trustcheck 2.1.2__tar.gz → 2.2.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (244) hide show
  1. trustcheck-2.2.1/.github/workflows/acceptance-matrix.yml +56 -0
  2. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/benchmarks.yml +6 -0
  3. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/ci.yml +14 -7
  4. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/codeql.yml +3 -3
  5. trustcheck-2.2.1/.github/workflows/plagiarism-scan.yml +128 -0
  6. trustcheck-2.2.1/.github/workflows/post-release-parity.yml +90 -0
  7. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/publish.yml +85 -7
  8. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/sarif-integration.yml +1 -1
  9. {trustcheck-2.1.2 → trustcheck-2.2.1}/CHANGELOG.md +32 -2
  10. trustcheck-2.2.1/MANIFEST.in +3 -0
  11. {trustcheck-2.1.2/src/trustcheck.egg-info → trustcheck-2.2.1}/PKG-INFO +169 -29
  12. {trustcheck-2.1.2 → trustcheck-2.2.1}/README.md +168 -28
  13. {trustcheck-2.1.2 → trustcheck-2.2.1}/action.yml +10 -2
  14. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/README.md +16 -7
  15. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/corpus.json +9 -0
  16. trustcheck-2.2.1/benchmarks/corpus/malicious-calibration.json +102 -0
  17. trustcheck-2.2.1/benchmarks/corpus/pdm.lock +22 -0
  18. trustcheck-2.2.1/benchmarks/results/benchmark-public-key.pem +11 -0
  19. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/results/latest.json +339 -866
  20. trustcheck-2.2.1/benchmarks/results/latest.json.sig +1 -0
  21. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/changelog.md +1 -1
  22. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/index.md +67 -3
  23. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/getting-started/quickstart.md +31 -2
  24. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/guides/ci-integration.md +85 -13
  25. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/index.md +32 -3
  26. trustcheck-2.2.1/docs/reference/benchmarks.md +92 -0
  27. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/industry-formats.md +20 -9
  28. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/json-contract.md +11 -9
  29. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/malicious-package-detection.md +28 -3
  30. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/python-api.md +3 -2
  31. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/remediation.md +36 -13
  32. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_exports.py +9 -1
  33. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/action.lock +1 -0
  34. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/ci.in +3 -3
  35. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/ci.lock +22 -23
  36. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/semgrep.in +1 -1
  37. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/semgrep.lock +118 -69
  38. trustcheck-2.2.1/scripts/acceptance_matrix.py +212 -0
  39. trustcheck-2.2.1/scripts/export_homebrew_tap.py +307 -0
  40. trustcheck-2.2.1/scripts/github_plagiarism_scan.py +307 -0
  41. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/update_benchmark_table.py +22 -14
  42. trustcheck-2.2.1/scripts/verify_release_channels.py +361 -0
  43. trustcheck-2.2.1/src/trustcheck/__init__.py +278 -0
  44. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/_version.py +2 -2
  45. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/attestations.py +106 -41
  46. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli.py +866 -7
  47. trustcheck-2.2.1/src/trustcheck/cli_commands/diff.py +408 -0
  48. trustcheck-2.2.1/src/trustcheck/cli_commands/doctor.py +31 -0
  49. trustcheck-2.2.1/src/trustcheck/cli_commands/impact.py +168 -0
  50. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/inspect.py +8 -3
  51. trustcheck-2.2.1/src/trustcheck/cli_commands/install.py +931 -0
  52. trustcheck-2.2.1/src/trustcheck/cli_commands/manifest.py +260 -0
  53. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/scan.py +9 -3
  54. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_render.py +107 -0
  55. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/contract.py +14 -2
  56. trustcheck-2.2.1/src/trustcheck/diff.py +917 -0
  57. trustcheck-2.2.1/src/trustcheck/doctor.py +432 -0
  58. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/export_models.py +9 -0
  59. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/export_xml.py +33 -10
  60. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/exports.py +392 -54
  61. trustcheck-2.2.1/src/trustcheck/impact.py +882 -0
  62. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/malicious.py +33 -33
  63. trustcheck-2.2.1/src/trustcheck/manifest.py +1028 -0
  64. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/policy.py +35 -1
  65. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/provenance.py +182 -0
  66. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/remediation.py +197 -23
  67. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/remediation_models.py +47 -1
  68. trustcheck-2.2.1/src/trustcheck/remediation_render.py +91 -0
  69. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/snapshots.py +35 -7
  70. {trustcheck-2.1.2 → trustcheck-2.2.1/src/trustcheck.egg-info}/PKG-INFO +169 -29
  71. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/SOURCES.txt +26 -0
  72. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/contract_schema.json +2 -0
