Dimitrovr/test permissions

.gitattributes

@@ -1,3 +1,3 @@
-# Files that will always have LF line endings on checkout.
-tests/repository_data/** text eol=lf
-
+# All JSON files will always have LF line endings on checkout.
+# This prevents git replacing line endings with CRLF on Windows.
+*.json text eol=lf

.github/dependabot.yml

@@ -1,8 +1,16 @@
 version: 2
 updates:
-- package-ecosystem: pip
+
+- package-ecosystem: "pip"
   directory: "/"
   schedule:
-    interval: daily
+    interval: "daily"
+    time: "10:00"
+  open-pull-requests-limit: 10
+
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
     time: "10:00"
   open-pull-requests-limit: 10

.github/workflows/_test.yml

@@ -0,0 +1,90 @@
+on:
+  workflow_call:
+  # Permissions inherited from caller workflow
+
+
+jobs:
+  tests:
+    name: Tests
+    strategy:
+      fail-fast: false
+      # Run regular TUF tests on each OS/Python combination, plus special tests
+      # (sslib master) and linters on Linux/Python3.x only.
+      matrix:
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        toxenv: [py]
+        include:
+          - python-version: 3.x
+            os: ubuntu-latest
+            toxenv: with-sslib-master
+            experimental: true
+          - python-version: 3.x
+            os: ubuntu-latest
+            toxenv: lint
+
+    env:
+      # Set TOXENV env var to tell tox which testenv (see tox.ini) to use
+      # NOTE: The Python 2.7 runner has two Python versions on the path (see
+      # setup-python below), so we tell tox explicitly to use the 'py27'
+      # testenv. For all other runners the toxenv configured above suffices.
+      TOXENV: ${{ matrix.toxenv }}
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout TUF
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade tox coveralls
+
+      - name: Run tox (${{ env.TOXENV }})
+        # See TOXENV environment variable for the testenv to be executed here
+        run: tox
+
+      - name: Publish on coveralls.io
+        # A failure to publish coverage results on coveralls should not
+        # be a reason for a job failure.
+        continue-on-error: true
+        # TODO: Maybe make 'lint' a separate job instead of case handling here
+        if: ${{ env.TOXENV != 'lint' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }} / ${{ env.TOXENV }}
+          COVERALLS_PARALLEL: true
+        # Use cp workaround to publish coverage reports with relative paths
+        # FIXME: Consider refactoring the tests to not require the test
+        # aggregation script being invoked from the `tests` directory, so
+        # that `.coverage` is written to and .coveragrc can also reside in
+        # the project root directory as is the convention.
+        run: |
+          cp tests/.coverage .
+          coveralls --service=github --rcfile=tests/.coveragerc
+
+  coveralls-fin:
+    # Always run when all 'tests' jobs have finished even if they failed
+    # TODO: Replace always() with a 'at least one job succeeded' expression
+    if: always()
+    needs: tests
+    runs-on: ubuntu-latest
+    container: python:3-slim
+    steps:
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade coveralls
+      - name: Finalize publishing on coveralls.io
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: coveralls --finish

.github/workflows/cd.yml

@@ -0,0 +1,87 @@
+name: CD
+concurrency: cd
+
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: write
+
+jobs:
+  test:
+    uses: ./.github/workflows/_test.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: test
+    outputs:
+      release_id: ${{ steps.gh-release.outputs.id }}
+    steps:
+      - name: Checkout release tag
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          ref: ${{ github.event.workflow_run.head_branch }}
+
+      - name: Set up Python
+        uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20
+        with:
+          python-version: '3.x'
+
+      - name: Install build dependency
+        run: python3 -m pip install --upgrade pip build
+
+      - name: Build binary wheel and source tarball
+        run: python3 -m build --sdist --wheel --outdir dist/ .
+
+      - id: gh-release
+        name: Publish GitHub release candiate
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        with:
+          name: ${{ github.ref_name }}-rc
+          tag_name: ${{ github.ref }}
+          body: "Release waiting for review..."
+          files: dist/*
+
+      - name: Store build artifacts
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        # NOTE: The GitHub release page contains the release artifacts too, but using
+        # GitHub upload/download actions seems robuster: there is no need to compute
+        # download URLs and tampering with artifacts between jobs is more limited.
+        with:
+          name: build-artifacts
+          path: dist
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs: build
+    environment: release
+    steps:
+      - name: Fetch build artifacts
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: build-artifacts
+          path: dist
+
+      - name: Publish binary wheel and source tarball on PyPI
+        uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
+        with:
+          user: __token__
+          password: ${{ secrets.PYPI_API_TOKEN }}
+
+      - name: Finalize GitHub release
+        uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e
+        with:
+          script: |
+            await github.rest.repos.updateRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: '${{ needs.build.outputs.release_id }}',
+              name: '${{ github.ref_name }}',
+              body: 'See [CHANGELOG.md](https://github.com/' +
+                     context.repo.owner + '/' + context.repo.repo +
+                    '/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.'
+            })

.github/workflows/ci.yml

@@ -1,104 +1,16 @@
-name: Run TUF tests and linter
+name: CI
 
 on:
   push:
     branches:
       - develop
+
   pull_request:
   workflow_dispatch:
 
