trustcheck 2.1.2__tar.gz → 2.2.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- trustcheck-2.2.1/.github/workflows/acceptance-matrix.yml +56 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/benchmarks.yml +6 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/ci.yml +14 -7
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/codeql.yml +3 -3
- trustcheck-2.2.1/.github/workflows/plagiarism-scan.yml +128 -0
- trustcheck-2.2.1/.github/workflows/post-release-parity.yml +90 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/publish.yml +85 -7
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/sarif-integration.yml +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/CHANGELOG.md +32 -2
- trustcheck-2.2.1/MANIFEST.in +3 -0
- {trustcheck-2.1.2/src/trustcheck.egg-info → trustcheck-2.2.1}/PKG-INFO +169 -29
- {trustcheck-2.1.2 → trustcheck-2.2.1}/README.md +168 -28
- {trustcheck-2.1.2 → trustcheck-2.2.1}/action.yml +10 -2
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/README.md +16 -7
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/corpus.json +9 -0
- trustcheck-2.2.1/benchmarks/corpus/malicious-calibration.json +102 -0
- trustcheck-2.2.1/benchmarks/corpus/pdm.lock +22 -0
- trustcheck-2.2.1/benchmarks/results/benchmark-public-key.pem +11 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/results/latest.json +339 -866
- trustcheck-2.2.1/benchmarks/results/latest.json.sig +1 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/changelog.md +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/index.md +67 -3
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/getting-started/quickstart.md +31 -2
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/guides/ci-integration.md +85 -13
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/index.md +32 -3
- trustcheck-2.2.1/docs/reference/benchmarks.md +92 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/industry-formats.md +20 -9
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/json-contract.md +11 -9
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/malicious-package-detection.md +28 -3
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/python-api.md +3 -2
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/remediation.md +36 -13
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_exports.py +9 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/action.lock +1 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/ci.in +3 -3
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/ci.lock +22 -23
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/semgrep.in +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/semgrep.lock +118 -69
- trustcheck-2.2.1/scripts/acceptance_matrix.py +212 -0
- trustcheck-2.2.1/scripts/export_homebrew_tap.py +307 -0
- trustcheck-2.2.1/scripts/github_plagiarism_scan.py +307 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/update_benchmark_table.py +22 -14
- trustcheck-2.2.1/scripts/verify_release_channels.py +361 -0
- trustcheck-2.2.1/src/trustcheck/__init__.py +278 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/_version.py +2 -2
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/attestations.py +106 -41
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli.py +866 -7
- trustcheck-2.2.1/src/trustcheck/cli_commands/diff.py +408 -0
- trustcheck-2.2.1/src/trustcheck/cli_commands/doctor.py +31 -0
- trustcheck-2.2.1/src/trustcheck/cli_commands/impact.py +168 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/inspect.py +8 -3
- trustcheck-2.2.1/src/trustcheck/cli_commands/install.py +931 -0
- trustcheck-2.2.1/src/trustcheck/cli_commands/manifest.py +260 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/scan.py +9 -3
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_render.py +107 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/contract.py +14 -2
- trustcheck-2.2.1/src/trustcheck/diff.py +917 -0
- trustcheck-2.2.1/src/trustcheck/doctor.py +432 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/export_models.py +9 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/export_xml.py +33 -10
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/exports.py +392 -54
- trustcheck-2.2.1/src/trustcheck/impact.py +882 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/malicious.py +33 -33
- trustcheck-2.2.1/src/trustcheck/manifest.py +1028 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/policy.py +35 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/provenance.py +182 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/remediation.py +197 -23
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/remediation_models.py +47 -1
- trustcheck-2.2.1/src/trustcheck/remediation_render.py +91 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/snapshots.py +35 -7
- {trustcheck-2.1.2 → trustcheck-2.2.1/src/trustcheck.egg-info}/PKG-INFO +169 -29
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/SOURCES.txt +26 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/contract_schema.json +2 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_attestations.py +42 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_benchmark_results.py +40 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_ci_workflow.py +87 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_cli.py +276 -1
- trustcheck-2.2.1/tests/test_diff.py +816 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_docker_workflows.py +7 -7
- trustcheck-2.2.1/tests/test_doctor.py +371 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_edge_cases.py +8 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_exports.py +103 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_github_action.py +16 -0
- trustcheck-2.2.1/tests/test_homebrew_tap_export.py +134 -0
- trustcheck-2.2.1/tests/test_impact.py +633 -0
- trustcheck-2.2.1/tests/test_install_command.py +880 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_lockfiles.py +13 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_malicious.py +3 -3
- trustcheck-2.2.1/tests/test_manifest.py +818 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_performance_extensibility.py +52 -2
- trustcheck-2.2.1/tests/test_plagiarism_scan.py +257 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_provenance.py +95 -1
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_public_api.py +23 -2
- trustcheck-2.2.1/tests/test_release_channels.py +160 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_readiness.py +56 -2
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_remediation.py +436 -0
- trustcheck-2.1.2/MANIFEST.in +0 -1
- trustcheck-2.1.2/benchmarks/results/benchmark-public-key.pem +0 -11
- trustcheck-2.1.2/benchmarks/results/latest.json.sig +0 -1
- trustcheck-2.1.2/docs/reference/benchmarks.md +0 -60
- trustcheck-2.1.2/src/trustcheck/__init__.py +0 -193
- trustcheck-2.1.2/src/trustcheck/remediation_render.py +0 -50
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.dockerignore +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.gitattributes +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/CODEOWNERS +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/ISSUE_TEMPLATE/general.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/dependabot.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/trustcheck-action-fail-policy.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/action-integration.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/bandit.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/binary-security.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/docs.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/fuzz.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/live-integration.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/mutation.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/semgrep.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/source-build.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.gitignore +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/.pre-commit-hooks.yaml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/CONTRIBUTING.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/Dockerfile +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/LICENSE +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/SECURITY.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/benchmark_against_pip_audit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/poetry.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/pylock.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-hashed.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-main.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-malformed.