  73. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_attestations.py +42 -0
  74. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_benchmark_results.py +40 -0
  75. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_ci_workflow.py +87 -1
  76. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_cli.py +276 -1
  77. trustcheck-2.2.1/tests/test_diff.py +816 -0
  78. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_docker_workflows.py +7 -7
  79. trustcheck-2.2.1/tests/test_doctor.py +371 -0
  80. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_edge_cases.py +8 -0
  81. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_exports.py +103 -0
  82. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_github_action.py +16 -0
  83. trustcheck-2.2.1/tests/test_homebrew_tap_export.py +134 -0
  84. trustcheck-2.2.1/tests/test_impact.py +633 -0
  85. trustcheck-2.2.1/tests/test_install_command.py +880 -0
  86. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_lockfiles.py +13 -0
  87. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_malicious.py +3 -3
  88. trustcheck-2.2.1/tests/test_manifest.py +818 -0
  89. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_performance_extensibility.py +52 -2
  90. trustcheck-2.2.1/tests/test_plagiarism_scan.py +257 -0
  91. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_provenance.py +95 -1
  92. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_public_api.py +23 -2
  93. trustcheck-2.2.1/tests/test_release_channels.py +160 -0
  94. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_readiness.py +56 -2
  95. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_remediation.py +436 -0
  96. trustcheck-2.1.2/MANIFEST.in +0 -1
  97. trustcheck-2.1.2/benchmarks/results/benchmark-public-key.pem +0 -11
  98. trustcheck-2.1.2/benchmarks/results/latest.json.sig +0 -1
  99. trustcheck-2.1.2/docs/reference/benchmarks.md +0 -60
  100. trustcheck-2.1.2/src/trustcheck/__init__.py +0 -193
  101. trustcheck-2.1.2/src/trustcheck/remediation_render.py +0 -50
  102. {trustcheck-2.1.2 → trustcheck-2.2.1}/.dockerignore +0 -0
  103. {trustcheck-2.1.2 → trustcheck-2.2.1}/.gitattributes +0 -0
  104. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/CODEOWNERS +0 -0
  105. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/ISSUE_TEMPLATE/general.yml +0 -0
  106. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/dependabot.yml +0 -0
  107. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/trustcheck-action-fail-policy.json +0 -0
  108. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/action-integration.yml +0 -0
  109. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/bandit.yml +0 -0
  110. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/binary-security.yml +0 -0
  111. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/docs.yml +0 -0
  112. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/fuzz.yml +0 -0
  113. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/live-integration.yml +0 -0
  114. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/mutation.yml +0 -0
  115. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/semgrep.yml +0 -0
  116. {trustcheck-2.1.2 → trustcheck-2.2.1}/.github/workflows/source-build.yml +0 -0
  117. {trustcheck-2.1.2 → trustcheck-2.2.1}/.gitignore +0 -0
  118. {trustcheck-2.1.2 → trustcheck-2.2.1}/.pre-commit-hooks.yaml +0 -0
  119. {trustcheck-2.1.2 → trustcheck-2.2.1}/CONTRIBUTING.md +0 -0
  120. {trustcheck-2.1.2 → trustcheck-2.2.1}/Dockerfile +0 -0
  121. {trustcheck-2.1.2 → trustcheck-2.2.1}/LICENSE +0 -0
  122. {trustcheck-2.1.2 → trustcheck-2.2.1}/SECURITY.md +0 -0
  123. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/benchmark_against_pip_audit.py +0 -0
  124. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/poetry.lock +0 -0
  125. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/pylock.toml +0 -0
  126. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-hashed.txt +0 -0
  127. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-main.txt +0 -0
  128. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-malformed.txt +0 -0
  129. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-markers-extras.txt +0 -0
  130. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-private-index.txt +0 -0
  131. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-profiles.txt +0 -0
  132. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-resolution.txt +0 -0
  133. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements-vcs-editable.txt +0 -0
  134. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/requirements.txt +0 -0
  135. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth-public-key.pem +0 -0
  136. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth.json +0 -0
  137. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/truth.json.sig +0 -0
  138. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/corpus/uv.lock +0 -0
  139. {trustcheck-2.1.2 → trustcheck-2.2.1}/benchmarks/measure_command.py +0 -0
  140. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/images/logo-bg-less.png +0 -0
  141. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/images/logo.png +0 -0
  142. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/assets/javascripts/disable-search-shortcut.js +0 -0
  143. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/configuration.md +0 -0
