2024 17:31:53 -0500 Subject: [PATCH 06/27] requirements: bump to sigstore ~= 3.6 (#157) --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5ecd303..a9a2cad 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -sigstore ~= 3.0 +sigstore ~= 3.6 requests ~= 2.28 From 3f94c8b50e9ace8b06f6236612b4ed615b8a85c1 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Mon, 6 Jan 2025 14:58:23 -0500 Subject: [PATCH 07/27] ci: cleanup, fix zizmor findings Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 4 +++ .github/workflows/release.yml | 2 ++ .github/workflows/selftest.yml | 51 ++++++++++++++++++++++++++++++++-- .github/workflows/semgrep.yml | 11 +++++--- .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++ 5 files changed, 98 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7fe68e7..91e5f8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: actions/setup-python@v5 with: python-version: "3.x" + - name: lint run: make lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eeed331..cff0909 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: sign uses: ./ diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index dc9b3f9..d70c5cf 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -8,11 +8,12 @@ on: workflow_dispatch: workflow_call: -permissions: - id-token: write +permissions: {} jobs: selftest: + permissions: + id-token: write strategy: matrix: os: @@ -25,6 +26,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: @@ -41,6 +44,8 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-runner-python: + permissions: + id-token: write strategy: matrix: os: 
@@ -51,6 +56,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -63,6 +70,8 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-whitespace: + permissions: + id-token: write strategy: matrix: os: @@ -73,6 +82,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: @@ -94,6 +105,8 @@ jobs: [[ -f ./test/more\ white\ space.txt ]] || exit 1 selftest-xfail-invalid-inputs: + permissions: + id-token: write runs-on: ubuntu-latest strategy: matrix: @@ -105,6 +118,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature continue-on-error: true uses: ./ @@ -122,10 +137,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-staging: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -138,10 +157,14 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-glob: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python 
@@ -156,12 +179,16 @@ jobs: [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 selftest-xfail-glob-input-expansion: + permissions: + id-token: write runs-on: ubuntu-latest env: TEST_DIR: test if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures continue-on-error: true uses: ./ @@ -182,10 +209,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-glob-multiple: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python @@ -205,10 +236,14 @@ jobs: [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 selftest-upload-artifacts: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -228,10 +263,14 @@ jobs: working-directory: ./test/uploaded selftest-verify: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -244,6 +283,8 @@ jobs: internal-be-careful-debug: true selftest-xfail-verify-missing-options: + permissions: + id-token: write runs-on: ubuntu-latest strategy: matrix: 
@@ -268,6 +309,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature continue-on-error: true uses: ./ @@ -290,10 +333,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-identity-token: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get OIDC token id: get-oidc-token run: | diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 1df680c..1353e78 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -12,11 +12,14 @@ name: Semgrep jobs: semgrep: name: Scan - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: - image: returntocorp/semgrep + image: semgrep/semgrep + steps: - - uses: actions/checkout@v4 - - run: semgrep ci + - uses: actions/checkout@v4 + with: + persist-credentials: false + - run: semgrep ci diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..6830f8b --- /dev/null +++ b/.github/workflows/zizmor.yml 
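Review bot: In the semgrep.yml hunk, `image: semgrep/semgrep` has no tag or digest, so every run pulls whatever the registry currently serves as the default tag. That job also has `SEMGREP_APP_TOKEN` in its environment. Pin the container to a reviewed digest, for example `image: semgrep/semgrep@sha256:<digest-of-reviewed-image>`, and let the dependency bot move it. No `permissions:` key is visible for this job within the hunk; the top of the file is outside the hunk, so it may be set there, but if it is not, `permissions: {}` at workflow level with `contents: read` on the job would match what this commit does for selftest.yml.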
@@ -0,0 +1,36 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor From 07d6ec9fd47492e0f5c1b0a2881bf54dba0d55e2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Jan 2025 14:27:05 -0500 Subject: [PATCH 08/27] README: add a notice about whether this action is needed Signed-off-by: William Woodruff --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 379ed05..cac60bd 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,12 @@ gh-action-sigstore-python A GitHub Action that uses [`sigstore-python`](https://github.com/sigstore/sigstore-python) to generate Sigstore signatures. +> [!IMPORTANT] +> +> Are you publishing a package? If so, you **do not need this action**: +> [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) +> will handle signing for you! + ## Index * [Usage](#usage) From bc0624bdf5503da10c29410d17cef8f91b191a45 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Jan 2025 14:36:09 -0500 Subject: [PATCH 09/27] fix formatting Signed-off-by: William Woodruff --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index cac60bd..73c497f 100644 --- a/README.md +++ b/README.md 
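Review bot: In the new zizmor.yml, `run: uvx zizmor --format sarif . > results.sarif` fetches whichever zizmor release is newest on PyPI at run time and executes it with `GH_TOKEN` in the environment, on a job that holds `security-events: write`. The checkout step is hardened with `persist-credentials: false`, but the tool itself is not pinned, so a bad or compromised upload would run here unreviewed. Pin the version in the command, e.g. `run: uvx zizmor@<reviewed-version> --format sarif . > results.sarif`, and update it deliberately. The step name "Install the latest version of uv" suggests `astral-sh/setup-uv` also installs an unpinned uv; if the action offers a version input, setting it would close the same gap.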
@@ -8,7 +8,6 @@ A GitHub Action that uses [`sigstore-python`](https://github.com/sigstore/sigsto to generate Sigstore signatures. > [!IMPORTANT] -> > Are you publishing a package? If so, you **do not need this action**: > [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) > will handle signing for you! From d7f0f7df11ae598d589bd416b9019009a8d7291f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Jan 2025 14:37:58 -0500 Subject: [PATCH 10/27] clarify we mean PyPI Signed-off-by: William Woodruff --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 73c497f..67222ea 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ A GitHub Action that uses [`sigstore-python`](https://github.com/sigstore/sigsto to generate Sigstore signatures. > [!IMPORTANT] -> Are you publishing a package? If so, you **do not need this action**: +> Are you publishing a package to PyPI? If so, you **do not need this action**: > [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) > will handle signing for you! From 300d3393a8effd58cc9e99f701c7c7238fb517d2 Mon Sep 17 00:00:00 2001 From: Hayley Denbraver Date: Tue, 4 Feb 2025 00:50:29 -0800 Subject: [PATCH 11/27] Linking to CI quickstart. (#163) --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 67222ea..14aab51 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,8 @@ gh-action-sigstore-python [![CI](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/ci.yml/badge.svg)](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/ci.yml) [![Self-test](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml/badge.svg)](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml) -A GitHub Action that uses [`sigstore-python`](https://github.com/sigstore/sigstore-python) -to generate Sigstore signatures. +This GitHub Action uses [`sigstore-python`](https://github.com/sigstore/sigstore-python) +to generate Sigstore signatures. `gh-action-sigstore-python` is the easiest way to [integrate Sigstore into your CI system](https://docs.sigstore.dev/quickstart/quickstart-ci/) and can be used for not only Python projects, but projects in other languages as well. > [!IMPORTANT] > Are you publishing a package to PyPI? If so, you **do not need this action**: @@ -31,7 +31,9 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + with: + persist-credentials: false - name: install run: python -m pip install . - uses: sigstore/gh-action-sigstore-python@v3.0.0 From ee10b534aeeb2fdac7d0d646c8a6057e964d8e83 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Tue, 22 Apr 2025 16:00:31 -0400 Subject: [PATCH 12/27] chore: hash-pin everything (#165) --- .github/workflows/ci.yml | 6 +- .github/workflows/release.yml | 2 +- .github/workflows/selftest.yml | 30 +++--- .github/workflows/semgrep.yml | 2 +- .github/workflows/zizmor.yml | 6 +- Makefile | 16 ++- action.py | 6 +- action.yml | 4 +- dev-requirements.txt => requirements/dev.in | 0 requirements/dev.txt | 114 ++++++++++++++++++++ requirements.txt => requirements/main.in | 0 requirements/main.txt | 95 ++++++++++++++++ setup/setup.bash | 2 +- 13 files changed, 249 insertions(+), 34 deletions(-) rename dev-requirements.txt => requirements/dev.in (100%) create mode 100644 requirements/dev.txt rename requirements.txt => requirements/main.in (100%) create mode 100644 requirements/main.txt diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 91e5f8e..c97e3b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,13 +10,11 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - - uses: actions/setup-python@v5 - with: - python-version: "3.x" + - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 - name: lint run: make lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cff0909..b5c1b4e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index d70c5cf..f35e4e1 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml 
@@ -25,10 +25,10 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -55,7 +55,7 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature @@ -81,10 +81,10 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -117,7 +117,7 @@ jobs: - "/tmp/extremely-nonexistent-file" if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature @@ -142,7 +142,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature 
@@ -162,7 +162,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifacts and publish signatures @@ -186,7 +186,7 @@ jobs: TEST_DIR: test if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifacts and publish signatures @@ -214,7 +214,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifacts and publish signatures @@ -241,7 +241,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature @@ -252,7 +252,7 @@ jobs: staging: true upload-signing-artifacts: true internal-be-careful-debug: true - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4 with: name: "signing-artifacts-${{ github.job }}" path: ./test/uploaded @@ -268,7 +268,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature 
@@ -308,7 +308,7 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Sign artifact and publish signature @@ -338,7 +338,7 @@ jobs: runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Get OIDC token diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 1353e78..f32255c 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -19,7 +19,7 @@ jobs: image: semgrep/semgrep steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - run: semgrep ci diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 6830f8b..15db6df 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -17,12 +17,12 @@ jobs: actions: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3 with: sarif_file: results.sarif category: zizmor diff --git a/Makefile b/Makefile index 8b88c26..35f7099 100644 --- a/Makefile +++ b/Makefile 
@@ -1,18 +1,24 @@ + .PHONY: all all: @echo "Run my targets individually!" -env/pyvenv.cfg: dev-requirements.txt - python3 -m venv env - ./env/bin/python -m pip install --upgrade pip - ./env/bin/python -m pip install --requirement dev-requirements.txt +.PHONY: requirements +requirements: requirements/main.txt requirements/dev.txt + +requirements/%.txt: requirements/%.in + uv pip compile --generate-hashes --prerelease=allow --output-file=$@ $< + +env/pyvenv.cfg: requirements/dev.txt requirements/main.txt + uv venv + uv pip install -r requirements/main.txt -r requirements/dev.txt .PHONY: dev dev: env/pyvenv.cfg .PHONY: lint lint: env/pyvenv.cfg action.py - . ./env/bin/activate && \ + . ./.venv/bin/activate && \ black action.py && \ isort action.py && \ mypy action.py && \ diff --git a/action.py b/action.py index b0a43aa..d92f7a3 100755 --- a/action.py +++ b/action.py @@ -37,8 +37,10 @@ _SUMMARY = Path(_summary_path).open("a") _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" -_DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" or \ - os.getenv("ACTIONS_STEP_DEBUG", "false") == "true" +_DEBUG = ( + os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" + or os.getenv("ACTIONS_STEP_DEBUG", "false") == "true" +) _RELEASE_SIGNING_ARTIFACTS = ( os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS", "true") == "true" diff --git a/action.yml b/action.yml index 2fd642b..9234832 100644 --- a/action.yml +++ b/action.yml 
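Review bot: In the Makefile hunk, the `env/pyvenv.cfg` target no longer matches what its recipe creates. `uv venv` with no path argument writes the environment to `.venv`, which is also what the `lint` recipe now activates via `. ./.venv/bin/activate`. Because `env/pyvenv.cfg` is never produced, make treats the target as out of date and re-runs `uv venv` and `uv pip install` on every `make dev` or `make lint`; a stale `env/` directory from the old recipe would have the opposite effect and skip creating `.venv` entirely. Rename the target and its two uses: `.venv/pyvenv.cfg: requirements/dev.txt requirements/main.txt`, `dev: .venv/pyvenv.cfg` and `lint: .venv/pyvenv.cfg action.py`. The `lint` recipe continues past the end of the hunk.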
@@ -101,13 +101,13 @@ runs: GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}" shell: bash - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: inputs.upload-signing-artifacts == 'true' with: name: "signing-artifacts-${{ github.job }}" path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" - - uses: softprops/action-gh-release@v2 + - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2 if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published' with: files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" diff --git a/dev-requirements.txt b/requirements/dev.in similarity index 100% rename from dev-requirements.txt rename to requirements/dev.in diff --git a/requirements/dev.txt b/requirements/dev.txt new file mode 100644 index 0000000..c3b3585 --- /dev/null +++ b/requirements/dev.txt 
@@ -0,0 +1,114 @@ +# This file was autogenerated by uv via the following command: +# uv pip compile --generate-hashes --prerelease=allow --output-file=requirements/dev.txt requirements/dev.in +black==25.1.0 \ + --hash=sha256:030b9759066a4ee5e5aca28c3c77f9c64789cdd4de8ac1df642c40b708be6171 \ + --hash=sha256:055e59b198df7ac0b7efca5ad7ff2516bca343276c466be72eb04a3bcc1f82d7 \ + --hash=sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da \ + --hash=sha256:172b1dbff09f86ce6f4eb8edf9dede08b1fce58ba194c87d7a4f1a5aa2f5b3c2 \ + --hash=sha256:1e2978f6df243b155ef5fa7e558a43037c3079093ed5d10fd84c43900f2d8ecc \ + --hash=sha256:33496d5cd1222ad73391352b4ae8da15253c5de89b93a80b3e2c8d9a19ec2666 \ + --hash=sha256:3b48735872ec535027d979e8dcb20bf4f70b5ac75a8ea99f127c106a7d7aba9f \ + --hash=sha256:4b60580e829091e6f9238c848ea6750efed72140b91b048770b64e74fe04908b \ + --hash=sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32 \ + --hash=sha256:8f0b18a02996a836cc9c9c78e5babec10930862827b1b724ddfe98ccf2f2fe4f \ + --hash=sha256:95e8176dae143ba9097f351d174fdaf0ccd29efb414b362ae3fd72bf0f710717 \ + --hash=sha256:96c1c7cd856bba8e20094e36e0f948718dc688dba4a9d78c3adde52b9e6c2299 \ + --hash=sha256:a1ee0a0c330f7b5130ce0caed9936a904793576ef4d2b98c40835d6a65afa6a0 \ + --hash=sha256:a22f402b410566e2d1c950708c77ebf5ebd5d0d88a6a2e87c86d9fb48afa0d18 \ + --hash=sha256:a39337598244de4bae26475f77dda852ea00a93bd4c728e09eacd827ec929df0 \ + --hash=sha256:afebb7098bfbc70037a053b91ae8437c3857482d3a690fefc03e9ff7aa9a5fd3 \ + --hash=sha256:bacabb307dca5ebaf9c118d2d2f6903da0d62c9faa82bd21a33eecc319559355 \ + --hash=sha256:bce2e264d59c91e52d8000d507eb20a9aca4a778731a08cfff7e5ac4a4bb7096 \ + --hash=sha256:d9e6827d563a2c820772b32ce8a42828dc6790f095f441beef18f96aa6f8294e \ + --hash=sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9 \ + --hash=sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba \ + 
--hash=sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f + # via -r requirements/dev.in +click==8.1.8 \ + --hash=sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2 \ + --hash=sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a + # via black +flake8==7.2.0 \ + --hash=sha256:93b92ba5bdb60754a6da14fa3b93a9361fd00a59632ada61fd7b130436c40343 \ + --hash=sha256:fa558ae3f6f7dbf2b4f22663e5343b6b6023620461f8d4ff2019ef4b5ee70426 + # via -r requirements/dev.in +isort==6.0.1 \ + --hash=sha256:1cb5df28dfbc742e490c5e41bad6da41b805b0a8be7bc93cd0fb2a8a890ac450 \ + --hash=sha256:2dc5d7f65c9678d94c88dfc29161a320eec67328bc97aad576874cb4be1e9615 + # via -r requirements/dev.in +mccabe==0.7.0 \ + --hash=sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325 \ + --hash=sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e + # via flake8 +mypy==1.15.0 \ + --hash=sha256:1124a18bc11a6a62887e3e137f37f53fbae476dc36c185d549d4f837a2a6a14e \ + --hash=sha256:171a9ca9a40cd1843abeca0e405bc1940cd9b305eaeea2dda769ba096932bb22 \ + --hash=sha256:1905f494bfd7d85a23a88c5d97840888a7bd516545fc5aaedff0267e0bb54e2f \ + --hash=sha256:1fbb8da62dc352133d7d7ca90ed2fb0e9d42bb1a32724c287d3c76c58cbaa9c2 \ + --hash=sha256:2922d42e16d6de288022e5ca321cd0618b238cfc5570e0263e5ba0a77dbef56f \ + --hash=sha256:2e2c2e6d3593f6451b18588848e66260ff62ccca522dd231cd4dd59b0160668b \ + --hash=sha256:2ee2d57e01a7c35de00f4634ba1bbf015185b219e4dc5909e281016df43f5ee5 \ + --hash=sha256:2f2147ab812b75e5b5499b01ade1f4a81489a147c01585cda36019102538615f \ + --hash=sha256:404534629d51d3efea5c800ee7c42b72a6554d6c400e6a79eafe15d11341fd43 \ + --hash=sha256:5469affef548bd1895d86d3bf10ce2b44e33d86923c29e4d675b3e323437ea3e \ + --hash=sha256:5a95fb17c13e29d2d5195869262f8125dfdb5c134dc8d9a9d0aecf7525b10c2c \ + --hash=sha256:6983aae8b2f653e098edb77f893f7b6aca69f6cffb19b2cc7443f23cce5f4828 \ + 
--hash=sha256:712e962a6357634fef20412699a3655c610110e01cdaa6180acec7fc9f8513ba \ + --hash=sha256:8023ff13985661b50a5928fc7a5ca15f3d1affb41e5f0a9952cb68ef090b31ee \ + --hash=sha256:811aeccadfb730024c5d3e326b2fbe9249bb7413553f15499a4050f7c30e801d \ + --hash=sha256:8f8722560a14cde92fdb1e31597760dc35f9f5524cce17836c0d22841830fd5b \ + --hash=sha256:93faf3fdb04768d44bf28693293f3904bbb555d076b781ad2530214ee53e3445 \ + --hash=sha256:973500e0774b85d9689715feeffcc980193086551110fd678ebe1f4342fb7c5e \ + --hash=sha256:979e4e1a006511dacf628e36fadfecbcc0160a8af6ca7dad2f5025529e082c13 \ + --hash=sha256:98b7b9b9aedb65fe628c62a6dc57f6d5088ef2dfca37903a7d9ee374d03acca5 \ + --hash=sha256:aea39e0583d05124836ea645f412e88a5c7d0fd77a6d694b60d9b6b2d9f184fd \ + --hash=sha256:b9378e2c00146c44793c98b8d5a61039a048e31f429fb0eb546d93f4b000bedf \ + --hash=sha256:baefc32840a9f00babd83251560e0ae1573e2f9d1b067719479bfb0e987c6357 \ + --hash=sha256:be68172e9fd9ad8fb876c6389f16d1c1b5f100ffa779f77b1fb2176fcc9ab95b \ + --hash=sha256:c43a7682e24b4f576d93072216bf56eeff70d9140241f9edec0c104d0c515036 \ + --hash=sha256:c4bb0e1bd29f7d34efcccd71cf733580191e9a264a2202b0239da95984c5b559 \ + --hash=sha256:c7be1e46525adfa0d97681432ee9fcd61a3964c2446795714699a998d193f1a3 \ + --hash=sha256:c9817fa23833ff189db061e6d2eff49b2f3b6ed9856b4a0a73046e41932d744f \ + --hash=sha256:ce436f4c6d218a070048ed6a44c0bbb10cd2cc5e272b29e7845f6a2f57ee4464 \ + --hash=sha256:d10d994b41fb3497719bbf866f227b3489048ea4bbbb5015357db306249f7980 \ + --hash=sha256:e601a7fa172c2131bff456bb3ee08a88360760d0d2f8cbd7a75a65497e2df078 \ + --hash=sha256:f95579473af29ab73a10bada2f9722856792a36ec5af5399b653aa28360290a5 + # via -r requirements/dev.in +mypy-extensions==1.1.0 \ + --hash=sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505 \ + --hash=sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558 + # via + # black + # mypy +packaging==25.0 \ + 
--hash=sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 \ + --hash=sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f + # via black +pathspec==0.12.1 \ + --hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \ + --hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712 + # via black +platformdirs==4.3.7 \ + --hash=sha256:a03875334331946f13c549dbd8f4bac7a13a50a895a0eb1e8c6a8ace80d40a94 \ + --hash=sha256:eb437d586b6a0986388f0d6f74aa0cde27b48d0e3d66843640bfb6bdcdb6e351 + # via black +pycodestyle==2.13.0 \ + --hash=sha256:35863c5974a271c7a726ed228a14a4f6daf49df369d8c50cd9a6f58a5e143ba9 \ + --hash=sha256:c8415bf09abe81d9c7f872502a6eee881fbe85d8763dd5b9924bb0a01d67efae + # via flake8 +pyflakes==3.3.2 \ + --hash=sha256:5039c8339cbb1944045f4ee5466908906180f13cc99cc9949348d10f82a5c32a \ + --hash=sha256:6dfd61d87b97fba5dcfaaf781171ac16be16453be6d816147989e7f6e6a9576b + # via flake8 +types-requests==2.32.0.20250328 \ + --hash=sha256:72ff80f84b15eb3aa7a8e2625fffb6a93f2ad5a0c20215fc1dcfa61117bcb2a2 \ + --hash=sha256:c9e67228ea103bd811c96984fac36ed2ae8da87a36a633964a21f199d60baf32 + # via -r requirements/dev.in +typing-extensions==4.13.2 \ + --hash=sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c \ + --hash=sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef + # via mypy +urllib3==2.4.0 \ + --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \ + --hash=sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813 + # via types-requests diff --git a/requirements.txt b/requirements/main.in similarity index 100% rename from requirements.txt rename to requirements/main.in diff --git a/requirements/main.txt b/requirements/main.txt new file mode 100644 index 0000000..6a18359 --- /dev/null +++ b/requirements/main.txt 
@@ -0,0 +1,95 @@ +# This file was autogenerated by uv via the following command: +# uv pip compile --prerelease=allow --output-file=requirements/main.txt requirements/main.in +annotated-types==0.7.0 + # via pydantic +betterproto==2.0.0b6 + # via sigstore-protobuf-specs +certifi==2025.1.31 + # via requests +cffi==1.17.1 + # via cryptography +charset-normalizer==3.4.1 + # via requests +cryptography==44.0.2 + # via + # pyopenssl + # rfc3161-client + # sigstore +dnspython==2.7.0 + # via email-validator +email-validator==2.2.0 + # via pydantic +grpclib==0.4.8rc2 + # via betterproto +h2==4.2.0 + # via grpclib +hpack==4.1.0 + # via h2 +hyperframe==6.1.0 + # via h2 +id==1.5.0 + # via sigstore +idna==3.10 + # via + # email-validator + # requests +markdown-it-py==3.0.0 + # via rich +mdurl==0.1.2 + # via markdown-it-py +multidict==6.4.3 + # via grpclib +platformdirs==4.3.7 + # via sigstore +pyasn1==0.6.1 + # via sigstore +pycparser==2.22 + # via cffi +pydantic==2.11.3 + # via + # sigstore + # sigstore-rekor-types +pydantic-core==2.33.1 + # via pydantic +pygments==2.19.1 + # via rich +pyjwt==2.10.1 + # via sigstore +pyopenssl==25.0.0 + # via sigstore +python-dateutil==2.9.0.post0 + # via betterproto +requests==2.32.3 + # via + # -r requirements/main.in + # id + # sigstore +rfc3161-client==1.0.1 + # via sigstore +rfc8785==0.1.4 + # via sigstore +rich==14.0.0 + # via sigstore +securesystemslib==1.3.0 + # via tuf +sigstore==3.6.2 + # via -r requirements/main.in +sigstore-protobuf-specs==0.3.2 + # via sigstore +sigstore-rekor-types==0.0.18 + # via sigstore +six==1.17.0 + # via python-dateutil +tuf==6.0.0 + # via sigstore +typing-extensions==4.13.2 + # via + # pydantic + # pydantic-core + # typing-inspection +typing-inspection==0.4.0 + # via pydantic +urllib3==2.4.0 + # via + # requests + # tuf diff --git a/setup/setup.bash b/setup/setup.bash index 01cec88..55babf6 100644 --- a/setup/setup.bash +++ b/setup/setup.bash 
@@ -60,7 +60,7 @@ else VENV_PYTHON_PATH="${GITHUB_ACTION_PATH}/.action-env/Scripts/python" fi -"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements.txt" +"${VENV_PYTHON_PATH}" -m pip install --requirement "${GITHUB_ACTION_PATH}/requirements/main.txt" debug "sigstore-python: $("${VENV_PYTHON_PATH}" -m sigstore --version)" From 81b8ec7fe9ba0173e9217d8ef42786d77b51dce5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Apr 2025 16:37:30 -0400 Subject: [PATCH 13/27] build(deps): bump github/codeql-action in the actions group (#166) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 15db6df..e4d553a 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3 with: sarif_file: results.sarif category: zizmor From dc5fdb3a4e5a6876692c8d17a6d236acb57502b4 Mon Sep 17 00:00:00 2001 
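Review bot: The changed `pip install --requirement` line in setup/setup.bash installs from `requirements/main.txt` without `--require-hashes`, and the main.txt added in this same commit is compiled without `--generate-hashes`, so the action's own dependencies are pinned by version only and their artifacts are not checked against a digest. The requirements/dev.txt entries shown in this patch do carry `--hash=sha256:` lines, which leaves the lint tooling better protected than the packages the action actually runs. I would compile main.txt with `--generate-hashes` and make the install fail closed: `"${VENV_PYTHON_PATH}" -m pip install --require-hashes --requirement "${GITHUB_ACTION_PATH}/requirements/main.txt"`. The explicit flag matters because pip turns on hash checking implicitly only when the file contains hashes, so a later regeneration that drops them would otherwise go unnoticed. The if/else that sets VENV_PYTHON_PATH starts outside the hunk.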
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Apr 2025 20:59:28 +0000 Subject: [PATCH 14/27] build(deps): bump the actions group with 3 updates Bumps the actions group with 3 updates: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv), [actions/setup-python](https://github.com/actions/setup-python) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `astral-sh/setup-uv` from 5.4.2 to 6.0.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86...c7f87aa956e4c323abf06d5dec078e358f6b4d04) Updates `actions/setup-python` from 5.5.0 to 5.6.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/8d9ed9ac5c53483de85588cdf95a591a75ab9f55...a26af69be951a213d495a4c3e4e4022e16d87065) Updates `actions/download-artifact` from 4.2.1 to 4.3.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/95815c38cf2ff2164869cbab79da8d1f422bc89e...d3f86a106a0bac45b974a628896c90dbdf5c8093) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-version: 5.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/download-artifact dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- .github/workflows/selftest.yml | 6 +++--- .github/workflows/zizmor.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c97e3b6..b84c489 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: with: persist-credentials: false - - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 + - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v5 - name: lint run: make lint diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index f35e4e1..d1c5217 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -84,7 +84,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false - - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -252,7 +252,7 @@ jobs: staging: true upload-signing-artifacts: true internal-be-careful-debug: true - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: "signing-artifacts-${{ github.job }}" path: ./test/uploaded diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e4d553a..ffe2b89 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -22,7 +22,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 + uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v5 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif From 58e403ada344410e055ae3d4906922d043f279bf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 May 2025 00:23:24 -0400 Subject: [PATCH 15/27] build(deps): bump astral-sh/setup-uv in the actions group (#168) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b84c489..24570cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: with: persist-credentials: false - - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v5 + - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v5 - name: lint run: make lint diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index ffe2b89..0040eba 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -22,7 +22,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v5 + uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v5 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif From f95e75ef8307ebc0904cc8809151c7efed451a35 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 May 2025 16:50:01 -0400 Subject: [PATCH 16/27] build(deps): bump github/codeql-action in the actions group (#169) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0040eba..878ed67 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3 + uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 with: sarif_file: results.sarif category: zizmor From bad42396ede20a0919aa58c6bde007bcd41c46da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 17 May 2025 23:32:50 -0400 Subject: [PATCH 17/27] build(deps): bump github/codeql-action in the actions group (#170) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 878ed67..39a8686 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: sarif_file: results.sarif category: zizmor From 42bbcff08f93bc51a1e4b48a19b633ab975d10a6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 May 2025 17:05:53 -0400 Subject: [PATCH 18/27] build(deps): bump astral-sh/setup-uv in the actions group (#171) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24570cb..c144820 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: with: persist-credentials: false - - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v5 + - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5 - name: lint run: make lint diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 39a8686..ed665ee 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -22,7 +22,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v5 + uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif From 250d1740e0d24c4565c8a5b94f10a952e06e9063 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jun 2025 10:06:20 +0300 Subject: [PATCH 19/27] build(deps): bump github/codeql-action in the actions group (#172) Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.28.18 to 3.28.19 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ff0a06e83cb2de871e5a09832bc6a81e7276941f...fca7ace96b7d713c7035871441bd52efbe39e27e) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.28.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index ed665ee..136895e 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 + uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3 with: sarif_file: results.sarif category: zizmor From cbd4d80b10f2b708b7be83cdf2318a15ae9cf632 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Fri, 6 Jun 2025 17:39:43 +0300 Subject: [PATCH 20/27] Update Python dependencies (#174) --- requirements/dev.txt | 94 +++---- requirements/main.txt | 559 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 567 insertions(+), 86 deletions(-) diff --git a/requirements/dev.txt b/requirements/dev.txt index c3b3585..813c8f6 100644 
--- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -24,9 +24,9 @@ black==25.1.0 \ --hash=sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba \ --hash=sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f # via -r requirements/dev.in -click==8.1.8 \ - --hash=sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2 \ - --hash=sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a +click==8.2.1 \ + --hash=sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202 \ + --hash=sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b # via black flake8==7.2.0 \ --hash=sha256:93b92ba5bdb60754a6da14fa3b93a9361fd00a59632ada61fd7b130436c40343 \ 
@@ -40,39 +40,39 @@ mccabe==0.7.0 \ --hash=sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325 \ --hash=sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e # via flake8 -mypy==1.15.0 \ - --hash=sha256:1124a18bc11a6a62887e3e137f37f53fbae476dc36c185d549d4f837a2a6a14e \ - --hash=sha256:171a9ca9a40cd1843abeca0e405bc1940cd9b305eaeea2dda769ba096932bb22 \ - --hash=sha256:1905f494bfd7d85a23a88c5d97840888a7bd516545fc5aaedff0267e0bb54e2f \ - --hash=sha256:1fbb8da62dc352133d7d7ca90ed2fb0e9d42bb1a32724c287d3c76c58cbaa9c2 \ - --hash=sha256:2922d42e16d6de288022e5ca321cd0618b238cfc5570e0263e5ba0a77dbef56f \ - --hash=sha256:2e2c2e6d3593f6451b18588848e66260ff62ccca522dd231cd4dd59b0160668b \ - --hash=sha256:2ee2d57e01a7c35de00f4634ba1bbf015185b219e4dc5909e281016df43f5ee5 \ - --hash=sha256:2f2147ab812b75e5b5499b01ade1f4a81489a147c01585cda36019102538615f \ - --hash=sha256:404534629d51d3efea5c800ee7c42b72a6554d6c400e6a79eafe15d11341fd43 \ - --hash=sha256:5469affef548bd1895d86d3bf10ce2b44e33d86923c29e4d675b3e323437ea3e \ - --hash=sha256:5a95fb17c13e29d2d5195869262f8125dfdb5c134dc8d9a9d0aecf7525b10c2c \ - --hash=sha256:6983aae8b2f653e098edb77f893f7b6aca69f6cffb19b2cc7443f23cce5f4828 \ - --hash=sha256:712e962a6357634fef20412699a3655c610110e01cdaa6180acec7fc9f8513ba \ - --hash=sha256:8023ff13985661b50a5928fc7a5ca15f3d1affb41e5f0a9952cb68ef090b31ee \ - --hash=sha256:811aeccadfb730024c5d3e326b2fbe9249bb7413553f15499a4050f7c30e801d \ - --hash=sha256:8f8722560a14cde92fdb1e31597760dc35f9f5524cce17836c0d22841830fd5b \ - --hash=sha256:93faf3fdb04768d44bf28693293f3904bbb555d076b781ad2530214ee53e3445 \ - --hash=sha256:973500e0774b85d9689715feeffcc980193086551110fd678ebe1f4342fb7c5e \ - --hash=sha256:979e4e1a006511dacf628e36fadfecbcc0160a8af6ca7dad2f5025529e082c13 \ - --hash=sha256:98b7b9b9aedb65fe628c62a6dc57f6d5088ef2dfca37903a7d9ee374d03acca5 \ - --hash=sha256:aea39e0583d05124836ea645f412e88a5c7d0fd77a6d694b60d9b6b2d9f184fd \ - 
--hash=sha256:b9378e2c00146c44793c98b8d5a61039a048e31f429fb0eb546d93f4b000bedf \ - --hash=sha256:baefc32840a9f00babd83251560e0ae1573e2f9d1b067719479bfb0e987c6357 \ - --hash=sha256:be68172e9fd9ad8fb876c6389f16d1c1b5f100ffa779f77b1fb2176fcc9ab95b \ - --hash=sha256:c43a7682e24b4f576d93072216bf56eeff70d9140241f9edec0c104d0c515036 \ - --hash=sha256:c4bb0e1bd29f7d34efcccd71cf733580191e9a264a2202b0239da95984c5b559 \ - --hash=sha256:c7be1e46525adfa0d97681432ee9fcd61a3964c2446795714699a998d193f1a3 \ - --hash=sha256:c9817fa23833ff189db061e6d2eff49b2f3b6ed9856b4a0a73046e41932d744f \ - --hash=sha256:ce436f4c6d218a070048ed6a44c0bbb10cd2cc5e272b29e7845f6a2f57ee4464 \ - --hash=sha256:d10d994b41fb3497719bbf866f227b3489048ea4bbbb5015357db306249f7980 \ - --hash=sha256:e601a7fa172c2131bff456bb3ee08a88360760d0d2f8cbd7a75a65497e2df078 \ - --hash=sha256:f95579473af29ab73a10bada2f9722856792a36ec5af5399b653aa28360290a5 +mypy==1.16.0 \ + --hash=sha256:021a68568082c5b36e977d54e8f1de978baf401a33884ffcea09bd8e88a98f4c \ + --hash=sha256:089bedc02307c2548eb51f426e085546db1fa7dd87fbb7c9fa561575cf6eb1ff \ + --hash=sha256:09a8da6a0ee9a9770b8ff61b39c0bb07971cda90e7297f4213741b48a0cc8d93 \ + --hash=sha256:0b07e107affb9ee6ce1f342c07f51552d126c32cd62955f59a7db94a51ad12c0 \ + --hash=sha256:15486beea80be24ff067d7d0ede673b001d0d684d0095803b3e6e17a886a2a92 \ + --hash=sha256:29e1499864a3888bca5c1542f2d7232c6e586295183320caa95758fc84034031 \ + --hash=sha256:2e7e0ad35275e02797323a5aa1be0b14a4d03ffdb2e5f2b0489fa07b89c67b21 \ + --hash=sha256:4086883a73166631307fdd330c4a9080ce24913d4f4c5ec596c601b3a4bdd777 \ + --hash=sha256:54066fed302d83bf5128632d05b4ec68412e1f03ef2c300434057d66866cea4b \ + --hash=sha256:55f9076c6ce55dd3f8cd0c6fff26a008ca8e5131b89d5ba6d86bd3f47e736eeb \ + --hash=sha256:6a2322896003ba66bbd1318c10d3afdfe24e78ef12ea10e2acd985e9d684a666 \ + --hash=sha256:7909541fef256527e5ee9c0a7e2aeed78b6cda72ba44298d1334fe7881b05c5c \ + 
--hash=sha256:82d056e6faa508501af333a6af192c700b33e15865bda49611e3d7d8358ebea2 \ + --hash=sha256:84b94283f817e2aa6350a14b4a8fb2a35a53c286f97c9d30f53b63620e7af8ab \ + --hash=sha256:936ccfdd749af4766be824268bfe22d1db9eb2f34a3ea1d00ffbe5b5265f5491 \ + --hash=sha256:9f826aaa7ff8443bac6a494cf743f591488ea940dd360e7dd330e30dd772a5ab \ + --hash=sha256:a5fcfdb7318c6a8dd127b14b1052743b83e97a970f0edb6c913211507a255e20 \ + --hash=sha256:a7e32297a437cc915599e0578fa6bc68ae6a8dc059c9e009c628e1c47f91495d \ + --hash=sha256:a9e056237c89f1587a3be1a3a70a06a698d25e2479b9a2f57325ddaaffc3567b \ + --hash=sha256:afe420c9380ccec31e744e8baff0d406c846683681025db3531b32db56962d52 \ + --hash=sha256:b4968f14f44c62e2ec4a038c8797a87315be8df7740dc3ee8d3bfe1c6bf5dba8 \ + --hash=sha256:bd4e1ebe126152a7bbaa4daedd781c90c8f9643c79b9748caa270ad542f12bec \ + --hash=sha256:c5436d11e89a3ad16ce8afe752f0f373ae9620841c50883dc96f8b8805620b13 \ + --hash=sha256:c6fb60cbd85dc65d4d63d37cb5c86f4e3a301ec605f606ae3a9173e5cf34997b \ + --hash=sha256:d045d33c284e10a038f5e29faca055b90eee87da3fc63b8889085744ebabb5a1 \ + --hash=sha256:e71d6f0090c2256c713ed3d52711d01859c82608b5d68d4fa01a3fe30df95571 \ + --hash=sha256:eb14a4a871bb8efb1e4a50360d4e3c8d6c601e7a31028a2c79f9bb659b63d730 \ + --hash=sha256:eb5fbc8063cb4fde7787e4c0406aa63094a34a2daf4673f359a1fb64050e9cb2 \ + --hash=sha256:f2622af30bf01d8fc36466231bdd203d120d7a599a6d88fb22bdcb9dbff84090 \ + --hash=sha256:f2ed0e0847a80655afa2c121835b848ed101cc7b8d8d6ecc5205aedc732b1436 \ + --hash=sha256:f56236114c425620875c7cf71700e3d60004858da856c6fc78998ffe767b73d3 \ + --hash=sha256:feec38097f71797da0231997e0de3a58108c51845399669ebc532c815f93866b # via -r requirements/dev.in mypy-extensions==1.1.0 \ --hash=sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505 \ 
@@ -87,10 +87,12 @@ packaging==25.0 \ pathspec==0.12.1 \ --hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \ --hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712 - # via black -platformdirs==4.3.7 \ - --hash=sha256:a03875334331946f13c549dbd8f4bac7a13a50a895a0eb1e8c6a8ace80d40a94 \ - --hash=sha256:eb437d586b6a0986388f0d6f74aa0cde27b48d0e3d66843640bfb6bdcdb6e351 + # via + # black + # mypy +platformdirs==4.3.8 \ + --hash=sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc \ + --hash=sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4 # via black pycodestyle==2.13.0 \ --hash=sha256:35863c5974a271c7a726ed228a14a4f6daf49df369d8c50cd9a6f58a5e143ba9 \ @@ -100,13 +102,13 @@ pyflakes==3.3.2 \ --hash=sha256:5039c8339cbb1944045f4ee5466908906180f13cc99cc9949348d10f82a5c32a \ --hash=sha256:6dfd61d87b97fba5dcfaaf781171ac16be16453be6d816147989e7f6e6a9576b # via flake8 -types-requests==2.32.0.20250328 \ - --hash=sha256:72ff80f84b15eb3aa7a8e2625fffb6a93f2ad5a0c20215fc1dcfa61117bcb2a2 \ - --hash=sha256:c9e67228ea103bd811c96984fac36ed2ae8da87a36a633964a21f199d60baf32 +types-requests==2.32.0.20250602 \ + --hash=sha256:ee603aeefec42051195ae62ca7667cd909a2f8128fdf8aad9e8a5219ecfab3bf \ + --hash=sha256:f4f335f87779b47ce10b8b8597b409130299f6971ead27fead4fe7ba6ea3e726 # via -r requirements/dev.in -typing-extensions==4.13.2 \ - --hash=sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c \ - --hash=sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef +typing-extensions==4.14.0 \ + --hash=sha256:8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4 \ + --hash=sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af # via mypy urllib3==2.4.0 \ --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \ diff --git a/requirements/main.txt b/requirements/main.txt index 6a18359..8ff8073 100644 --- a/requirements/main.txt 
+++ b/requirements/main.txt 
@@ -1,95 +1,574 @@ # This file was autogenerated by uv via the following command: -# uv pip compile --prerelease=allow --output-file=requirements/main.txt requirements/main.in -annotated-types==0.7.0 +# uv pip compile --generate-hashes --prerelease=allow --output-file=requirements/main.txt requirements/main.in +annotated-types==0.7.0 \ + --hash=sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53 \ + --hash=sha256:aff07c09a53a08bc8cfccb9c85b05f1aa9a2a6f23728d790723543408344ce89 # via pydantic -betterproto==2.0.0b6 +betterproto==2.0.0b6 \ + --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ + --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf # via sigstore-protobuf-specs -certifi==2025.1.31 +certifi==2025.4.26 \ + --hash=sha256:0a816057ea3cdefcef70270d2c515e4506bbc954f417fa5ade2021213bb8f0c6 \ + --hash=sha256:30350364dfe371162649852c63336a15c70c6510c2ad5015b21c2345311805f3 # via requests -cffi==1.17.1 +cffi==1.17.1 \ + --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ + --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ + --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ + --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ + --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ + --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ + --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ + --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ + --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ + --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ + --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ + 
--hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ + --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ + --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ + --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ + --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ + --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ + --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ + --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ + --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ + --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ + --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ + --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ + --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ + --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ + --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ + --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ + --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ + --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ + --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ + --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ + --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ + --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ + 
--hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ + --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ + --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ + --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ + --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ + --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ + --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ + --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ + --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ + --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ + --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ + --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ + --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ + --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ + --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ + --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ + --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ + --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ + --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ + --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ + --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ + 
--hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ + --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ + --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ + --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ + --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ + --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ + --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ + --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via cryptography -charset-normalizer==3.4.1 +charset-normalizer==3.4.2 \ + --hash=sha256:005fa3432484527f9732ebd315da8da8001593e2cf46a3d817669f062c3d9ed4 \ + --hash=sha256:046595208aae0120559a67693ecc65dd75d46f7bf687f159127046628178dc45 \ + --hash=sha256:0c29de6a1a95f24b9a1aa7aefd27d2487263f00dfd55a77719b530788f75cff7 \ + --hash=sha256:0c8c57f84ccfc871a48a47321cfa49ae1df56cd1d965a09abe84066f6853b9c0 \ + --hash=sha256:0f5d9ed7f254402c9e7d35d2f5972c9bbea9040e99cd2861bd77dc68263277c7 \ + --hash=sha256:18dd2e350387c87dabe711b86f83c9c78af772c748904d372ade190b5c7c9d4d \ + --hash=sha256:1b1bde144d98e446b056ef98e59c256e9294f6b74d7af6846bf5ffdafd687a7d \ + --hash=sha256:1c95a1e2902a8b722868587c0e1184ad5c55631de5afc0eb96bc4b0d738092c0 \ + --hash=sha256:1cad5f45b3146325bb38d6855642f6fd609c3f7cad4dbaf75549bf3b904d3184 \ + --hash=sha256:21b2899062867b0e1fde9b724f8aecb1af14f2778d69aacd1a5a1853a597a5db \ + --hash=sha256:24498ba8ed6c2e0b56d4acbf83f2d989720a93b41d712ebd4f4979660db4417b \ + --hash=sha256:25a23ea5c7edc53e0f29bae2c44fcb5a1aa10591aae107f2a2b2583a9c5cbc64 \ + --hash=sha256:289200a18fa698949d2b39c671c2cc7a24d44096784e76614899a7ccf2574b7b \ + --hash=sha256:28a1005facc94196e1fb3e82a3d442a9d9110b8434fc1ded7a24a2983c9888d8 \ + --hash=sha256:32fc0341d72e0f73f80acb0a2c94216bd704f4f0bce10aedea38f30502b271ff \ + 
--hash=sha256:36b31da18b8890a76ec181c3cf44326bf2c48e36d393ca1b72b3f484113ea344 \ + --hash=sha256:3c21d4fca343c805a52c0c78edc01e3477f6dd1ad7c47653241cf2a206d4fc58 \ + --hash=sha256:3fddb7e2c84ac87ac3a947cb4e66d143ca5863ef48e4a5ecb83bd48619e4634e \ + --hash=sha256:43e0933a0eff183ee85833f341ec567c0980dae57c464d8a508e1b2ceb336471 \ + --hash=sha256:4a476b06fbcf359ad25d34a057b7219281286ae2477cc5ff5e3f70a246971148 \ + --hash=sha256:4e594135de17ab3866138f496755f302b72157d115086d100c3f19370839dd3a \ + --hash=sha256:50bf98d5e563b83cc29471fa114366e6806bc06bc7a25fd59641e41445327836 \ + --hash=sha256:5a9979887252a82fefd3d3ed2a8e3b937a7a809f65dcb1e068b090e165bbe99e \ + --hash=sha256:5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63 \ + --hash=sha256:5bf4545e3b962767e5c06fe1738f951f77d27967cb2caa64c28be7c4563e162c \ + --hash=sha256:6333b3aa5a12c26b2a4d4e7335a28f1475e0e5e17d69d55141ee3cab736f66d1 \ + --hash=sha256:65c981bdbd3f57670af8b59777cbfae75364b483fa8a9f420f08094531d54a01 \ + --hash=sha256:68a328e5f55ec37c57f19ebb1fdc56a248db2e3e9ad769919a58672958e8f366 \ + --hash=sha256:6a0289e4589e8bdfef02a80478f1dfcb14f0ab696b5a00e1f4b8a14a307a3c58 \ + --hash=sha256:6b66f92b17849b85cad91259efc341dce9c1af48e2173bf38a85c6329f1033e5 \ + --hash=sha256:6c9379d65defcab82d07b2a9dfbfc2e95bc8fe0ebb1b176a3190230a3ef0e07c \ + --hash=sha256:6fc1f5b51fa4cecaa18f2bd7a003f3dd039dd615cd69a2afd6d3b19aed6775f2 \ + --hash=sha256:70f7172939fdf8790425ba31915bfbe8335030f05b9913d7ae00a87d4395620a \ + --hash=sha256:721c76e84fe669be19c5791da68232ca2e05ba5185575086e384352e2c309597 \ + --hash=sha256:7222ffd5e4de8e57e03ce2cef95a4c43c98fcb72ad86909abdfc2c17d227fc1b \ + --hash=sha256:75d10d37a47afee94919c4fab4c22b9bc2a8bf7d4f46f87363bcf0573f3ff4f5 \ + --hash=sha256:76af085e67e56c8816c3ccf256ebd136def2ed9654525348cfa744b6802b69eb \ + --hash=sha256:770cab594ecf99ae64c236bc9ee3439c3f46be49796e265ce0cc8bc17b10294f \ + --hash=sha256:7a6ab32f7210554a96cd9e33abe3ddd86732beeafc7a28e9955cdf22ffadbab0 \ + 
--hash=sha256:7c48ed483eb946e6c04ccbe02c6b4d1d48e51944b6db70f697e089c193404941 \ + --hash=sha256:7f56930ab0abd1c45cd15be65cc741c28b1c9a34876ce8c17a2fa107810c0af0 \ + --hash=sha256:8075c35cd58273fee266c58c0c9b670947c19df5fb98e7b66710e04ad4e9ff86 \ + --hash=sha256:8272b73e1c5603666618805fe821edba66892e2870058c94c53147602eab29c7 \ + --hash=sha256:82d8fd25b7f4675d0c47cf95b594d4e7b158aca33b76aa63d07186e13c0e0ab7 \ + --hash=sha256:844da2b5728b5ce0e32d863af26f32b5ce61bc4273a9c720a9f3aa9df73b1455 \ + --hash=sha256:8755483f3c00d6c9a77f490c17e6ab0c8729e39e6390328e42521ef175380ae6 \ + --hash=sha256:915f3849a011c1f593ab99092f3cecfcb4d65d8feb4a64cf1bf2d22074dc0ec4 \ + --hash=sha256:926ca93accd5d36ccdabd803392ddc3e03e6d4cd1cf17deff3b989ab8e9dbcf0 \ + --hash=sha256:982bb1e8b4ffda883b3d0a521e23abcd6fd17418f6d2c4118d257a10199c0ce3 \ + --hash=sha256:98f862da73774290f251b9df8d11161b6cf25b599a66baf087c1ffe340e9bfd1 \ + --hash=sha256:9cbfacf36cb0ec2897ce0ebc5d08ca44213af24265bd56eca54bee7923c48fd6 \ + --hash=sha256:a370b3e078e418187da8c3674eddb9d983ec09445c99a3a263c2011993522981 \ + --hash=sha256:a955b438e62efdf7e0b7b52a64dc5c3396e2634baa62471768a64bc2adb73d5c \ + --hash=sha256:aa6af9e7d59f9c12b33ae4e9450619cf2488e2bbe9b44030905877f0b2324980 \ + --hash=sha256:aa88ca0b1932e93f2d961bf3addbb2db902198dca337d88c89e1559e066e7645 \ + --hash=sha256:aaeeb6a479c7667fbe1099af9617c83aaca22182d6cf8c53966491a0f1b7ffb7 \ + --hash=sha256:aaf27faa992bfee0264dc1f03f4c75e9fcdda66a519db6b957a3f826e285cf12 \ + --hash=sha256:b2680962a4848b3c4f155dc2ee64505a9c57186d0d56b43123b17ca3de18f0fa \ + --hash=sha256:b2d318c11350e10662026ad0eb71bb51c7812fc8590825304ae0bdd4ac283acd \ + --hash=sha256:b33de11b92e9f75a2b545d6e9b6f37e398d86c3e9e9653c4864eb7e89c5773ef \ + --hash=sha256:b3daeac64d5b371dea99714f08ffc2c208522ec6b06fbc7866a450dd446f5c0f \ + --hash=sha256:be1e352acbe3c78727a16a455126d9ff83ea2dfdcbc83148d2982305a04714c2 \ + --hash=sha256:bee093bf902e1d8fc0ac143c88902c3dfc8941f7ea1d6a8dd2bcb786d33db03d \ + 
--hash=sha256:c72fbbe68c6f32f251bdc08b8611c7b3060612236e960ef848e0a517ddbe76c5 \ + --hash=sha256:c9e36a97bee9b86ef9a1cf7bb96747eb7a15c2f22bdb5b516434b00f2a599f02 \ + --hash=sha256:cddf7bd982eaa998934a91f69d182aec997c6c468898efe6679af88283b498d3 \ + --hash=sha256:cf713fe9a71ef6fd5adf7a79670135081cd4431c2943864757f0fa3a65b1fafd \ + --hash=sha256:d11b54acf878eef558599658b0ffca78138c8c3655cf4f3a4a673c437e67732e \ + --hash=sha256:d41c4d287cfc69060fa91cae9683eacffad989f1a10811995fa309df656ec214 \ + --hash=sha256:d524ba3f1581b35c03cb42beebab4a13e6cdad7b36246bd22541fa585a56cccd \ + --hash=sha256:daac4765328a919a805fa5e2720f3e94767abd632ae410a9062dff5412bae65a \ + --hash=sha256:db4c7bf0e07fc3b7d89ac2a5880a6a8062056801b83ff56d8464b70f65482b6c \ + --hash=sha256:dc7039885fa1baf9be153a0626e337aa7ec8bf96b0128605fb0d77788ddc1681 \ + --hash=sha256:dccab8d5fa1ef9bfba0590ecf4d46df048d18ffe3eec01eeb73a42e0d9e7a8ba \ + --hash=sha256:dedb8adb91d11846ee08bec4c8236c8549ac721c245678282dcb06b221aab59f \ + --hash=sha256:e45ba65510e2647721e35323d6ef54c7974959f6081b58d4ef5d87c60c84919a \ + --hash=sha256:e53efc7c7cee4c1e70661e2e112ca46a575f90ed9ae3fef200f2a25e954f4b28 \ + --hash=sha256:e635b87f01ebc977342e2697d05b56632f5f879a4f15955dfe8cef2448b51691 \ + --hash=sha256:e70e990b2137b29dc5564715de1e12701815dacc1d056308e2b17e9095372a82 \ + --hash=sha256:e8082b26888e2f8b36a042a58307d5b917ef2b1cacab921ad3323ef91901c71a \ + --hash=sha256:e8323a9b031aa0393768b87f04b4164a40037fb2a3c11ac06a03ffecd3618027 \ + --hash=sha256:e92fca20c46e9f5e1bb485887d074918b13543b1c2a1185e69bb8d17ab6236a7 \ + --hash=sha256:eb30abc20df9ab0814b5a2524f23d75dcf83cde762c161917a2b4b7b55b1e518 \ + --hash=sha256:eba9904b0f38a143592d9fc0e19e2df0fa2e41c3c3745554761c5f6447eedabf \ + --hash=sha256:ef8de666d6179b009dce7bcb2ad4c4a779f113f12caf8dc77f0162c29d20490b \ + --hash=sha256:efd387a49825780ff861998cd959767800d54f8308936b21025326de4b5a42b9 \ + --hash=sha256:f0aa37f3c979cf2546b73e8222bbfa3dc07a641585340179d768068e3455e544 \ + 
--hash=sha256:f4074c5a429281bf056ddd4c5d3b740ebca4d43ffffe2ef4bf4d2d05114299da \ + --hash=sha256:f69a27e45c43520f5487f27627059b64aaf160415589230992cec34c5e18a509 \ + --hash=sha256:fb707f3e15060adf5b7ada797624a6c6e0138e2a26baa089df64c68ee98e040f \ + --hash=sha256:fcbe676a55d7445b22c10967bceaaf0ee69407fbe0ece4d032b6eb8d4565982a \ + --hash=sha256:fdb20a30fe1175ecabed17cbf7812f7b804b8a315a25f24678bcdf120a90077f # via requests -cryptography==44.0.2 +cryptography==44.0.3 \ + --hash=sha256:02f55fb4f8b79c1221b0961488eaae21015b69b210e18c386b69de182ebb1259 \ + --hash=sha256:157f1f3b8d941c2bd8f3ffee0af9b049c9665c39d3da9db2dc338feca5e98a43 \ + --hash=sha256:192ed30fac1728f7587c6f4613c29c584abdc565d7417c13904708db10206645 \ + --hash=sha256:21a83f6f35b9cc656d71b5de8d519f566df01e660ac2578805ab245ffd8523f8 \ + --hash=sha256:25cd194c39fa5a0aa4169125ee27d1172097857b27109a45fadc59653ec06f44 \ + --hash=sha256:3883076d5c4cc56dbef0b898a74eb6992fdac29a7b9013870b34efe4ddb39a0d \ + --hash=sha256:3bb0847e6363c037df8f6ede57d88eaf3410ca2267fb12275370a76f85786a6f \ + --hash=sha256:3be3f649d91cb182c3a6bd336de8b61a0a71965bd13d1a04a0e15b39c3d5809d \ + --hash=sha256:3f07943aa4d7dad689e3bb1638ddc4944cc5e0921e3c227486daae0e31a05e54 \ + --hash=sha256:479d92908277bed6e1a1c69b277734a7771c2b78633c224445b5c60a9f4bc1d9 \ + --hash=sha256:4ffc61e8f3bf5b60346d89cd3d37231019c17a081208dfbbd6e1605ba03fa137 \ + --hash=sha256:5639c2b16764c6f76eedf722dbad9a0914960d3489c0cc38694ddf9464f1bb2f \ + --hash=sha256:58968d331425a6f9eedcee087f77fd3c927c88f55368f43ff7e0a19891f2642c \ + --hash=sha256:5d186f32e52e66994dce4f766884bcb9c68b8da62d61d9d215bfe5fb56d21334 \ + --hash=sha256:5d20cc348cca3a8aa7312f42ab953a56e15323800ca3ab0706b8cd452a3a056c \ + --hash=sha256:6866df152b581f9429020320e5eb9794c8780e90f7ccb021940d7f50ee00ae0b \ + --hash=sha256:7d5fe7195c27c32a64955740b949070f21cba664604291c298518d2e255931d2 \ + --hash=sha256:896530bc9107b226f265effa7ef3f21270f18a2026bc09fed1ebd7b66ddf6375 \ + 
--hash=sha256:962bc30480a08d133e631e8dfd4783ab71cc9e33d5d7c1e192f0b7c06397bb88 \ + --hash=sha256:978631ec51a6bbc0b7e58f23b68a8ce9e5f09721940933e9c217068388789fe5 \ + --hash=sha256:9b4d4a5dbee05a2c390bf212e78b99434efec37b17a4bff42f50285c5c8c9647 \ + --hash=sha256:ab0b005721cc0039e885ac3503825661bd9810b15d4f374e473f8c89b7d5460c \ + --hash=sha256:af653022a0c25ef2e3ffb2c673a50e5a0d02fecc41608f4954176f1933b12359 \ + --hash=sha256:b0cc66c74c797e1db750aaa842ad5b8b78e14805a9b5d1348dc603612d3e3ff5 \ + --hash=sha256:b424563394c369a804ecbee9b06dfb34997f19d00b3518e39f83a5642618397d \ + --hash=sha256:c138abae3a12a94c75c10499f1cbae81294a6f983b3af066390adee73f433028 \ + --hash=sha256:c6cd67722619e4d55fdb42ead64ed8843d64638e9c07f4011163e46bc512cf01 \ + --hash=sha256:c91fc8e8fd78af553f98bc7f2a1d8db977334e4eea302a4bfd75b9461c2d8904 \ + --hash=sha256:cad399780053fb383dc067475135e41c9fe7d901a97dd5d9c5dfb5611afc0d7d \ + --hash=sha256:cb90f60e03d563ca2445099edf605c16ed1d5b15182d21831f58460c48bffb93 \ + --hash=sha256:dad80b45c22e05b259e33ddd458e9e2ba099c86ccf4e88db7bbab4b747b18d06 \ + --hash=sha256:dd3db61b8fe5be220eee484a17233287d0be6932d056cf5738225b9c05ef4fff \ + --hash=sha256:e28d62e59a4dbd1d22e747f57d4f00c459af22181f0b2f787ea83f5a876d7c76 \ + --hash=sha256:e909df4053064a97f1e6565153ff8bb389af12c5c8d29c343308760890560aff \ + --hash=sha256:f3ffef566ac88f75967d7abd852ed5f182da252d23fac11b4766da3957766759 \ + --hash=sha256:fc3c9babc1e1faefd62704bb46a69f359a9819eb0292e40df3fb6e3574715cd4 \ + --hash=sha256:fe19d8bc5536a91a24a8133328880a41831b6c5df54599a8417b62fe015d3053 # via # pyopenssl # rfc3161-client # sigstore -dnspython==2.7.0 +dnspython==2.7.0 \ + --hash=sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86 \ + --hash=sha256:ce9c432eda0dc91cf618a5cedf1a4e142651196bbcd2c80e89ed5a907e5cfaf1 # via email-validator -email-validator==2.2.0 +email-validator==2.2.0 \ + --hash=sha256:561977c2d73ce3611850a06fa56b414621e0c8faa9d66f2611407d87465da631 \ + 
--hash=sha256:cb690f344c617a714f22e66ae771445a1ceb46821152df8e165c5f9a364582b7 # via pydantic -grpclib==0.4.8rc2 +grpclib==0.4.8 \ + --hash=sha256:a5047733a7acc1c1cee6abf3c841c7c6fab67d2844a45a853b113fa2e6cd2654 \ + --hash=sha256:d8823763780ef94fed8b2c562f7485cf0bbee15fc7d065a640673667f7719c9a # via betterproto -h2==4.2.0 +h2==4.2.0 \ + --hash=sha256:479a53ad425bb29af087f3458a61d30780bc818e4ebcf01f0b536ba916462ed0 \ + --hash=sha256:c8a52129695e88b1a0578d8d2cc6842bbd79128ac685463b887ee278126ad01f # via grpclib -hpack==4.1.0 +hpack==4.1.0 \ + --hash=sha256:157ac792668d995c657d93111f46b4535ed114f0c9c8d672271bbec7eae1b496 \ + --hash=sha256:ec5eca154f7056aa06f196a557655c5b009b382873ac8d1e66e79e87535f1dca # via h2 -hyperframe==6.1.0 +hyperframe==6.1.0 \ + --hash=sha256:b03380493a519fce58ea5af42e4a42317bf9bd425596f7a0835ffce80f1a42e5 \ + --hash=sha256:f630908a00854a7adeabd6382b43923a4c4cd4b821fcb527e6ab9e15382a3b08 # via h2 -id==1.5.0 +id==1.5.0 \ + --hash=sha256:292cb8a49eacbbdbce97244f47a97b4c62540169c976552e497fd57df0734c1d \ + --hash=sha256:f1434e1cef91f2cbb8a4ec64663d5a23b9ed43ef44c4c957d02583d61714c658 # via sigstore -idna==3.10 +idna==3.10 \ + --hash=sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9 \ + --hash=sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3 # via # email-validator # requests -markdown-it-py==3.0.0 +markdown-it-py==3.0.0 \ + --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ + --hash=sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb # via rich -mdurl==0.1.2 +mdurl==0.1.2 \ + --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ + --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -multidict==6.4.3 +multidict==6.4.4 \ + --hash=sha256:0327ad2c747a6600e4797d115d3c38a220fdb28e54983abe8964fd17e95ae83c \ + --hash=sha256:058cc59b9e9b143cc56715e59e22941a5d868c322242278d28123a5d09cdf6b0 
\ + --hash=sha256:0d2b9712211b860d123815a80b859075d86a4d54787e247d7fbee9db6832cf1c \ + --hash=sha256:0e05c39962baa0bb19a6b210e9b1422c35c093b651d64246b6c2e1a7e242d9fd \ + --hash=sha256:0f14ea68d29b43a9bf37953881b1e3eb75b2739e896ba4a6aa4ad4c5b9ffa145 \ + --hash=sha256:169c4ba7858176b797fe551d6e99040c531c775d2d57b31bcf4de6d7a669847f \ + --hash=sha256:19d08b4f22eae45bb018b9f06e2838c1e4b853c67628ef8ae126d99de0da6395 \ + --hash=sha256:1d0121ccce8c812047d8d43d691a1ad7641f72c4f730474878a5aeae1b8ead8c \ + --hash=sha256:232b7237e57ec3c09be97206bfb83a0aa1c5d7d377faa019c68a210fa35831f1 \ + --hash=sha256:2e543a40e4946cf70a88a3be87837a3ae0aebd9058ba49e91cacb0b2cd631e2b \ + --hash=sha256:329ae97fc2f56f44d91bc47fe0972b1f52d21c4b7a2ac97040da02577e2daca2 \ + --hash=sha256:3312f63261b9df49be9d57aaa6abf53a6ad96d93b24f9cc16cf979956355ce6e \ + --hash=sha256:33a12ebac9f380714c298cbfd3e5b9c0c4e89c75fe612ae496512ee51028915f \ + --hash=sha256:343892a27d1a04d6ae455ecece12904d242d299ada01633d94c4f431d68a8c49 \ + --hash=sha256:3e9f1cd61a0ab857154205fb0b1f3d3ace88d27ebd1409ab7af5096e409614cd \ + --hash=sha256:3ef4e9096ff86dfdcbd4a78253090ba13b1d183daa11b973e842465d94ae1772 \ + --hash=sha256:4219390fb5bf8e548e77b428bb36a21d9382960db5321b74d9d9987148074d6b \ + --hash=sha256:496bcf01c76a70a31c3d746fd39383aad8d685ce6331e4c709e9af4ced5fa221 \ + --hash=sha256:49a29d7133b1fc214e818bbe025a77cc6025ed9a4f407d2850373ddde07fd04a \ + --hash=sha256:4d7b50b673ffb4ff4366e7ab43cf1f0aef4bd3608735c5fbdf0bdb6f690da411 \ + --hash=sha256:4efc31dfef8c4eeb95b6b17d799eedad88c4902daba39ce637e23a17ea078915 \ + --hash=sha256:4f5f29794ac0e73d2a06ac03fd18870adc0135a9d384f4a306a951188ed02f95 \ + --hash=sha256:4ffc3c6a37e048b5395ee235e4a2a0d639c2349dffa32d9367a42fc20d399772 \ + --hash=sha256:50855d03e9e4d66eab6947ba688ffb714616f985838077bc4b490e769e48da51 \ + --hash=sha256:51d662c072579f63137919d7bb8fc250655ce79f00c82ecf11cab678f335062e \ + --hash=sha256:530d86827a2df6504526106b4c104ba19044594f8722d3e87714e847c74a0275 \ + 
--hash=sha256:5363f9b2a7f3910e5c87d8b1855c478c05a2dc559ac57308117424dfaad6805c \ + --hash=sha256:55ae0721c1513e5e3210bca4fc98456b980b0c2c016679d3d723119b6b202c42 \ + --hash=sha256:5883d6ee0fd9d8a48e9174df47540b7545909841ac82354c7ae4cbe9952603bd \ + --hash=sha256:5bce06b83be23225be1905dcdb6b789064fae92499fbc458f59a8c0e68718601 \ + --hash=sha256:5e0ba18a9afd495f17c351d08ebbc4284e9c9f7971d715f196b79636a4d0de44 \ + --hash=sha256:5e2bcda30d5009996ff439e02a9f2b5c3d64a20151d34898c000a6281faa3781 \ + --hash=sha256:603f39bd1cf85705c6c1ba59644b480dfe495e6ee2b877908de93322705ad7cf \ + --hash=sha256:60d849912350da557fe7de20aa8cf394aada6980d0052cc829eeda4a0db1c1db \ + --hash=sha256:622f26ea6a7e19b7c48dd9228071f571b2fbbd57a8cd71c061e848f281550e6b \ + --hash=sha256:632a3bf8f1787f7ef7d3c2f68a7bde5be2f702906f8b5842ad6da9d974d0aab3 \ + --hash=sha256:66ed0731f8e5dfd8369a883b6e564aca085fb9289aacabd9decd70568b9a30de \ + --hash=sha256:69133376bc9a03f8c47343d33f91f74a99c339e8b58cea90433d8e24bb298031 \ + --hash=sha256:69ee9e6ba214b5245031b76233dd95408a0fd57fdb019ddcc1ead4790932a8e8 \ + --hash=sha256:6a2f58a66fe2c22615ad26156354005391e26a2f3721c3621504cd87c1ea87bf \ + --hash=sha256:6a602151dbf177be2450ef38966f4be3467d41a86c6a845070d12e17c858a156 \ + --hash=sha256:6ed5ae5605d4ad5a049fad2a28bb7193400700ce2f4ae484ab702d1e3749c3f9 \ + --hash=sha256:73484a94f55359780c0f458bbd3c39cb9cf9c182552177d2136e828269dee529 \ + --hash=sha256:75493f28dbadecdbb59130e74fe935288813301a8554dc32f0c631b6bdcdf8b0 \ + --hash=sha256:7cf3bd54c56aa16fdb40028d545eaa8d051402b61533c21e84046e05513d5780 \ + --hash=sha256:7e23f2f841fcb3ebd4724a40032d32e0892fbba4143e43d2a9e7695c5e50e6bd \ + --hash=sha256:7f3d3b3c34867579ea47cbd6c1f2ce23fbfd20a273b6f9e3177e256584f1eacc \ + --hash=sha256:82ffabefc8d84c2742ad19c37f02cde5ec2a1ee172d19944d380f920a340e4b9 \ + --hash=sha256:83ec4967114295b8afd120a8eec579920c882831a3e4c3331d591a8e5bfbbc0f \ + --hash=sha256:87a728af265e08f96b6318ebe3c0f68b9335131f461efab2fc64cc84a44aa6ed \ + 
--hash=sha256:87cb72263946b301570b0f63855569a24ee8758aaae2cd182aae7d95fbc92ca7 \ + --hash=sha256:8adee3ac041145ffe4488ea73fa0a622b464cc25340d98be76924d0cda8545ff \ + --hash=sha256:8cc403092a49509e8ef2d2fd636a8ecefc4698cc57bbe894606b14579bc2a955 \ + --hash=sha256:8cd8f81f1310182362fb0c7898145ea9c9b08a71081c5963b40ee3e3cac589b1 \ + --hash=sha256:8ffb40b74400e4455785c2fa37eba434269149ec525fc8329858c862e4b35373 \ + --hash=sha256:93ec84488a384cd7b8a29c2c7f467137d8a73f6fe38bb810ecf29d1ade011a7c \ + --hash=sha256:941f1bec2f5dbd51feeb40aea654c2747f811ab01bdd3422a48a4e4576b7d76a \ + --hash=sha256:98af87593a666f739d9dba5d0ae86e01b0e1a9cfcd2e30d2d361fbbbd1a9162d \ + --hash=sha256:995f985e2e268deaf17867801b859a282e0448633f1310e3704b30616d269d69 \ + --hash=sha256:9abcf56a9511653fa1d052bfc55fbe53dbee8f34e68bd6a5a038731b0ca42d15 \ + --hash=sha256:9bbf7bd39822fd07e3609b6b4467af4c404dd2b88ee314837ad1830a7f4a8299 \ + --hash=sha256:9c17341ee04545fd962ae07330cb5a39977294c883485c8d74634669b1f7fe04 \ + --hash=sha256:9f193eeda1857f8e8d3079a4abd258f42ef4a4bc87388452ed1e1c4d2b0c8740 \ + --hash=sha256:9faf1b1dcaadf9f900d23a0e6d6c8eadd6a95795a0e57fcca73acce0eb912065 \ + --hash=sha256:9fcad2945b1b91c29ef2b4050f590bfcb68d8ac8e0995a74e659aa57e8d78e01 \ + --hash=sha256:a145c550900deb7540973c5cdb183b0d24bed6b80bf7bddf33ed8f569082535e \ + --hash=sha256:a4d1cb1327c6082c4fce4e2a438483390964c02213bc6b8d782cf782c9b1471f \ + --hash=sha256:a887b77f51d3d41e6e1a63cf3bc7ddf24de5939d9ff69441387dfefa58ac2e26 \ + --hash=sha256:a920f9cf2abdf6e493c519492d892c362007f113c94da4c239ae88429835bad1 \ + --hash=sha256:aff4cafea2d120327d55eadd6b7f1136a8e5a0ecf6fb3b6863e8aca32cd8e50a \ + --hash=sha256:b0f1987787f5f1e2076b59692352ab29a955b09ccc433c1f6b8e8e18666f608b \ + --hash=sha256:b308402608493638763abc95f9dc0030bbd6ac6aff784512e8ac3da73a88af08 \ + --hash=sha256:b61e98c3e2a861035aaccd207da585bdcacef65fe01d7a0d07478efac005e028 \ + --hash=sha256:b9eb4c59c54421a32b3273d4239865cb14ead53a606db066d7130ac80cc8ec93 \ + 
--hash=sha256:ba852168d814b2c73333073e1c7116d9395bea69575a01b0b3c89d2d5a87c8fb \ + --hash=sha256:bb5ac9e5bfce0e6282e7f59ff7b7b9a74aa8e5c60d38186a4637f5aa764046ad \ + --hash=sha256:bb61ffd3ab8310d93427e460f565322c44ef12769f51f77277b4abad7b6f7223 \ + --hash=sha256:bbfcb60396f9bcfa63e017a180c3105b8c123a63e9d1428a36544e7d37ca9e20 \ + --hash=sha256:bd4557071b561a8b3b6075c3ce93cf9bfb6182cb241805c3d66ced3b75eff4ac \ + --hash=sha256:be06e73c06415199200e9a2324a11252a3d62030319919cde5e6950ffeccf72e \ + --hash=sha256:c04157266344158ebd57b7120d9b0b35812285d26d0e78193e17ef57bfe2979a \ + --hash=sha256:c10d17371bff801af0daf8b073c30b6cf14215784dc08cd5c43ab5b7b8029bbc \ + --hash=sha256:c27e5dcf520923d6474d98b96749e6805f7677e93aaaf62656005b8643f907ab \ + --hash=sha256:c93a6fb06cc8e5d3628b2b5fda215a5db01e8f08fc15fadd65662d9b857acbe4 \ + --hash=sha256:cbebaa076aaecad3d4bb4c008ecc73b09274c952cf6a1b78ccfd689e51f5a5b0 \ + --hash=sha256:cc5d83c6619ca5c9672cb78b39ed8542f1975a803dee2cda114ff73cbb076edd \ + --hash=sha256:d1a20707492db9719a05fc62ee215fd2c29b22b47c1b1ba347f9abc831e26683 \ + --hash=sha256:d1f7cbd4f1f44ddf5fd86a8675b7679176eae770f2fc88115d6dddb6cefb59bc \ + --hash=sha256:d21c1212171cf7da703c5b0b7a0e85be23b720818aef502ad187d627316d5645 \ + --hash=sha256:d2fa86af59f8fc1972e121ade052145f6da22758f6996a197d69bb52f8204e7e \ + --hash=sha256:d5b1cc3ab8c31d9ebf0faa6e3540fb91257590da330ffe6d2393d4208e638925 \ + --hash=sha256:d693307856d1ef08041e8b6ff01d5b4618715007d288490ce2c7e29013c12b9a \ + --hash=sha256:d6b15c55721b1b115c5ba178c77104123745b1417527ad9641a4c5e2047450f0 \ + --hash=sha256:d832c608f94b9f92a0ec8b7e949be7792a642b6e535fcf32f3e28fab69eeb046 \ + --hash=sha256:d83f18315b9fca5db2452d1881ef20f79593c4aa824095b62cb280019ef7aa3d \ + --hash=sha256:d877447e7368c7320832acb7159557e49b21ea10ffeb135c1077dbbc0816b598 \ + --hash=sha256:dc388f75a1c00000824bf28b7633e40854f4127ede80512b44c3cfeeea1839a2 \ + --hash=sha256:dc8c9736d8574b560634775ac0def6bdc1661fc63fa27ffdfc7264c565bcb4f2 \ + 
--hash=sha256:e32053d6d3a8b0dfe49fde05b496731a0e6099a4df92154641c00aa76786aef5 \ + --hash=sha256:e5f8a146184da7ea12910a4cec51ef85e44f6268467fb489c3caf0cd512f29c2 \ + --hash=sha256:ecde56ea2439b96ed8a8d826b50c57364612ddac0438c39e473fafad7ae1c23b \ + --hash=sha256:f682c42003c7264134bfe886376299db4cc0c6cd06a3295b41b347044bcb5482 \ + --hash=sha256:fad6daaed41021934917f4fb03ca2db8d8a4d79bf89b17ebe77228eb6710c003 \ + --hash=sha256:fc60f91c02e11dfbe3ff4e1219c085695c339af72d1641800fe6075b91850c8f # via grpclib -platformdirs==4.3.7 +platformdirs==4.3.8 \ + --hash=sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc \ + --hash=sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4 # via sigstore -pyasn1==0.6.1 +pyasn1==0.6.1 \ + --hash=sha256:0d632f46f2ba09143da3a8afe9e33fb6f92fa2320ab7e886e2d0f7672af84629 \ + --hash=sha256:6f580d2bdd84365380830acf45550f2511469f673cb4a5ae3857a3170128b034 # via sigstore -pycparser==2.22 +pycparser==2.22 \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pydantic==2.11.3 +pydantic==2.11.5 \ + --hash=sha256:7f853db3d0ce78ce8bbb148c401c2cdd6431b3473c0cdff2755c7690952a7b7a \ + --hash=sha256:f9c26ba06f9747749ca1e5c94d6a85cb84254577553c8785576fd38fa64dc0f7 # via # sigstore # sigstore-rekor-types -pydantic-core==2.33.1 +pydantic-core==2.33.2 \ + --hash=sha256:0069c9acc3f3981b9ff4cdfaf088e98d83440a4c7ea1bc07460af3d4dc22e72d \ + --hash=sha256:031c57d67ca86902726e0fae2214ce6770bbe2f710dc33063187a68744a5ecac \ + --hash=sha256:0405262705a123b7ce9f0b92f123334d67b70fd1f20a9372b907ce1080c7ba02 \ + --hash=sha256:04a1a413977ab517154eebb2d326da71638271477d6ad87a769102f7c2488c56 \ + --hash=sha256:09fb9dd6571aacd023fe6aaca316bd01cf60ab27240d7eb39ebd66a3a15293b4 \ + --hash=sha256:0a39979dcbb70998b0e505fb1556a1d550a0781463ce84ebf915ba293ccb7e22 \ + 
--hash=sha256:0a9f2c9dd19656823cb8250b0724ee9c60a82f3cdf68a080979d13092a3b0fef \ + --hash=sha256:0e03262ab796d986f978f79c943fc5f620381be7287148b8010b4097f79a39ec \ + --hash=sha256:0e5b2671f05ba48b94cb90ce55d8bdcaaedb8ba00cc5359f6810fc918713983d \ + --hash=sha256:0e6116757f7959a712db11f3e9c0a99ade00a5bbedae83cb801985aa154f071b \ + --hash=sha256:0fb2d542b4d66f9470e8065c5469ec676978d625a8b7a363f07d9a501a9cb36a \ + --hash=sha256:1082dd3e2d7109ad8b7da48e1d4710c8d06c253cbc4a27c1cff4fbcaa97a9e3f \ + --hash=sha256:1a8695a8d00c73e50bff9dfda4d540b7dee29ff9b8053e38380426a85ef10052 \ + --hash=sha256:1e063337ef9e9820c77acc768546325ebe04ee38b08703244c1309cccc4f1bab \ + --hash=sha256:1ea40a64d23faa25e62a70ad163571c0b342b8bf66d5fa612ac0dec4f069d916 \ + --hash=sha256:2058a32994f1fde4ca0480ab9d1e75a0e8c87c22b53a3ae66554f9af78f2fe8c \ + --hash=sha256:235f45e5dbcccf6bd99f9f472858849f73d11120d76ea8707115415f8e5ebebf \ + --hash=sha256:2807668ba86cb38c6817ad9bc66215ab8584d1d304030ce4f0887336f28a5e27 \ + --hash=sha256:2b0a451c263b01acebe51895bfb0e1cc842a5c666efe06cdf13846c7418caa9a \ + --hash=sha256:2b3d326aaef0c0399d9afffeb6367d5e26ddc24d351dbc9c636840ac355dc5d8 \ + --hash=sha256:2bfb5112df54209d820d7bf9317c7a6c9025ea52e49f46b6a2060104bba37de7 \ + --hash=sha256:2f82865531efd18d6e07a04a17331af02cb7a651583c418df8266f17a63c6612 \ + --hash=sha256:329467cecfb529c925cf2bbd4d60d2c509bc2fb52a20c1045bf09bb70971a9c1 \ + --hash=sha256:3a1c81334778f9e3af2f8aeb7a960736e5cab1dfebfb26aabca09afd2906c039 \ + --hash=sha256:3abcd9392a36025e3bd55f9bd38d908bd17962cc49bc6da8e7e96285336e2bca \ + --hash=sha256:3c6db6e52c6d70aa0d00d45cdb9b40f0433b96380071ea80b09277dba021ddf7 \ + --hash=sha256:3dc625f4aa79713512d1976fe9f0bc99f706a9dee21dfd1810b4bbbf228d0e8a \ + --hash=sha256:3eb3fe62804e8f859c49ed20a8451342de53ed764150cb14ca71357c765dc2a6 \ + --hash=sha256:44857c3227d3fb5e753d5fe4a3420d6376fa594b07b621e220cd93703fe21782 \ + --hash=sha256:4b25d91e288e2c4e0662b8038a28c6a07eaac3e196cfc4ff69de4ea3db992a1b \ + 
--hash=sha256:4c5b0a576fb381edd6d27f0a85915c6daf2f8138dc5c267a57c08a62900758c7 \ + --hash=sha256:4e61206137cbc65e6d5256e1166f88331d3b6238e082d9f74613b9b765fb9025 \ + --hash=sha256:52fb90784e0a242bb96ec53f42196a17278855b0f31ac7c3cc6f5c1ec4811849 \ + --hash=sha256:53a57d2ed685940a504248187d5685e49eb5eef0f696853647bf37c418c538f7 \ + --hash=sha256:572c7e6c8bb4774d2ac88929e3d1f12bc45714ae5ee6d9a788a9fb35e60bb04b \ + --hash=sha256:5c4aa4e82353f65e548c476b37e64189783aa5384903bfea4f41580f255fddfa \ + --hash=sha256:5c92edd15cd58b3c2d34873597a1e20f13094f59cf88068adb18947df5455b4e \ + --hash=sha256:5f483cfb75ff703095c59e365360cb73e00185e01aaea067cd19acffd2ab20ea \ + --hash=sha256:61c18fba8e5e9db3ab908620af374db0ac1baa69f0f32df4f61ae23f15e586ac \ + --hash=sha256:6368900c2d3ef09b69cb0b913f9f8263b03786e5b2a387706c5afb66800efd51 \ + --hash=sha256:64632ff9d614e5eecfb495796ad51b0ed98c453e447a76bcbeeb69615079fc7e \ + --hash=sha256:65132b7b4a1c0beded5e057324b7e16e10910c106d43675d9bd87d4f38dde162 \ + --hash=sha256:6b99022f1d19bc32a4c2a0d544fc9a76e3be90f0b3f4af413f87d38749300e65 \ + --hash=sha256:6bdfe4b3789761f3bcb4b1ddf33355a71079858958e3a552f16d5af19768fef2 \ + --hash=sha256:6fa6dfc3e4d1f734a34710f391ae822e0a8eb8559a85c6979e14e65ee6ba2954 \ + --hash=sha256:73662edf539e72a9440129f231ed3757faab89630d291b784ca99237fb94db2b \ + --hash=sha256:73cf6373c21bc80b2e0dc88444f41ae60b2f070ed02095754eb5a01df12256de \ + --hash=sha256:7cb8bc3605c29176e1b105350d2e6474142d7c1bd1d9327c4a9bdb46bf827acc \ + --hash=sha256:7f92c15cd1e97d4b12acd1cc9004fa092578acfa57b67ad5e43a197175d01a64 \ + --hash=sha256:82f68293f055f51b51ea42fafc74b6aad03e70e191799430b90c13d643059ebb \ + --hash=sha256:83aa99b1285bc8f038941ddf598501a86f1536789740991d7d8756e34f1e74d9 \ + --hash=sha256:87acbfcf8e90ca885206e98359d7dca4bcbb35abdc0ff66672a293e1d7a19101 \ + --hash=sha256:87b31b6846e361ef83fedb187bb5b4372d0da3f7e28d85415efa92d6125d6e6d \ + --hash=sha256:881b21b5549499972441da4758d662aeea93f1923f953e9cbaff14b8b9565aef \ + 
--hash=sha256:8d55ab81c57b8ff8548c3e4947f119551253f4e3787a7bbc0b6b3ca47498a9d3 \ + --hash=sha256:8f57a69461af2a5fa6e6bbd7a5f60d3b7e6cebb687f55106933188e79ad155c1 \ + --hash=sha256:95237e53bb015f67b63c91af7518a62a8660376a6a0db19b89acc77a4d6199f5 \ + --hash=sha256:96081f1605125ba0855dfda83f6f3df5ec90c61195421ba72223de35ccfb2f88 \ + --hash=sha256:970919794d126ba8645f3837ab6046fb4e72bbc057b3709144066204c19a455d \ + --hash=sha256:9cb1da0f5a471435a7bc7e439b8a728e8b61e59784b2af70d7c169f8dd8ae290 \ + --hash=sha256:9fcd347d2cc5c23b06de6d3b7b8275be558a0c90549495c699e379a80bf8379e \ + --hash=sha256:9fdac5d6ffa1b5a83bca06ffe7583f5576555e6c8b3a91fbd25ea7780f825f7d \ + --hash=sha256:a11c8d26a50bfab49002947d3d237abe4d9e4b5bdc8846a63537b6488e197808 \ + --hash=sha256:a144d4f717285c6d9234a66778059f33a89096dfb9b39117663fd8413d582dcc \ + --hash=sha256:a2b911a5b90e0374d03813674bf0a5fbbb7741570dcd4b4e85a2e48d17def29d \ + --hash=sha256:a7ec89dc587667f22b6a0b6579c249fca9026ce7c333fc142ba42411fa243cdc \ + --hash=sha256:aa9d91b338f2df0508606f7009fde642391425189bba6d8c653afd80fd6bb64e \ + --hash=sha256:b0379a2b24882fef529ec3b4987cb5d003b9cda32256024e6fe1586ac45fc640 \ + --hash=sha256:bc7aee6f634a6f4a95676fcb5d6559a2c2a390330098dba5e5a5f28a2e4ada30 \ + --hash=sha256:bdc25f3681f7b78572699569514036afe3c243bc3059d3942624e936ec93450e \ + --hash=sha256:c083a3bdd5a93dfe480f1125926afcdbf2917ae714bdb80b36d34318b2bec5d9 \ + --hash=sha256:c20c462aa4434b33a2661701b861604913f912254e441ab8d78d30485736115a \ + --hash=sha256:c2fc0a768ef76c15ab9238afa6da7f69895bb5d1ee83aeea2e3509af4472d0b9 \ + --hash=sha256:c52b02ad8b4e2cf14ca7b3d918f3eb0ee91e63b3167c32591e57c4317e134f8f \ + --hash=sha256:c54c939ee22dc8e2d545da79fc5381f1c020d6d3141d3bd747eab59164dc89fb \ + --hash=sha256:c8e7af2f4e0194c22b5b37205bfb293d166a7344a5b0d0eaccebc376546d77d5 \ + --hash=sha256:cca3868ddfaccfbc4bfb1d608e2ccaaebe0ae628e1416aeb9c4d88c001bb45ab \ + --hash=sha256:d3f26877a748dc4251cfcfda9dfb5f13fcb034f5308388066bcfe9031b63ae7d \ + 
--hash=sha256:d53b22f2032c42eaaf025f7c40c2e3b94568ae077a606f006d206a463bc69572 \ + --hash=sha256:d87c561733f66531dced0da6e864f44ebf89a8fba55f31407b00c2f7f9449593 \ + --hash=sha256:d946c8bf0d5c24bf4fe333af284c59a19358aa3ec18cb3dc4370080da1e8ad29 \ + --hash=sha256:dac89aea9af8cd672fa7b510e7b8c33b0bba9a43186680550ccf23020f32d535 \ + --hash=sha256:db4b41f9bd95fbe5acd76d89920336ba96f03e149097365afe1cb092fceb89a1 \ + --hash=sha256:dc46a01bf8d62f227d5ecee74178ffc448ff4e5197c756331f71efcc66dc980f \ + --hash=sha256:dd14041875d09cc0f9308e37a6f8b65f5585cf2598a53aa0123df8b129d481f8 \ + --hash=sha256:de4b83bb311557e439b9e186f733f6c645b9417c84e2eb8203f3f820a4b988bf \ + --hash=sha256:e799c050df38a639db758c617ec771fd8fb7a5f8eaaa4b27b101f266b216a246 \ + --hash=sha256:e80b087132752f6b3d714f041ccf74403799d3b23a72722ea2e6ba2e892555b9 \ + --hash=sha256:eb8c529b2819c37140eb51b914153063d27ed88e3bdc31b71198a198e921e011 \ + --hash=sha256:eb9b459ca4df0e5c87deb59d37377461a538852765293f9e6ee834f0435a93b9 \ + --hash=sha256:efec8db3266b76ef9607c2c4c419bdb06bf335ae433b80816089ea7585816f6a \ + --hash=sha256:f481959862f57f29601ccced557cc2e817bce7533ab8e01a797a48b49c9692b3 \ + --hash=sha256:f517ca031dfc037a9c07e748cefd8d96235088b83b4f4ba8939105d20fa1dcd6 \ + --hash=sha256:f889f7a40498cc077332c7ab6b4608d296d852182211787d4f3ee377aaae66e8 \ + --hash=sha256:f8de619080e944347f5f20de29a975c2d815d9ddd8be9b9b7268e2e3ef68605a \ + --hash=sha256:f941635f2a3d96b2973e867144fde513665c87f13fe0e193c158ac51bfaaa7b2 \ + --hash=sha256:fa754d1850735a0b0e03bcffd9d4b4343eb417e47196e4485d9cca326073a42c \ + --hash=sha256:fa854f5cf7e33842a892e5c73f45327760bc7bc516339fda888c75ae60edaeb6 \ + --hash=sha256:fe5b32187cbc0c862ee201ad66c30cf218e5ed468ec8dc1cf49dec66e160cc4d # via pydantic -pygments==2.19.1 +pygments==2.19.1 \ + --hash=sha256:61c16d2a8576dc0649d9f39e089b5f02bcd27fba10d8fb4dcc28173f7a45151f \ + --hash=sha256:9ea1544ad55cecf4b8242fab6dd35a93bbce657034b0611ee383099054ab6d8c # via rich -pyjwt==2.10.1 +pyjwt==2.10.1 \ 
+ --hash=sha256:3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953 \ + --hash=sha256:dcdd193e30abefd5debf142f9adfcdd2b58004e644f25406ffaebd50bd98dacb # via sigstore -pyopenssl==25.0.0 +pyopenssl==25.1.0 \ + --hash=sha256:2b11f239acc47ac2e5aca04fd7fa829800aeee22a2eb30d744572a157bd8a1ab \ + --hash=sha256:8d031884482e0c67ee92bf9a4d8cceb08d92aba7136432ffb0703c5280fc205b # via sigstore -python-dateutil==2.9.0.post0 +python-dateutil==2.9.0.post0 \ + --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ + --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 # via betterproto -requests==2.32.3 +requests==2.32.3 \ + --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ + --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 # via # -r requirements/main.in # id # sigstore -rfc3161-client==1.0.1 +rfc3161-client==1.0.2 \ + --hash=sha256:03bb5c92a59dd028959142a2dba8edfbf7575d3ccd74ac50eaf2c0ada45e3a40 \ + --hash=sha256:19cf1cdfa7a3c189d10e58ffdc9553f78972b45bce9dc713c78752b6dd696b5a \ + --hash=sha256:24653746e2d3868ac53bb47a46d2b891ffddd7fa939954df47301566919ed7e3 \ + --hash=sha256:37c78277d78aab02baf17393c30f66d1c2ab1a398d3540b0657792c0ceb81858 \ + --hash=sha256:714b5fd21b56b5d47136e4ca2ad346db26320a47b282b20d14337711e2bdec5b \ + --hash=sha256:8397241db132602e38bc6c4e416cb47d541528b6665aee9788705949487560f7 \ + --hash=sha256:8cb9d6aa413362b98f40ce4c6667e69ae29a31c91c657547de99203e353ebc43 \ + --hash=sha256:8db097d98b9e3bca4ca68babbeaed8436c4f8d455623c46821bf0cfd8492533f \ + --hash=sha256:8fe3c05f050b18719dac4accce6fdae88e7d5309eb36292eac0cad2f989d159e \ + --hash=sha256:9cf9a8f813028ef2d5d737f738f27c7abe41a4c5c0570fbc2ddfd5e4d03aee7a \ + --hash=sha256:a93b3b3f79f83fefd5399004d3cd522fe93f49dbbb4865dba2c6ac6d8190ab60 \ + --hash=sha256:af30b5e46db8b88c1bf7eae182e1bd4080f5d2475044f6ae04ab545e0faaa217 \ + 
--hash=sha256:b5a2e502d60176c3d376a7c81a3748b96df64c3c7ff46934f8f0e35b72f9922d # via sigstore -rfc8785==0.1.4 +rfc8785==0.1.4 \ + --hash=sha256:520d690b448ecf0703691c76e1a34a24ddcd4fc5bc41d589cb7c58ec651bcd48 \ + --hash=sha256:e545841329fe0eee4f6a3b44e7034343100c12b4ec566dc06ca9735681deb4da # via sigstore -rich==14.0.0 +rich==14.0.0 \ + --hash=sha256:1c9491e1951aac09caffd42f448ee3d04e58923ffe14993f6e83068dc395d7e0 \ + --hash=sha256:82f1bc23a6a21ebca4ae0c45af9bdbc492ed20231dcb63f297d6d1021a9d5725 # via sigstore -securesystemslib==1.3.0 +securesystemslib==1.3.0 \ + --hash=sha256:5b53e5989289d97fa42ed7fde1b4bad80985f15dba8c774c043b395a90c908e5 \ + --hash=sha256:8cbb277513444d9828016fe09eaa4a6fe25468e4bf411995c0542c6d2102af83 # via tuf -sigstore==3.6.2 +sigstore==3.6.3 \ + --hash=sha256:9bc05db5c01b9f313d211e8f8fe78a9e8d7a299d9608b11350ae58d9b9da6559 \ + --hash=sha256:9f957ef239b77695992b62823f79fc9554a589572dcc7bc0c1566a31b4bafc10 # via -r requirements/main.in -sigstore-protobuf-specs==0.3.2 +sigstore-protobuf-specs==0.3.2 \ + --hash=sha256:50c99fa6747a3a9c5c562a43602cf76df0b199af28f0e9d4319b6775630425ea \ + --hash=sha256:cae041b40502600b8a633f43c257695d0222a94efa1e5110a7ec7ada78c39d99 # via sigstore -sigstore-rekor-types==0.0.18 +sigstore-rekor-types==0.0.18 \ + --hash=sha256:19aef25433218ebf9975a1e8b523cc84aaf3cd395ad39a30523b083ea7917ec5 \ + --hash=sha256:b62bf38c5b1a62bc0d7fe0ee51a0709e49311d137c7880c329882a8f4b2d1d78 # via sigstore -six==1.17.0 +six==1.17.0 \ + --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \ + --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81 # via python-dateutil -tuf==6.0.0 +tuf==6.0.0 \ + --hash=sha256:458f663a233d95cc76dde0e1a3d01796516a05ce2781fefafebe037f7729601a \ + --hash=sha256:9eed0f7888c5fff45dc62164ff243a05d47fb8a3208035eb268974287e0aee8d # via sigstore -typing-extensions==4.13.2 +typing-extensions==4.14.0 \ + 
--hash=sha256:8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4 \ + --hash=sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af # via # pydantic # pydantic-core + # pyopenssl # typing-inspection -typing-inspection==0.4.0 +typing-inspection==0.4.1 \ + --hash=sha256:389055682238f53b04f7badcb49b989835495a96700ced5dab2d8feae4b26f51 \ + --hash=sha256:6ae134cc0203c33377d43188d4064e9b357dba58cff3185f22924610e70a9d28 # via pydantic -urllib3==2.4.0 +urllib3==2.4.0 \ + --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \ + --hash=sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813 # via # requests # tuf From e346064a371a9668bb0943cbbfd9d285feabfd06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Jun 2025 16:00:24 +0300 Subject: [PATCH 21/27] build(deps): bump requests from 2.32.3 to 2.32.4 in /requirements (#176) Bumps [requests](https://github.com/psf/requests) from 2.32.3 to 2.32.4. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.3...v2.32.4) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/main.in | 2 +- requirements/main.txt | 22 ++++++++++++++++------ 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/requirements/main.in b/requirements/main.in index a9a2cad..d112a9b 100644 --- a/requirements/main.in +++ b/requirements/main.in @@ -1,2 +1,2 @@ sigstore ~= 3.6 -requests ~= 2.28 +requests ~= 2.32 diff --git a/requirements/main.txt b/requirements/main.txt index 8ff8073..e46fd51 100644 --- a/requirements/main.txt +++ b/requirements/main.txt 
@@ -251,6 +251,10 @@ idna==3.10 \ # via # email-validator # requests +importlib-resources==5.13.0 \ + --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ + --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 + # via sigstore markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ --hash=sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb @@ -377,7 +381,7 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pydantic==2.11.5 \ +pydantic[email]==2.11.5 \ --hash=sha256:7f853db3d0ce78ce8bbb148c401c2cdd6431b3473c0cdff2755c7690952a7b7a \ --hash=sha256:f9c26ba06f9747749ca1e5c94d6a85cb84254577553c8785576fd38fa64dc0f7 # via @@ -500,11 +504,11 @@ python-dateutil==2.9.0.post0 \ --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 # via betterproto -requests==2.32.3 \ - --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ - --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 +requests==2.32.4 \ + --hash=sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c \ + --hash=sha256:27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422 # via - # -r requirements/main.in + # -r main.in # id # sigstore rfc3161-client==1.0.2 \ 
@@ -537,7 +541,7 @@ securesystemslib==1.3.0 \ sigstore==3.6.3 \ --hash=sha256:9bc05db5c01b9f313d211e8f8fe78a9e8d7a299d9608b11350ae58d9b9da6559 \ --hash=sha256:9f957ef239b77695992b62823f79fc9554a589572dcc7bc0c1566a31b4bafc10 - # via -r requirements/main.in + # via -r main.in sigstore-protobuf-specs==0.3.2 \ --hash=sha256:50c99fa6747a3a9c5c562a43602cf76df0b199af28f0e9d4319b6775630425ea \ --hash=sha256:cae041b40502600b8a633f43c257695d0222a94efa1e5110a7ec7ada78c39d99 @@ -558,9 +562,11 @@ typing-extensions==4.14.0 \ --hash=sha256:8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4 \ --hash=sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af # via + # multidict # pydantic # pydantic-core # pyopenssl + # rich # typing-inspection typing-inspection==0.4.1 \ --hash=sha256:389055682238f53b04f7badcb49b989835495a96700ced5dab2d8feae4b26f51 \ @@ -572,3 +578,7 @@ urllib3==2.4.0 \ # via # requests # tuf +zipp==3.23.0 \ + --hash=sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e \ + --hash=sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166 + # via importlib-resources From d7c8f99cb60c12cfbcea09cfb344ed5a108c84b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Jun 2025 18:01:15 -0400 Subject: [PATCH 22/27] build(deps): bump softprops/action-gh-release in the actions group (#177) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 9234832..81cf683 100644 --- a/action.yml +++ b/action.yml 
@@ -107,7 +107,7 @@ runs: name: "signing-artifacts-${{ github.job }}" path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" - - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2 + - uses: softprops/action-gh-release@d5382d3e6f2fa7bd53cb749d33091853d4985daf # v2 if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published' with: files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" From 6409abb6b6aa159c173b7ccfc47078bec5735676 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Jun 2025 16:42:52 -0400 Subject: [PATCH 23/27] build(deps): bump the actions group with 2 updates (#178) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 136895e..9165f7f 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3 + uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3 with: sarif_file: results.sarif category: zizmor diff --git a/action.yml b/action.yml index 81cf683..5ea2ea6 100644 --- a/action.yml +++ b/action.yml 
@@ -107,7 +107,7 @@ runs: name: "signing-artifacts-${{ github.job }}" path: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" - - uses: softprops/action-gh-release@d5382d3e6f2fa7bd53cb749d33091853d4985daf # v2 + - uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2 if: inputs.release-signing-artifacts == 'true' && github.event_name == 'release' && github.event.action == 'published' with: files: "${{ env.GHA_SIGSTORE_PYTHON_INTERNAL_SIGNING_ARTIFACTS }}" From f38fa95e2fe947a0827cf83585e9cd65f6107d5a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Jun 2025 10:53:17 +0300 Subject: [PATCH 24/27] build(deps): bump urllib3 from 2.4.0 to 2.5.0 in /requirements (#180) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.4.0...2.5.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.5.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/dev.txt | 62 ++++++++++++++++++++++++++++++++++--------- requirements/main.txt | 6 ++--- 2 files changed, 53 insertions(+), 15 deletions(-) diff --git a/requirements/dev.txt b/requirements/dev.txt index 813c8f6..a2046ff 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt 
@@ -23,19 +23,19 @@ black==25.1.0 \ --hash=sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9 \ --hash=sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba \ --hash=sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f - # via -r requirements/dev.in -click==8.2.1 \ - --hash=sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202 \ - --hash=sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b + # via -r dev.in +click==8.1.8 \ + --hash=sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2 \ + --hash=sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a # via black flake8==7.2.0 \ --hash=sha256:93b92ba5bdb60754a6da14fa3b93a9361fd00a59632ada61fd7b130436c40343 \ --hash=sha256:fa558ae3f6f7dbf2b4f22663e5343b6b6023620461f8d4ff2019ef4b5ee70426 - # via -r requirements/dev.in + # via -r dev.in isort==6.0.1 \ --hash=sha256:1cb5df28dfbc742e490c5e41bad6da41b805b0a8be7bc93cd0fb2a8a890ac450 \ --hash=sha256:2dc5d7f65c9678d94c88dfc29161a320eec67328bc97aad576874cb4be1e9615 - # via -r requirements/dev.in + # via -r dev.in mccabe==0.7.0 \ --hash=sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325 \ --hash=sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e @@ -73,7 +73,7 @@ mypy==1.16.0 \ --hash=sha256:f2ed0e0847a80655afa2c121835b848ed101cc7b8d8d6ecc5205aedc732b1436 \ --hash=sha256:f56236114c425620875c7cf71700e3d60004858da856c6fc78998ffe767b73d3 \ --hash=sha256:feec38097f71797da0231997e0de3a58108c51845399669ebc532c815f93866b - # via -r requirements/dev.in + # via -r dev.in mypy-extensions==1.1.0 \ --hash=sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505 \ --hash=sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558 
@@ -102,15 +102,53 @@ pyflakes==3.3.2 \ --hash=sha256:5039c8339cbb1944045f4ee5466908906180f13cc99cc9949348d10f82a5c32a \ --hash=sha256:6dfd61d87b97fba5dcfaaf781171ac16be16453be6d816147989e7f6e6a9576b # via flake8 +tomli==2.2.1 \ + --hash=sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6 \ + --hash=sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd \ + --hash=sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c \ + --hash=sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b \ + --hash=sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8 \ + --hash=sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6 \ + --hash=sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77 \ + --hash=sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff \ + --hash=sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea \ + --hash=sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192 \ + --hash=sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249 \ + --hash=sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee \ + --hash=sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4 \ + --hash=sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98 \ + --hash=sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8 \ + --hash=sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4 \ + --hash=sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281 \ + --hash=sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744 \ + --hash=sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69 \ + --hash=sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13 \ + --hash=sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140 \ + 
--hash=sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e \ + --hash=sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e \ + --hash=sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc \ + --hash=sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff \ + --hash=sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec \ + --hash=sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2 \ + --hash=sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222 \ + --hash=sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106 \ + --hash=sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272 \ + --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \ + --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7 + # via + # black + # mypy types-requests==2.32.0.20250602 \ --hash=sha256:ee603aeefec42051195ae62ca7667cd909a2f8128fdf8aad9e8a5219ecfab3bf \ --hash=sha256:f4f335f87779b47ce10b8b8597b409130299f6971ead27fead4fe7ba6ea3e726 - # via -r requirements/dev.in + # via -r dev.in typing-extensions==4.14.0 \ --hash=sha256:8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4 \ --hash=sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af - # via mypy -urllib3==2.4.0 \ - --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \ - --hash=sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813 + # via + # black + # mypy +urllib3==2.5.0 \ + --hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \ + --hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc # via types-requests diff --git a/requirements/main.txt b/requirements/main.txt index e46fd51..449a54e 100644 --- a/requirements/main.txt +++ b/requirements/main.txt 
@@ -572,9 +572,9 @@ typing-inspection==0.4.1 \ --hash=sha256:389055682238f53b04f7badcb49b989835495a96700ced5dab2d8feae4b26f51 \ --hash=sha256:6ae134cc0203c33377d43188d4064e9b357dba58cff3185f22924610e70a9d28 # via pydantic -urllib3==2.4.0 \ - --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \ - --hash=sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813 +urllib3==2.5.0 \ + --hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \ + --hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc # via # requests # tuf From deae7b09039836f94c5a183a266f8cd31bd769a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Jun 2025 14:28:01 -0400 Subject: [PATCH 25/27] build(deps): bump astral-sh/setup-uv in the actions group (#181) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c144820..6bcfeca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: with: persist-credentials: false - - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5 + - uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 # v5 - name: lint run: make lint diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9165f7f..4402504 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -22,7 +22,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5 + uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 # v5 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif 
From 7dad330b7cc00877fda38e8ac56c7d69e20bd080 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Jun 2025 14:28:23 -0400
Subject: [PATCH 26/27] build(deps): bump rfc3161-client from 1.0.2 to 1.0.3 in /requirements (#182)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
requirements/main.txt | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/requirements/main.txt b/requirements/main.txt
index 449a54e..63501a3 100644
--- a/requirements/main.txt
+++ b/requirements/main.txt
@@ -511,20 +511,20 @@ requests==2.32.4 \ # -r main.in # id # sigstore -rfc3161-client==1.0.2 \ - --hash=sha256:03bb5c92a59dd028959142a2dba8edfbf7575d3ccd74ac50eaf2c0ada45e3a40 \ - --hash=sha256:19cf1cdfa7a3c189d10e58ffdc9553f78972b45bce9dc713c78752b6dd696b5a \ - --hash=sha256:24653746e2d3868ac53bb47a46d2b891ffddd7fa939954df47301566919ed7e3 \ - --hash=sha256:37c78277d78aab02baf17393c30f66d1c2ab1a398d3540b0657792c0ceb81858 \ - --hash=sha256:714b5fd21b56b5d47136e4ca2ad346db26320a47b282b20d14337711e2bdec5b \ - --hash=sha256:8397241db132602e38bc6c4e416cb47d541528b6665aee9788705949487560f7 \ - --hash=sha256:8cb9d6aa413362b98f40ce4c6667e69ae29a31c91c657547de99203e353ebc43 \ - --hash=sha256:8db097d98b9e3bca4ca68babbeaed8436c4f8d455623c46821bf0cfd8492533f \ - --hash=sha256:8fe3c05f050b18719dac4accce6fdae88e7d5309eb36292eac0cad2f989d159e \ - --hash=sha256:9cf9a8f813028ef2d5d737f738f27c7abe41a4c5c0570fbc2ddfd5e4d03aee7a \ - --hash=sha256:a93b3b3f79f83fefd5399004d3cd522fe93f49dbbb4865dba2c6ac6d8190ab60 \ - --hash=sha256:af30b5e46db8b88c1bf7eae182e1bd4080f5d2475044f6ae04ab545e0faaa217 \ - --hash=sha256:b5a2e502d60176c3d376a7c81a3748b96df64c3c7ff46934f8f0e35b72f9922d +rfc3161-client==1.0.3 \ + --hash=sha256:0d40bb252d1a0714f4faa6b538be0bcbe9d13c6a7a37188b26f9f23d34aad7a3 \ + --hash=sha256:39e188281bc04378130ed52b1b00ee330570f04f0000cc60a0a534803f349482 \ + --hash=sha256:649037dbade2e78bdc1e8d7d917b04f27c245e0d758ab713f2ddeeec0fc6dd52 \ + --hash=sha256:863d97877c3aa7e42682f70da0f3009618bc1e2aa0a7353133b94dd649d3a602 \ + --hash=sha256:9d4d628e00fee72f07bdc779ce75160036c8cb318cac5336cd12692e2d7153e8 \ + --hash=sha256:a231b2d3430216491a4dac0cb04afdad0398bf5ded39138938b6002734abf2b4 \ + --hash=sha256:b3f513adc5d4c1c59aed1f5f89fbe2e560410f461ae163fdca8c130939df79d6 \ + --hash=sha256:c6743aa339c07772a53ffb1accc7def78c11d8ebba57c6d25329c1d412dde4dd \ + --hash=sha256:e5eeb73862b28e5aacc2951c0aec72ecff5209925a4c5be2753cd30f13c39ae5 \ + 
--hash=sha256:e9b614a5a4596ab9aea44d3fe8a4995bd84ac7f20dcbfaa82b115224202d88d8 \ + --hash=sha256:ea49605cf10558145b075979d8bfc8bff685c44815bf8b66fd580ced642216c9 \ + --hash=sha256:f2a925e668b7637c0aecd416dd060ec9579a5edd62502bb88efa981791419a44 \ + --hash=sha256:f76bdf2a9f80ea97a99324fa74695621fddc0e6f5d4a4a4e0ca30e822a37e534 # via sigstore rfc8785==0.1.4 \ --hash=sha256:520d690b448ecf0703691c76e1a34a24ddcd4fc5bc41d589cb7c58ec651bcd48 \ From f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 20 Jun 2025 14:48:59 -0400 Subject: [PATCH 27/27] chore: prep 3.0.1 (#183) --- CHANGELOG.md | 11 +++++++++++ README.md | 32 ++++++++++++++++---------------- 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cca774..6389aaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,9 +8,20 @@ All versions prior to 3.0.0 are untracked. ## [Unreleased] +## [3.0.1] + ### Changed * The minimum Python version supported by this action is now 3.9 + ([#155](https://github.com/sigstore/gh-action-sigstore-python/pull/155)) +* The action's Python dependencies are now fully pinned to specific versions + ([#165](https://github.com/sigstore/gh-action-sigstore-python/pull/165)) + +### Fixed + +* The `rfc3161-client` dependency has been upgrades to `1.0.3` to resolve + a security vulnerability + ([#182](https://github.com/sigstore/gh-action-sigstore-python/pull/182)) ## [3.0.0] diff --git a/README.md b/README.md index 14aab51..c8d9a5f 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ gh-action-sigstore-python [![Self-test](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml/badge.svg)](https://github.com/sigstore/gh-action-sigstore-python/actions/workflows/selftest.yml) This GitHub Action uses [`sigstore-python`](https://github.com/sigstore/sigstore-python) -to generate Sigstore signatures. `gh-action-sigstore-python` is the easiest way to [integrate Sigstore into your CI system](https://docs.sigstore.dev/quickstart/quickstart-ci/) and can be used for not only Python projects, but projects in other languages as well. +to generate Sigstore signatures. `gh-action-sigstore-python` is the easiest way to [integrate Sigstore into your CI system](https://docs.sigstore.dev/quickstart/quickstart-ci/) and can be used for not only Python projects, but projects in other languages as well. > [!IMPORTANT] > Are you publishing a package to PyPI? If so, you **do not need this action**: @@ -36,7 +36,7 @@ jobs: persist-credentials: false - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v3.0.0 + - uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt ``` @@ -60,7 +60,7 @@ provided unless [release-signing-artifacts](#release-signing-artifacts) is set t To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file0.txt file1.txt file2.txt ``` @@ -68,7 +68,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: ./path/to/inputs/*.txt ``` @@ -77,7 +77,7 @@ Multiple lines are fine, and whitespace in filenames can also be escaped using POSIX shell lexing rules: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: | ./path/to/inputs/*.txt 
@@ -97,7 +97,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -113,7 +113,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt oidc-client-id: alternative-sigstore-id @@ -129,7 +129,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret @@ -145,7 +145,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt staging: true @@ -168,7 +168,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt verify: true @@ -191,7 +191,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt verify: true @@ -216,7 +216,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt verify: true 
@@ -238,7 +238,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt upload-signing-artifacts: true @@ -265,7 +265,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt release-signing-artifacts: true @@ -281,7 +281,7 @@ permissions: # ... # no explicit settings needed, signs all pre-existing release artifacts -- uses: sigstore/gh-action-sigstore-python@v3.0.0 +- uses: sigstore/gh-action-sigstore-python@v3.0.1 ``` ### Internal options @@ -305,7 +305,7 @@ permissions: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v3.0.0 + - uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: file.txt internal-be-careful-debug: true