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-markers-extras.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-private-index.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-profiles.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-resolution.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-vcs-editable.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth-public-key.pem +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth.json.sig +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/uv.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/measure_command.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/images/logo-bg-less.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/images/logo.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/javascripts/disable-search-shortcut.js +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/configuration.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/exit-codes.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/policies.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/getting-started/installation.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/compatibility.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/performance-extensibility.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/recommendations.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/trust-model.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/README.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_lockfiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_provenance.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_requirements.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/mkdocs.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/pyproject.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/fuzz.in +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/fuzz.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/runtime.in +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/runtime.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/benchmark_signature.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/build_msix_layout.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/build_standalone.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/check_mutation_score.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/dependency_bounds.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/smoke_test_distribution.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/trustcheck_binary.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/update_coverage_badge.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/validate_sarif.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/verify_release_version.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/setup.cfg +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/README.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/gui/icon.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/snapcraft.yaml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/__main__.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/_resolver_guard.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/advisories.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cache.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/__init__.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/context.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/environment.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_models.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_runtime.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_targets.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/dynamic.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/github_action.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/lockfiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/models.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/plugins.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/pre_commit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/py.typed +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/pypi.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/resolver.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/resume.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/schemas.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service_state.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service_urls.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/workspace.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/dependency_links.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/entry_points.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/requires.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/top_level.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/bad-scan.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/cache/5e491d79f8ba9e36d864ae50c690989677616cd509e5b99abb9272c8ad976435.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/config_non_object.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/empty-scan.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/empty-scan.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/invalid-scan.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/policy_non_object.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/scan-poetry.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/scan-project.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/client_config.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/policy_require_expected_repo.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/requirements-vulnerable.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/report_minimal.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/report_verified.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_advisories.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_binary_security_workflow.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_contract.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_dependency_bounds.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_dynamic.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_integration_live.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_msix_packaging.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_mutation_score.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_plugin_security.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_pre_commit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_property_invariants.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_pypi.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_executable.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_version.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_resolver.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_resolver_guard.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_sarif_validation.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_scan_profiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_service.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_snap_packaging.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_workspace.py +0 -0
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
name: Acceptance Matrix
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "47 4 * * *"
|
|
7
|
+
|
|
8
|
+
permissions:
|
|
9
|
+
contents: read
|
|
10
|
+
|
|
11
|
+
concurrency:
|
|
12
|
+
group: acceptance-matrix-main
|
|
13
|
+
cancel-in-progress: false
|
|
14
|
+
|
|
15
|
+
jobs:
|
|
16
|
+
acceptance:
|
|
17
|
+
name: ${{ matrix.case }} / ${{ matrix.os }} / Python ${{ matrix.python-version }}
|
|
18
|
+
runs-on: ${{ matrix.os }}
|
|
19
|
+
timeout-minutes: 45
|
|
20
|
+
strategy:
|
|
21
|
+
fail-fast: false
|
|
22
|
+
matrix:
|
|
23
|
+
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
24
|
+
python-version: ["3.11", "3.12", "3.13", "3.14"]
|
|
25
|
+
case: [pip-tools, uv-lock, poetry-lock, pdm-lock, pep751-pylock, extras-markers, private-index-fixture, native-wheel, sdist]
|
|
26
|
+
|
|
27
|
+
steps:
|
|
28
|
+
- name: Check out repository
|
|
29
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
30
|
+
with:
|
|
31
|
+
persist-credentials: false
|
|
32
|
+
|
|
33
|
+
- name: Set up Python
|
|
34
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
35
|
+
with:
|
|
36
|
+
python-version: ${{ matrix.python-version }}
|
|
37
|
+
cache: pip
|
|
38
|
+
|
|
39
|
+
- name: Install acceptance environment
|
|
40
|
+
run: |
|
|
41
|
+
python -m pip install --disable-pip-version-check --require-hashes --requirement requirements/runtime.lock
|
|
42
|
+
python -m pip install --disable-pip-version-check --no-build-isolation --no-deps -e .