  144. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/exit-codes.md +0 -0
  145. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/cli/policies.md +0 -0
  146. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/getting-started/installation.md +0 -0
  147. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/compatibility.md +0 -0
  148. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/performance-extensibility.md +0 -0
  149. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/recommendations.md +0 -0
  150. {trustcheck-2.1.2 → trustcheck-2.2.1}/docs/reference/trust-model.md +0 -0
  151. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/README.md +0 -0
  152. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_artifacts.py +0 -0
  153. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_indexes.py +0 -0
  154. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_lockfiles.py +0 -0
  155. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_provenance.py +0 -0
  156. {trustcheck-2.1.2 → trustcheck-2.2.1}/fuzz/fuzz_requirements.py +0 -0
  157. {trustcheck-2.1.2 → trustcheck-2.2.1}/mkdocs.yml +0 -0
  158. {trustcheck-2.1.2 → trustcheck-2.2.1}/pyproject.toml +0 -0
  159. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/fuzz.in +0 -0
  160. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/fuzz.lock +0 -0
  161. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/runtime.in +0 -0
  162. {trustcheck-2.1.2 → trustcheck-2.2.1}/requirements/runtime.lock +0 -0
  163. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/benchmark_signature.py +0 -0
  164. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/build_msix_layout.py +0 -0
  165. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/build_standalone.py +0 -0
  166. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/check_mutation_score.py +0 -0
  167. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/dependency_bounds.py +0 -0
  168. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/smoke_test_distribution.py +0 -0
  169. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/trustcheck_binary.py +0 -0
  170. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/update_coverage_badge.py +0 -0
  171. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/validate_sarif.py +0 -0
  172. {trustcheck-2.1.2 → trustcheck-2.2.1}/scripts/verify_release_version.py +0 -0
  173. {trustcheck-2.1.2 → trustcheck-2.2.1}/setup.cfg +0 -0
  174. {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/README.md +0 -0
  175. {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/gui/icon.png +0 -0
  176. {trustcheck-2.1.2 → trustcheck-2.2.1}/snap/snapcraft.yaml +0 -0
  177. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/__main__.py +0 -0
  178. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/_resolver_guard.py +0 -0
  179. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/advisories.py +0 -0
  180. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/artifacts.py +0 -0
  181. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cache.py +0 -0
  182. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/__init__.py +0 -0
  183. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/context.py +0 -0
  184. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_commands/environment.py +0 -0
  185. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_models.py +0 -0
  186. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_runtime.py +0 -0
  187. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/cli_targets.py +0 -0
  188. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/dynamic.py +0 -0
  189. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/github_action.py +0 -0
  190. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/indexes.py +0 -0
  191. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/lockfiles.py +0 -0
  192. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/models.py +0 -0
  193. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/plugins.py +0 -0
  194. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/pre_commit.py +0 -0
  195. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/py.typed +0 -0
  196. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/pypi.py +0 -0
  197. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/resolver.py +0 -0
  198. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/resume.py +0 -0
  199. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/schemas.py +0 -0
  200. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service.py +0 -0
  201. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service_state.py +0 -0
  202. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/service_urls.py +0 -0
  203. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck/workspace.py +0 -0
  204. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/dependency_links.txt +0 -0
  205. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/entry_points.txt +0 -0
  206. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/requires.txt +0 -0
  207. {trustcheck-2.1.2 → trustcheck-2.2.1}/src/trustcheck.egg-info/top_level.txt +0 -0
  208. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/bad-scan.toml +0 -0
  209. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/cache/5e491d79f8ba9e36d864ae50c690989677616cd509e5b99abb9272c8ad976435.json +0 -0
  210. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/config_non_object.json +0 -0
