
Conversation

@DK96-OS
Owner

@DK96-OS DK96-OS commented Jun 23, 2025

Release 3.2.6 — Summary of Changes

Overview

This release focuses on dependency management, workflow improvements, and documentation updates, with several changes attributed to both upstream sources and direct maintenance.


Changelog Highlights

Dependency and Packaging Updates

  • Pinning of Python Dependencies:
    • All core and development dependencies are now explicitly pinned using pip-compile for reproducibility and security.
    • Example: sigstore == 3.6.3, requests == 2.32.4 in requirements/main.in.
  • Dependency Upgrades:
    • sigstore updated to 3.6.3
    • requests updated to 2.32.4
    • rfc3161-client upgraded to 1.0.3 to resolve a security vulnerability (from sigstore upstream PR #182)
    • Other packages such as cryptography, certifi, platformdirs, pydantic, and development tools (mypy, typing-extensions, types-requests) have been updated to their latest compatible versions.
  • Switched Dependency Management Tools:
    • Requirements are now generated via pip-compile (previously used uv).
    • Hash checking is enforced for all dependencies.
  • Removed Old Requirements Files:
    • dev-requirements.txt and requirements.txt removed in favor of dedicated, pinned, and hash-protected files under requirements/.

Workflow and Automation

  • GitHub Actions Workflow Updates:
    • .github/workflows/ci.yml and .github/workflows/zizmor.yml now use updated references for astral-sh/setup-uv and github/codeql-action/upload-sarif.
    • Dependabot configuration updated to:
      • Run weekly instead of daily.
      • Limit open PRs to 5 (down from 99).
    • The Zizmor security analysis workflow no longer runs on pull requests, only on main branch pushes.

Documentation Improvements

  • README.md:
    • Usage instructions now reference version v3.0.1 of the action.
    • Improved clarity and formatting.
    • Updates to reflect new dependency and workflow management.
  • CHANGELOG.md:
    • Notes the minimum Python version is now 3.9 (from upstream).
    • Python dependencies are now fully pinned (from upstream).
    • Security fix for rfc3161-client noted and attributed upstream.

Upstream and Dependency Attribution

  • Many of these dependency and security updates originate from the upstream sigstore/gh-action-sigstore-python repository.
  • Key upstream pull requests referenced in the changelog:
    • #155: Python 3.9 minimum version.
    • #165: Fully pinned dependencies.
    • #182: Security update for rfc3161-client.

Files Changed (Partial List)

  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/zizmor.yml
  • CHANGELOG.md
  • README.md
  • dev-requirements.txt (removed)
  • requirements.txt (removed)
  • requirements/dev.txt
  • requirements/main.in
  • requirements/main.txt

See the full list of file changes on the GitHub pull request files page.


Notable Dependencies (New/Updated)

  • sigstore: 3.6.3
  • requests: 2.32.4
  • rfc3161-client: 1.0.3
  • cryptography: 44.0.3
  • pydantic[email]: 2.11.5
  • mypy: 1.16.0
  • types-requests: 2.32.0.20250602

For a complete and hash-locked set, refer to requirements/main.txt and requirements/dev.txt.


Attribution

Portions of these updates directly track upstream improvements and security fixes from sigstore/gh-action-sigstore-python. Dependency versions and best practices have been synchronized with upstream to ensure security and stability.
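The hash-locked files this release introduces under requirements/ only protect the workflow if the installer refuses anything that is not pinned and hashed. The following added example is not code from this repository, from pip or from pip-compile; it reimplements that check offline so the rule is visible: parse a pip-compile style lock file, reject any line that is not `==` pinned or carries no `--hash=`, and accept a downloaded artifact only when its digest matches one of the locked hashes. The package names and versions mirror the ones listed above; the artifact bytes, the digests and the `ARTIFACTS`, `LOCKED`, `UNPINNED` and `UNHASHED` names are constructed for the example.

```python
"""Offline check of a pip-compile, hash-locked requirements file.

Reproduces what `pip install --require-hashes` enforces: every requirement
must be pinned with `==` and carry at least one `--hash=`, and an artifact is
accepted only if its digest matches one of the locked hashes.
Illustrative code, not pip's implementation or this repository's tooling.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# `name[extras]==version`, optionally followed by an environment marker.
_PINNED = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==(?P<version>[^\s;]+)(?:\s*;.*)?$"
)
# Only the algorithms pip accepts for --hash; md5/sha1 are refused.
_HASH_OPT = re.compile(r"^--hash=(?P<alg>sha256|sha384|sha512):(?P<digest>[0-9a-f]+)$")


@dataclass
class LockedRequirement:
    name: str                       # PEP 503 normalised project name
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # alg -> digests


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        stripped = "" if stripped.startswith("#") else stripped.split(" #", 1)[0].strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_locked_requirements(text: str) -> list[LockedRequirement]:
    """Parse a lock file, refusing anything --require-hashes would refuse."""
    reqs: list[LockedRequirement] = []
    for line in _logical_lines(text):
        spec, *hash_opts = line.split(" --hash=")
        spec = spec.strip()
        m = _PINNED.match(spec)
        if not m:
            raise ValueError(f"not pinned with '==': {spec!r}")
        if not hash_opts:
            raise ValueError(f"no --hash for {spec!r}")
        req = LockedRequirement(
            name=re.sub(r"[-_.]+", "-", m["name"]).lower(), version=m["version"]
        )
        for opt in hash_opts:
            h = _HASH_OPT.match("--hash=" + opt.strip())
            if not h:
                raise ValueError(f"malformed or unsupported hash option {opt!r}")
            req.hashes.setdefault(h["alg"], set()).add(h["digest"])
        reqs.append(req)
    return reqs


def artifact_matches(req: LockedRequirement, data: bytes) -> bool:
    """True iff the artifact's digest equals one of the locked hashes."""
    return any(
        hashlib.new(alg, data).hexdigest() in digests
        for alg, digests in req.hashes.items()
    )


def rejection_reason(text: str) -> str | None:
    """Why --require-hashes would refuse this file, or None if it is acceptable."""
    try:
        parse_locked_requirements(text)
    except ValueError as exc:
        return str(exc)
    return None


def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for distribution files; a real lock file
# carries the digests of the wheels/sdists actually published on the index.
ARTIFACTS = {
    "pydantic": b"constructed bytes standing in for pydantic-2.11.5-py3-none-any.whl",
    "requests": b"constructed bytes standing in for requests-2.32.4-py3-none-any.whl",
    "sigstore": b"constructed bytes standing in for sigstore-3.6.3-py3-none-any.whl",
}

# Constructed sample in the layout pip-compile --generate-hashes writes.
LOCKED = f"""\
# This file is autogenerated by pip-compile with --generate-hashes (constructed sample)
pydantic[email]==2.11.5 \\
    --hash=sha256:{_sha(ARTIFACTS['pydantic'])}
    # via -r requirements/main.in
requests==2.32.4 \\
    --hash=sha256:{_sha(ARTIFACTS['requests'])}
    # via sigstore
sigstore==3.6.3 \\
    --hash=sha256:{_sha(ARTIFACTS['sigstore'])} \\
    --hash=sha256:{'0' * 64}
    # via -r requirements/main.in
"""
UNPINNED = "requests>=2.32\n"     # floating range: refused
UNHASHED = "requests==2.32.4\n"   # pinned but no --hash: refused

if __name__ == "__main__":
    for req in parse_locked_requirements(LOCKED):
        ok = artifact_matches(req, ARTIFACTS[req.name])
        print(f"{req.name}=={req.version}: {'digest ok' if ok else 'MISMATCH'}")
    print("unpinned:", rejection_reason(UNPINNED))
    print("unhashed:", rejection_reason(UNHASHED))
```

In CI the real equivalent is `pip install --require-hashes -r requirements/main.txt`; pip also switches into hash-checking mode on its own as soon as any requirement in the file carries a `--hash`, which is why a lock file with even one unhashed or floating line fails to install rather than silently pulling whatever the index serves.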

DK96-OS added 5 commits June 23, 2025 16:51
* Update CHANGELOG.md
* Update README.md

-- credit: upstream commits --
* Update requirements.txt - sigstore 3.6.3, requests 2.32.4
* Update requirements/dev.txt
* Update requirements/main.in - requests ~2.32
* Update requirements/main.txt

-- credit: upstream commits --
* Update .github/workflows/zizmor.yml - disable on pull_request triggers
* Update .github/workflows/ci.yml
* Update dependabot.yml - reduce schedule frequency to weekly, reduce open-pr-limit to 5
@DK96-OS DK96-OS self-assigned this Jun 23, 2025
@DK96-OS DK96-OS added the dependencies Pull requests that update a dependency file label Jun 23, 2025
@DK96-OS DK96-OS marked this pull request as ready for review June 23, 2025 21:06
DK96-OS added 3 commits June 23, 2025 17:20
* Remove requirements.txt
* Remove dev-requirements.txt
* Update requirements/main.in
* Update requirements/main.txt
* Update requirements/dev.txt - switch to pip-compile
* Update requirements/main.txt - switch to pip-compile (for pydantic[email])
@DK96-OS DK96-OS merged commit 8e3b0e9 into main Jun 23, 2025
2 checks passed
@DK96-OS DK96-OS deleted the release-3.2.6 branch June 23, 2025 23:45