|
|
43
|
+
python -m pip check
|
|
44
|
+
|
|
45
|
+
- name: Run acceptance case
|
|
46
|
+
env:
|
|
47
|
+
TRUSTCHECK_RUN_ACCEPTANCE: "1"
|
|
48
|
+
run: python scripts/acceptance_matrix.py --case "${{ matrix.case }}" --report-dir acceptance-reports
|
|
49
|
+
|
|
50
|
+
- name: Upload acceptance report
|
|
51
|
+
if: always()
|
|
52
|
+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
|
|
53
|
+
with:
|
|
54
|
+
name: acceptance-${{ matrix.case }}-${{ matrix.os }}-py${{ matrix.python-version }}
|
|
55
|
+
path: acceptance-reports/
|
|
56
|
+
if-no-files-found: warn
|
|
@@ -2,6 +2,11 @@ name: Benchmarks
|
|
|
2
2
|
|
|
3
3
|
on:
|
|
4
4
|
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "23 4 * * 1"
|
|
7
|
+
workflow_run:
|
|
8
|
+
workflows: ["Release"]
|
|
9
|
+
types: [completed]
|
|
5
10
|
|
|
6
11
|
permissions:
|
|
7
12
|
contents: read
|
|
@@ -12,6 +17,7 @@ concurrency:
|
|
|
12
17
|
|
|
13
18
|
jobs:
|
|
14
19
|
pip-audit-comparison:
|
|
20
|
+
if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
|
|
15
21
|
runs-on: ubuntu-latest
|
|
16
22
|
timeout-minutes: 45
|
|
17
23
|
steps:
|
|
@@ -248,11 +248,11 @@ jobs:
|
|
|
248
248
|
|
|
249
249
|
- name: Set up Docker Buildx
|
|
250
250
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
251
|
-
uses: docker/setup-buildx-action@
|
|
251
|
+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
252
252
|
|
|
253
253
|
- name: Log in to GitHub Container Registry
|
|
254
254
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
255
|
-
uses: docker/login-action@
|
|
255
|
+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
|
256
256
|
with:
|
|
257
257
|
registry: ghcr.io
|
|
258
258
|
username: ${{ github.actor }}
|
|
@@ -279,7 +279,7 @@ jobs:
|
|
|
279
279
|
|
|
280
280
|
- name: Build and publish CI Docker image
|
|
281
281
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
282
|
-
uses: docker/build-push-action@
|
|
282
|
+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
283
283
|
with:
|
|
284
284
|
context: .
|
|
285
285
|
file: ./Dockerfile
|
|
@@ -379,13 +379,20 @@ jobs:
|
|
|
379
379
|
GH_TOKEN: ${{ github.token }}
|
|
380
380
|
run: |
|
|
381
381
|
publish_root="$(mktemp -d)"
|
|
382
|
-
cp coverage-artifacts/coverage-badge/coverage.svg "$publish_root/coverage.svg"
|
|
383
382
|
git -C "$publish_root" init
|
|
384
383
|
git -C "$publish_root" config user.name "github-actions[bot]"
|
|
385
384
|
git -C "$publish_root" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
386
|
-
git -C "$publish_root" add coverage.svg
|
|
387
|
-
git -C "$publish_root" commit -m "Update coverage badge for ${GITHUB_SHA}"
|
|
388
|
-
git -C "$publish_root" branch -M coverage-badge
|
|
389
385
|
git -C "$publish_root" remote add origin \
|
|
390
386
|
"https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
|
|
387
|
+
git -C "$publish_root" fetch --depth=1 origin coverage-badge
|
|
388
|
+
if ! git -C "$publish_root" show FETCH_HEAD:PyPI.png > "$publish_root/PyPI.png"; then
|
|
389
|
+
printf '%s\n' \
|
|
390
|
+
"PyPI.png is missing from coverage-badge; refusing to replace the asset branch" \
|
|
391
|
+
"without it." >&2
|
|
392
|
+
exit 1
|
|
393
|
+
fi
|
|
394
|
+
cp coverage-artifacts/coverage-badge/coverage.svg "$publish_root/coverage.svg"
|
|
395
|
+
git -C "$publish_root" add PyPI.png coverage.svg
|
|
396
|
+
git -C "$publish_root" commit -m "Update coverage badge for ${GITHUB_SHA}"
|
|
397
|
+
git -C "$publish_root" branch -M coverage-badge
|
|
391
398
|
git -C "$publish_root" push --force origin coverage-badge
|
|
@@ -25,7 +25,7 @@ jobs:
|
|
|
25
25
|
fetch-depth: 0
|
|
26
26
|
|
|
27
27
|
- name: Initialize CodeQL
|
|
28
|
-
uses: github/codeql-action/init@