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      # Run regular TUF tests on each OS/Python combination, plus special tests
-      # (sslib master) and linters on Linux/Python3.x only.
-      matrix:
-        python-version: [3.6, 3.7, 3.8, 3.9]
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        toxenv: [py]
-        include:
-          - python-version: 3.x
-            os: ubuntu-latest
-            toxenv: with-sslib-master
-            experimental: true
-          # TODO: Change to 3.x once pylint fully supports Python 3.9
-          - python-version: 3.8
-            os: ubuntu-latest
-            toxenv: lint
-
-    env:
-      # Set TOXENV env var to tell tox which testenv (see tox.ini) to use
-      # NOTE: The Python 2.7 runner has two Python versions on the path (see
-      # setup-python below), so we tell tox explicitly to use the 'py27'
-      # testenv. For all other runners the toxenv configured above suffices.
-      TOXENV: ${{ matrix.toxenv }}
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - name: Checkout TUF
-        uses: actions/checkout@v2
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
-        with:
-          python-version: ${{ matrix.python-version }}
+permissions:
+  contents: read
 
-      - name: Find pip cache dir
-        id: pip-cache
-        run: echo "::set-output name=dir::$(pip cache dir)"
-
-      - name: pip cache
-        uses: actions/cache@v2
-        with:
-          # Use the os dependent pip cache directory found above
-          path: ${{ steps.pip-cache.outputs.dir }}
-          # A match with 'key' counts as cache hit
-          key: ${{ runner.os }}-pip-${{ hashFiles('requirements*.txt') }}
-          # A match with 'restore-keys' is used as fallback
-          restore-keys: ${{ runner.os }}-pip-
-
-      - name: Install dependencies
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade tox coveralls
-
-      - name: Run tox (${{ env.TOXENV }})
-        # See TOXENV environment variable for the testenv to be executed here
-        run: tox
-
-      - name: Publish on coveralls.io
-        # A failure to publish coverage results on coveralls should not
-        # be a reason for a job failure.
-        continue-on-error: true
-        # TODO: Maybe make 'lint' a separate job instead of case handling here
-        if: ${{ env.TOXENV != 'lint' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }} / ${{ env.TOXENV }}
-          COVERALLS_PARALLEL: true
-        # Use cp workaround to publish coverage reports with relative paths
-        # FIXME: Consider refactoring the tests to not require the test
-        # aggregation script being invoked from the `tests` directory, so
-        # that `.coverage` is written to and .coveragrc can also reside in
-        # the project root directory as is the convention.
-        run: |
-          cp tests/.coverage .
-          coveralls --service=github --rcfile=tests/.coveragerc
-
-  coveralls-fin:
-    # Always run when all 'build' jobs have finished even if they failed
-    # TODO: Replace always() with a 'at least one job succeeded' expression
-    if: always()
-    needs: build
-    runs-on: ubuntu-latest
-    container: python:3-slim
-    steps:
-      - name: Finalize publishing on coveralls.io
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade coveralls
-          coveralls --finish
+jobs:
+  test:
+    uses: ./.github/workflows/_test.yml

.github/workflows/maintainer-permissions-reminder.yml

@@ -0,0 +1,55 @@
+name: Maintainer review reminder
+
+on:
+  schedule:
+    - cron: '10 10 10 2 *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+
+jobs:
+  file-reminder-issue:
+    name: File issue to review maintainer permissions
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e
+      with:
+        script: |
+          await github.rest.issues.create({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            title: "Yearly maintainer permissions review",
+            body: `
+          This is a checklist for evaluating python-tuf maintainer accounts and permissions. This issue is automatically opened once a year.
+
+          ### Tasks
+
+          1. Update this list to include any new services
+          2. Evaluate the accounts and permissions for each service on the list. Some rules of thumb:
+             * Critical services should have a minimum of 3 _active_ maintainers/admins to prevent project lockout
+             * Each additional maintainer/admin increases the risk of project compromise: for this reason permissions should be removed if they are no longer used
+             * For services that are not frequently used, each maintainer/admin should check that they really are still able to authenticate to the service and confirm this in the comments
+          3. Update MAINTAINERS.txt to reflect current permissions
+          4. (Bonus) Update significant contributors in README.md#acknowledgements
+
+          ### Critical services
+
+          * [ ] **PyPI**: maintainer list is visible to everyone at https://pypi.org/project/tuf/
+              * Only enough maintainers and org admins to prevent locking the project out
+          * [ ] **GitHub**: release environment reviewers listed in https://github.com/theupdateframework/python-tuf/settings/environments
+              * Maintainers who can approve releases to PyPI
+          * [ ] **GitHub**: permissions visible to admins at https://github.com/theupdateframework/python-tuf/settings/access
+              * "admin" permission: Only for maintainers and org admins who do project administration
+              * "push/maintain" permission: Maintainers who actively approve and merge PRs (+admins)
+              * "triage" permission: All contributors trusted to manage issues
+
+          ### Other
+
+          * [ ] **ReadTheDocs**: admin list is visible to everyone at https://readthedocs.org/projects/theupdateframework/
+          * [ ] **Coveralls**: everyone with github "admin" permissions is a Coveralls admin: https://coveralls.io/github/theupdateframework/python-tuf
+          `
+          })
+          console.log("New issue created.")
+
+