Releases: theupdateframework/tuf-on-ci
v0.4.0
NOTE: This is a major Actions API break; users should not simply accept a Dependabot update but should instead follow the upgrade instructions below.
Changes
- Support for custom GitHub tokens: see REPOSITORY-MAINTENANCE.md.
- Uses upload-artifact v4: this means the publish workflow must use download-artifact v4 or deploy-pages v4
- All commits are now done with "Signed-Off-By"
Upgrade instructions from v0.3.0:
- We recommend using the workflows from tuf-on-ci-template (or to merge changes from there if you have local changes in your workflows) to ensure workflows stay compatible with the tuf-on-ci actions
v0.3.0
NOTE: This is a major API break; users should not just upgrade the action versions but should replace their publish.yml workflow with the new workflow from tuf-on-ci-template.
Upgrade instructions from v0.2.0:
- When the Dependabot PR is created, update the PR to include the updated publish.yml from the tuf-on-ci-template repository. Then the PR can be approved and merged without breaking any workflows.
See CHANGELOG.md for details.
v0.2.0
Upgrade instructions from v0.1.0:
- Dependabot version bump can be accepted as is
See CHANGELOG.md for details.
v0.1.0
NOTE: This is a major API break; users should not just upgrade the action versions but should replace their workflows with the new workflows from tuf-on-ci-template.
Release contains:
- Major refactoring of actions: the new actions are more logical and enable separating publishing from online signing. The repository now contains a new branch "publish" that always points to the newest publishable repository version
- Improved Sigstore signer registration flow
- Bug fixes
Upgrade instructions:
- Remove your existing tuf-on-ci workflows and replace them with the ones from current tuf-on-ci-template.
- In Settings->Environments->github-pages change the deployment branch from main to publish
- If you use the experimental sigstore online signing: after updating, run `tuf-on-ci-delegate sign/update-online-key timestamp` and re-select sigstore as the signing system. This creates a new signing event that is required for online signing to work.
Thanks to contributors Radoslav Dimitrov, Meredith Lancaster and lv291.
0.0.1
Initial release of TUF-on-CI.
TUF-on-CI is a repository and signer implementation of
https://theupdateframework.io/ that runs on a Continuous Integration platform.
Features include:
- Threshold signing with hardware keys and Sigstore
- Automated online signing with multiple KMSs
- Polished signing user experience
- No custom code required
The signer is not available from PyPI in this release but will be in future releases.
See README.md for repository and signer setup instructions.
Upgrading an existing repository installation
- Start pinning tuf-on-ci actions in your workflows (see example in theupdateframework/tuf-on-ci-template#3)
- Use Dependabot in your GitHub project to get automatic update PRs in the future
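The two upgrade steps above, shown as an added configuration example that is not part of the tuf-on-ci project or template: a workflow step that pins a tuf-on-ci action to a full commit SHA (with the release tag kept as a trailing comment so reviewers can still see which version it corresponds to), and a `.github/dependabot.yml` that makes Dependabot open PRs for GitHub Actions updates. The action path `<path-to-action>`, the commit SHA and the version comment are placeholders, since the page does not list the action names; substitute the real values from the tuf-on-ci-template repository.

```yaml
# .github/workflows/<your-workflow>.yml  (placeholder file name; added example, not the template's own)
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA rather than a mutable tag or branch, so the
      # workflow cannot silently pick up a retagged or force-pushed action.
      # The "# vX.Y.Z" comment is a placeholder; Dependabot reads it to
      # decide which release the pinned SHA belongs to.
      - uses: theupdateframework/tuf-on-ci/<path-to-action>@<full-40-hex-commit-sha> # vX.Y.Z

---
# .github/dependabot.yml
# Ask Dependabot to propose updates for every action referenced in the
# workflows under .github/workflows/ (the "github-actions" ecosystem).
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot PRs produced this way bump the SHA pin and its version comment together, so the pin stays meaningful after an update. As the v0.3.0 and v0.4.0 notes above state, those PRs still need a human review step for major releases: the template workflows have to be merged into the same PR before it is approved, because a bare version bump would leave the workflows incompatible with the new actions.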