|
|
28
|
+
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
29
29
|
with:
|
|
30
30
|
languages: python
|
|
31
31
|
|
|
@@ -35,7 +35,7 @@ jobs:
|
|
|
35
35
|
python-version: "3.12"
|
|
36
36
|
|
|
37
37
|
- name: Autobuild
|
|
38
|
-
uses: github/codeql-action/autobuild@
|
|
38
|
+
uses: github/codeql-action/autobuild@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
39
39
|
|
|
40
40
|
- name: Perform CodeQL analysis
|
|
41
|
-
uses: github/codeql-action/analyze@
|
|
41
|
+
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
@@ -0,0 +1,128 @@
|
|
|
1
|
+
name: GitHub Code Copy Scan
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "37 3 * * *"
|
|
7
|
+
|
|
8
|
+
permissions:
|
|
9
|
+
contents: write
|
|
10
|
+
issues: write
|
|
11
|
+
pull-requests: write
|
|
12
|
+
|
|
13
|
+
concurrency:
|
|
14
|
+
group: github-code-copy-scan
|
|
15
|
+
cancel-in-progress: false
|
|
16
|
+
|
|
17
|
+
jobs:
|
|
18
|
+
scan:
|
|
19
|
+
name: Search GitHub for copied code
|
|
20
|
+
runs-on: ubuntu-latest
|
|
21
|
+
|
|
22
|
+
steps:
|
|
23
|
+
- name: Check out repository
|
|
24
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
25
|
+
with:
|
|
26
|
+
fetch-depth: 0
|
|
27
|
+
persist-credentials: false
|
|
28
|
+
|
|
29
|
+
- name: Set up Python
|
|
30
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
31
|
+
with:
|
|
32
|
+
python-version: "3.12"
|
|
33
|
+
|
|
34
|
+
- name: Search public GitHub code
|
|
35
|
+
env:
|
|
36
|
+
GITHUB_TOKEN: ${{ secrets.TRUSTCHECK_GITHUB_SEARCH_TOKEN || github.token }}
|
|
37
|
+
GITHUB_REPOSITORY: ${{ github.repository }}
|
|
38
|
+
run: |
|
|
39
|
+
python scripts/github_plagiarism_scan.py \
|
|
40
|
+
--source src/trustcheck \
|
|
41
|
+
--output reports/github-code-copy-findings.md \
|
|
42
|
+
--max-fingerprints 20 \
|
|
43
|
+
--per-page 10
|
|
44
|
+
|
|
45
|
+
- name: Open or update findings pull request or issue
|
|
46
|
+
env:
|
|
47
|
+
BRANCH: automation/github-code-copy-findings
|
|
48
|
+
GH_TOKEN: ${{ secrets.TRUSTCHECK_PR_TOKEN || github.token }}
|
|
49
|
+
ISSUE_TITLE: GitHub code copy scan findings
|
|
50
|
+
REPORT_PATH: reports/github-code-copy-findings.md
|
|
51
|
+
run: |
|
|
52
|
+
if [ -z "$(git status --porcelain -- "$REPORT_PATH")" ]; then
|
|
53
|
+
echo "No code-copy finding changes to publish."
|
|
54
|
+
exit 0
|
|
55
|
+
fi
|
|
56
|
+
|
|
57
|
+
git config user.name "github-actions[bot]"
|
|
58
|
+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
59
|
+
git checkout -B "$BRANCH"
|
|
60
|
+
git add "$REPORT_PATH"
|
|
61
|
+
git commit -m "Update GitHub code copy scan findings"
|
|
62
|
+
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
|
|
63
|
+
git push --force-with-lease origin "$BRANCH"
|
|
64
|
+
|
|
65
|
+
existing_pr="$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
|
|
66
|
+
if [ -n "$existing_pr" ]; then
|
|
67
|
+
gh pr edit "$existing_pr" \
|
|
68
|
+
--title "Update GitHub code copy scan findings" \
|
|
69
|
+
--body-file "$REPORT_PATH"
|
|
70
|
+
else
|
|
71
|
+
pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/new/${BRANCH}"
|
|
72
|
+
create_error="$(mktemp)"
|
|
73
|
+
if gh pr create \
|
|
74
|
+
--base main \
|
|
75
|
+
--head "$BRANCH" \
|
|
76
|
+
--title "Update GitHub code copy scan findings" \
|
|
77
|
+
--body-file "$REPORT_PATH" \
|
|
78
|
+
2>"$create_error"; then
|
|
79
|
+
exit 0
|
|
80
|
+
fi
|
|
81
|
+
|
|
82
|
+
cat "$create_error"
|
|
83
|
+
if grep -q "not permitted to create" "$create_error"; then
|
|
84
|
+
issue_body="$(mktemp)"
|
|
85
|
+
{
|
|
86
|
+
echo "GitHub Actions pushed the code-copy findings branch, but this repository does not permit Actions to create pull requests."
|
|
87
|
+
echo
|
|
88
|
+
echo "Findings branch: https://github.com/${GITHUB_REPOSITORY}/tree/${BRANCH}"
|
|
89
|
+
echo
|
|
90
|
+
echo "Manual pull request URL: ${pr_url}"
|
|
91
|
+
echo
|
|
92
|
+
cat "$REPORT_PATH"
|
|
93
|
+
} > "$issue_body"
|
|
94
|
+
|
|
95
|
+
existing_issue="$(
|
|
96
|
+
gh issue list \
|
|
97
|
+
--state open \
|
|
98
|
+
--search "${ISSUE_TITLE} in:title" \
|
|
99
|
+
--json number,title \
|
|
100
|
+
--jq ".[] | select(.title == \"${ISSUE_TITLE}\") | .number" \
|
|
101
|
+
| head -n 1
|
|
102
|
+
)"
|
|
103
|
+
if [ -n "$existing_issue" ]; then
|
|
104
|
+
gh issue edit "$existing_issue" \
|
|
105
|
+
--title "$ISSUE_TITLE" \
|
|
106
|
+
--body-file "$issue_body"
|
|
107
|
+
issue_url="https://github.com/${GITHUB_REPOSITORY}/issues/${existing_issue}"
|
|
108
|
+
else
|
|
109
|
+
issue_url="$(
|
|
110
|
+
gh issue create \
|
|
111
|
+
--title "$ISSUE_TITLE" \
|
|
112
|
+
--body-file "$issue_body"
|
|
113
|
+
)"
|
|
114
|
+
fi
|
|
115
|
+
|
|
116
|
+
{
|
|
117
|
+
echo "### GitHub code copy scan findings"
|
|
118
|
+
echo
|
|
119
|
+
echo "The findings branch was pushed, but GitHub Actions is not permitted to create pull requests in this repository."
|
|
120
|
+
echo
|
|
121
|
+
echo "Issue: ${issue_url}"
|
|
122
|
+
echo
|
|
123
|
+
echo "Manual pull request URL: ${pr_url}"
|
|
124
|
+
} >> "$GITHUB_STEP_SUMMARY"
|
|
125
|
+
exit 0
|
|
126
|
+
fi
|
|
127
|
+
exit 1
|
|
128
|
+
fi
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
name: Post-release Channel Parity
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_run:
|
|
5
|
+
workflows: ["Release"]
|
|
6
|
+
types: [completed]
|
|
7
|
+
workflow_dispatch:
|
|
8
|
+
inputs:
|
|
9
|
+
tag:
|
|
10
|
+
description: Release tag to verify, such as v2.1.1.
|
|
11
|
+
required: true
|
|
12
|
+
observed-json:
|
|
13
|
+
description: URL or repository path for normalized channel observations.
|
|
14
|
+
required: true
|
|
15
|
+
|
|
16
|
+
permissions:
|
|
17
|
+
contents: read
|
|
18
|
+
|
|
19
|
+
jobs:
|
|
20
|
+
verify-release-channels:
|
|
21
|
+
if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
|
|
22
|
+
runs-on: ubuntu-latest
|
|
23
|
+
|
|
24
|
+
steps:
|
|
25
|
+
- name: Check out repository
|
|
26
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
27
|
+
with:
|
|
28
|
+
persist-credentials: false
|
|
29
|
+
|
|
30
|
+
- name: Set up Python
|
|
31
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
32
|
+
with:
|
|
33
|
+
python-version: "3.12"
|
|
34
|
+
|
|
35
|
+
- name: Resolve release parity inputs
|
|
36
|
+
id: release
|
|
37
|
+
env:
|
|
38
|
+
GH_TOKEN: ${{ github.token }}
|
|
39
|
+
INPUT_TAG: ${{ github.event.inputs.tag }}
|
|
40
|
+
INPUT_OBSERVED_JSON: ${{ github.event.inputs.observed-json }}
|
|
41
|
+
RELEASE_CHANNEL_OBSERVATIONS_URL: ${{ vars.RELEASE_CHANNEL_OBSERVATIONS_URL }}
|
|
42
|
+
run: |
|
|
43
|
+
tag="${INPUT_TAG:-}"
|
|
44
|
+
if [ -z "$tag" ]; then
|
|
45
|
+
tag="$(gh release list --limit 1 --json tagName --jq '.[0].tagName')"
|
|
46
|
+
fi
|
|
47
|
+
if [ -z "$tag" ]; then
|
|
48
|
+
echo "Unable to determine the release tag to verify." >&2
|
|
49
|
+
exit 1
|
|
50
|
+
fi
|
|
51
|
+
observed_json="${INPUT_OBSERVED_JSON:-$RELEASE_CHANNEL_OBSERVATIONS_URL}"
|
|
52
|
+
if [ -z "$observed_json" ]; then
|
|
53
|
+
echo "Set workflow input observed-json or repository variable RELEASE_CHANNEL_OBSERVATIONS_URL." >&2
|
|
54
|
+
exit 1
|
|
55
|
+
fi
|
|
56
|
+
echo "tag=$tag" >> "$GITHUB_OUTPUT"
|
|
57
|
+
echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
|
|
58
|
+
echo "observed_json=$observed_json" >> "$GITHUB_OUTPUT"
|
|
59
|
+
|
|
60
|
+
- name: Download release checksums
|
|
61
|
+
env:
|
|
62
|
+
GH_TOKEN: ${{ github.token }}
|
|
63
|
+
RELEASE_TAG: ${{ steps.release.outputs.tag }}
|
|
64
|
+
run: gh release download "$RELEASE_TAG" --pattern SHA256SUMS.txt --repo "$GITHUB_REPOSITORY"
|
|
65
|
+
|
|
66
|
+
- name: Verify channel parity
|
|
67
|
+
env:
|
|
68
|
+
RELEASE_TAG: ${{ steps.release.outputs.tag }}
|
|
69
|
+
RELEASE_VERSION: ${{ steps.release.outputs.version }}
|
|
70
|
+
OBSERVED_JSON: ${{ steps.release.outputs.observed_json }}
|
|
71
|
+
run: |
|
|
72
|
+
python scripts/verify_release_channels.py \
|
|
73
|
+
--expected-version "$RELEASE_VERSION" \
|
|
74
|
+
--tag "$RELEASE_TAG" \
|
|
75
|
+
--expected-checksums SHA256SUMS.txt \
|
|
76
|
+
--required-channel pypi \
|
|
77
|
+
--required-channel github \
|
|
78
|
+
--required-channel snap \
|
|
79
|
+
--required-channel docker \
|
|
80
|
+
--required-channel homebrew \
|
|
81
|
+
--required-channel winget \
|
|
82
|
+
--expected-architecture docker=linux/amd64 \
|
|
83
|
+
--expected-architecture docker=linux/arm64 \
|
|
84
|
+
--expected-architecture docker=linux/arm/v7 \
|
|
85
|
+
--expected-architecture snap=amd64 \
|
|
86
|
+
--expected-architecture snap=arm64 \
|
|
87
|
+
--expected-architecture snap=armhf \
|
|
88
|
+
--expected-architecture github=windows-x86_64 \
|
|
89
|
+
--release-notes-fragment "Published from immutable commit" \
|
|
90
|
+
--observed-json "$OBSERVED_JSON"
|
|
@@ -837,6 +837,84 @@ jobs:
|
|
|
837
837
|
packages-dir: dist/packages
|
|
838
838
|
verbose: true
|
|
839
839
|
|
|
840
|
+
publish-homebrew-tap:
|
|
841
|
+
needs: publish-pypi
|
|
842
|
+
runs-on: ubuntu-latest
|
|
843
|
+
|
|
844
|
+
steps:
|
|
845
|
+
- name: Check out tagged commit
|
|
846
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
847
|
+
with:
|
|
848
|
+
ref: ${{ github.sha }}
|
|
849
|
+
persist-credentials: false
|
|
850
|
+
|
|
851
|
+
- name: Set up Python
|
|
852
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
853
|
+
with:
|
|
854
|
+
python-version: "3.12"
|
|
855
|
+
|
|
856
|
+
- name: Download build artifacts
|
|
857
|
+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
|
|
858
|
+
with:
|
|
859
|
+
name: dist-${{ github.sha }}
|
|
860
|
+
path: dist
|
|
861
|
+
|
|
862
|
+
- name: Export Homebrew tap pins
|
|
863
|
+
run: |
|
|
864
|
+
python scripts/export_homebrew_tap.py \
|
|
865
|
+
--runtime-lock requirements/runtime.lock \
|
|
866
|
+
--build-lock requirements/action.lock \
|
|
867
|
+
--checksums dist/SHA256SUMS.txt \
|
|
868
|
+
--output-dir homebrew-tap-export/trustcheck \
|
|
869
|
+
--tag "$GITHUB_REF_NAME" \
|
|
870
|
+
--source-repository "$GITHUB_REPOSITORY" \
|
|
871
|
+
--source-commit "$GITHUB_SHA" \
|
|
872
|
+
--extra-package setuptools-scm \
|
|
873
|
+
--extra-package wheel
|
|
874
|
+
|
|
875
|
+
- name: Require Homebrew tap token
|
|
876
|
+
env:
|
|
877
|
+
HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN || secrets.RELEASE_TOKEN }}
|
|
878
|
+
run: |
|
|
879
|
+
if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
|
|
880
|
+
echo "Set HOMEBREW_TAP_TOKEN or RELEASE_TOKEN with contents:write access to Halfblood-Prince/homebrew-tap." >&2
|
|
881
|
+
exit 1
|
|
882
|
+
fi
|
|
883
|
+
|
|
884
|
+
- name: Check out Homebrew tap
|
|
885
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
886
|
+
with:
|
|
887
|
+
repository: Halfblood-Prince/homebrew-tap
|
|
888
|
+
ref: main
|
|
889
|
+
token: ${{ secrets.HOMEBREW_TAP_TOKEN || secrets.RELEASE_TOKEN }}
|
|
890
|
+
path: homebrew-tap
|
|
891
|
+
persist-credentials: true
|
|
892
|
+
|
|
893
|
+
- name: Commit Homebrew tap pins
|
|
894
|
+
env:
|
|
895
|
+
RELEASE_TAG: ${{ github.ref_name }}
|
|
896
|
+
run: |
|
|
897
|
+
mkdir -p homebrew-tap/trustcheck
|
|
898
|
+
cp homebrew-tap-export/trustcheck/runtime.lock homebrew-tap/trustcheck/runtime.lock
|
|
899
|
+
cp homebrew-tap-export/trustcheck/resources.rb homebrew-tap/trustcheck/resources.rb
|
|
900
|
+
cp homebrew-tap-export/trustcheck/release.json homebrew-tap/trustcheck/release.json
|
|
901
|
+
|
|
902
|
+
git -C homebrew-tap config user.name "github-actions[bot]"
|
|
903
|
+
git -C homebrew-tap config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
904
|
+
git -C homebrew-tap add trustcheck
|
|
905
|
+
if git -C homebrew-tap diff --cached --quiet; then
|
|
906
|
+
echo "No Homebrew tap pin changes to commit."
|
|
907
|
+
exit 0
|
|
908
|
+
fi
|
|
909
|
+
git -C homebrew-tap commit -m "Update trustcheck Homebrew pins for ${RELEASE_TAG}"
|
|
910
|
+
git -C homebrew-tap push
|
|
911
|
+
{
|
|
912
|
+
echo "## Homebrew tap"
|
|
913
|
+
echo
|
|
914
|
+
echo "- Updated \`Halfblood-Prince/homebrew-tap\` trustcheck pin export for \`${RELEASE_TAG}\`."
|
|
915
|
+
echo "- Wrote \`trustcheck/runtime.lock\`, \`trustcheck/resources.rb\`, and \`trustcheck/release.json\`."
|
|
916
|
+
} >> "$GITHUB_STEP_SUMMARY"
|
|
917
|
+
|
|
840
918
|
publish-docker:
|
|
841
919
|
needs:
|
|
842
920
|
- coverage-build
|
|
@@ -852,13 +930,13 @@ jobs:
|
|
|
852
930
|
persist-credentials: false
|
|
853
931
|
|
|
854
932
|
- name: Set up QEMU for multi-platform builds
|
|
855
|
-
uses: docker/setup-qemu-action@
|
|
933
|
+
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
|
|
856
934
|
|
|
857
935
|
- name: Set up Docker Buildx
|
|
858
|
-
uses: docker/setup-buildx-action@
|
|
936
|
+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
859
937
|
|
|
860
938
|
- name: Log in to GitHub Container Registry
|
|
861
|
-
uses: docker/login-action@
|
|
939
|
+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
|
862
940
|
with:
|
|
863
941
|
registry: ghcr.io
|
|
864
942
|
username: ${{ github.actor }}
|
|
@@ -891,7 +969,7 @@ jobs:
|
|
|
891
969
|
} >> "$GITHUB_OUTPUT"
|
|
892
970
|
|
|
893
971
|
- name: Build and publish multi-platform Docker images
|
|
894
|
-
uses: docker/build-push-action@
|
|
972
|
+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
895
973
|
with:
|
|
896
974
|
context: .
|
|
897
975
|
file: ./Dockerfile
|
|
@@ -935,9 +1013,9 @@ jobs:
|
|
|
935
1013
|
append_body: true
|
|
936
1014
|
body: |
|
|
937
1015
|
Published from immutable commit `${{ github.sha }}`.
|
|
938
|
-
The release workflow publishes PyPI, GitHub Action, Snap Store,
|
|
939
|
-
GHCR Docker distributions after shared tag
|
|
940
|
-
and coverage builds.
|
|
1016
|
+
The release workflow publishes PyPI, GitHub Action, Snap Store,
|
|
1017
|
+
Homebrew tap pins, and GHCR Docker distributions after shared tag
|
|
1018
|
+
verification, QA, matrix, and coverage builds.
|
|
941
1019
|
|
|
942
1020
|
Release artifacts:
|
|
943
1021
|
- `dist/*`
|
|
@@ -58,7 +58,7 @@ jobs:
|
|
|
58
58
|
--compare trustcheck-second.sarif
|
|
59
59
|
|
|
60
60
|
- name: Upload SARIF to GitHub code scanning
|
|
61
|
-
uses: github/codeql-action/upload-sarif@
|
|
61
|
+
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
62
62
|
with:
|
|
63
63
|
sarif_file: trustcheck-first.sarif
|
|
64
64
|
category: trustcheck-sarif-integration
|
|
@@ -6,14 +6,33 @@ The project follows Semantic Versioning for the supported public API described i
|
|
|
6
6
|
|
|
7
7
|
## Unreleased
|
|
8
8
|
|
|
9
|
+
## [2.2.0] - 2026-07-05
|
|
10
|
+
|
|
11
|
+
Package release `2.2.0` emits machine-readable report schema `1.11.0`.
|
|
12
|
+
|
|
9
13
|
### Added
|
|
10
14
|
|
|
11
|
-
- Added
|
|
15
|
+
- Added malicious-package heuristic rule metadata, policy-configurable
|
|
12
16
|
aggregate and per-rule thresholds, and advanced the schema to `1.11.0`.
|
|
13
17
|
- Added opt-in `--dynamic-analysis` execution in a disposable, no-network,
|
|
14
18
|
non-root Docker sandbox with CPU, memory, process, and wall-clock limits.
|
|
19
|
+
- Added `trustcheck manifest init|verify|update` for dependency trust
|
|
20
|
+
baselines that block repository, Trusted Publisher, SLSA, provenance,
|
|
21
|
+
index-origin, native-binary, dynamic-execution, and malicious-score
|
|
22
|
+
regressions.
|
|
23
|
+
- Added `trustcheck diff` for lockfile and pull-request trust review across
|
|
24
|
+
changed direct and transitive packages, with text, JSON, Markdown, SARIF,
|
|
25
|
+
Git ref discovery, GitHub PR commenting, and optional trust-manifest
|
|
26
|
+
enforcement.
|
|
27
|
+
- Added `trustcheck doctor`, concise `--summary`/`--decision` report output,
|
|
28
|
+
source/release provenance parity checks, starter policy bundles, and a
|
|
29
|
+
post-release channel parity verifier workflow.
|
|
15
30
|
- Added a pinned GitHub Dependency Review pull-request gate for vulnerable
|
|
16
31
|
dependency.
|
|
32
|
+
- Strengthened `scan --fix` to target policy-failing packages, validate the
|
|
33
|
+
generated graph in a clean virtual environment, run
|
|
34
|
+
`[tool.trustcheck.fix].test_commands`, support `requirements.lock`, and write
|
|
35
|
+
a review patch artifact; advanced the remediation schema to `1.3.0`.
|
|
17
36
|
|
|
18
37
|
### Changed
|
|
19
38
|
|
|
@@ -24,6 +43,15 @@ The project follows Semantic Versioning for the supported public API described i
|
|
|
24
43
|
Sigstore requirements `PyJWT`, `idna`, and `tuf`; the action lockfile still
|
|
25
44
|
constrains the resolved transitive set.
|
|
26
45
|
|
|
46
|
+
## [2.1.2] - 2026-07-01
|
|
47
|
+
|
|
48
|
+
Package release `2.1.2` emits machine-readable report schema `1.11.0`.
|
|
49
|
+
|
|
50
|
+
### Changed
|
|
51
|
+
|
|
52
|
+
- Corrected the changelog description for the pinned GitHub Dependency Review
|
|
53
|
+
pull-request gate.
|
|
54
|
+
|
|
27
55
|
## [2.1.1] - 2026-06-28
|
|
28
56
|
|
|
29
57
|
Package release `2.1.1` emits machine-readable report schema `1.11.0`.
|
|
@@ -244,7 +272,9 @@ Package release `1.9.0` emits machine-readable report schema `1.4.0`.
|
|
|
244
272
|
- Aligned the README, documentation site, CLI help, changelog, and JSON contract documentation around the same supported feature set.
|
|
245
273
|
- Replaced temporary Discord issue and security links with stable GitHub project pages and private vulnerability reporting.
|
|
246
274
|
|
|
247
|
-
[Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.
|
|
275
|
+
[Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.2.0...HEAD
|
|
276
|
+
[2.2.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.2...v2.2.0
|
|
277
|
+
[2.1.2]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...v2.1.2
|
|
248
278
|
[2.1.1]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.0...v2.1.1
|
|
249
279
|
[2.1.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.0.5...v2.1.0
|
|
250
280
|
[1.9.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v1.8.0...v1.9.0
|