  211. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/empty-scan.toml +0 -0
  212. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/empty-scan.txt +0 -0
  213. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/invalid-scan.txt +0 -0
  214. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/policy_non_object.json +0 -0
  215. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/scan-poetry.toml +0 -0
  216. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/_tmp/scan-project.toml +0 -0
  217. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/client_config.json +0 -0
  218. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/policy_require_expected_repo.json +0 -0
  219. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/fixtures/requirements-vulnerable.txt +0 -0
  220. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/report_minimal.json +0 -0
  221. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/snapshots/report_verified.json +0 -0
  222. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_advisories.py +0 -0
  223. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_artifacts.py +0 -0
  224. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_binary_security_workflow.py +0 -0
  225. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_contract.py +0 -0
  226. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_dependency_bounds.py +0 -0
  227. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_dynamic.py +0 -0
  228. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_indexes.py +0 -0
  229. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_integration_live.py +0 -0
  230. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_msix_packaging.py +0 -0
  231. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_mutation_score.py +0 -0
  232. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_plugin_security.py +0 -0
  233. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_pre_commit.py +0 -0
  234. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_property_invariants.py +0 -0
  235. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_pypi.py +0 -0
  236. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_executable.py +0 -0
  237. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_release_version.py +0 -0
  238. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_resolver.py +0 -0
  239. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_resolver_guard.py +0 -0
  240. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_sarif_validation.py +0 -0
  241. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_scan_profiles.py +0 -0
  242. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_service.py +0 -0
  243. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_snap_packaging.py +0 -0
  244. {trustcheck-2.1.2 → trustcheck-2.2.1}/tests/test_workspace.py +0 -0
@@ -0,0 +1,56 @@
1
+ name: Acceptance Matrix
2
+
3
+ on:
4
+ workflow_dispatch:
5
+ schedule:
6
+ - cron: "47 4 * * *"
7
+
8
+ permissions:
9
+ contents: read
10
+
11
+ concurrency:
12
+ group: acceptance-matrix-main
13
+ cancel-in-progress: false
14
+
15
+ jobs:
16
+ acceptance:
17
+ name: ${{ matrix.case }} / ${{ matrix.os }} / Python ${{ matrix.python-version }}
18
+ runs-on: ${{ matrix.os }}
19
+ timeout-minutes: 45
20
+ strategy:
21
+ fail-fast: false
22
+ matrix:
23
+ os: [ubuntu-latest, macos-latest, windows-latest]
24
+ python-version: ["3.11", "3.12", "3.13", "3.14"]
25
+ case: [pip-tools, uv-lock, poetry-lock, pdm-lock, pep751-pylock, extras-markers, private-index-fixture, native-wheel, sdist]
26
+
27
+ steps:
28
+ - name: Check out repository
29
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
30
+ with:
31
+ persist-credentials: false
32
+
33
+ - name: Set up Python
34
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
35
+ with:
36
+ python-version: ${{ matrix.python-version }}
37
+ cache: pip
38
+
39
+ - name: Install acceptance environment
40
+ run: |
41
+ python -m pip install --disable-pip-version-check --require-hashes --requirement requirements/runtime.lock
42
+ python -m pip install --disable-pip-version-check --no-build-isolation --no-deps -e .
43
+ python -m pip check
44
+
45
+ - name: Run acceptance case
46
+ env:
47
+ TRUSTCHECK_RUN_ACCEPTANCE: "1"
48
+ run: python scripts/acceptance_matrix.py --case "${{ matrix.case }}" --report-dir acceptance-reports
49
+
50
+ - name: Upload acceptance report
51
+ if: always()
52
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
53
+ with:
54
+ name: acceptance-${{ matrix.case }}-${{ matrix.os }}-py${{ matrix.python-version }}
55
+ path: acceptance-reports/
56
+ if-no-files-found: warn
@@ -2,6 +2,11 @@ name: Benchmarks
2
2
 
3
3
  on:
4
4
  workflow_dispatch:
5
+ schedule:
6
+ - cron: "23 4 * * 1"
7
+ workflow_run:
8
+ workflows: ["Release"]
9
+ types: [completed]
5
10
 
6
11
  permissions:
7
12
  contents: read
@@ -12,6 +17,7 @@ concurrency:
12
17
 
13
18
  jobs:
14
19
  pip-audit-comparison:
20
+ if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
15
21
  runs-on: ubuntu-latest
16
22
  timeout-minutes: 45
17
23
  steps:
@@ -248,11 +248,11 @@ jobs:
248
248
 
249
249
  - name: Set up Docker Buildx
250
250
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
251
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
251
+ uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
252
252
 
253
253
  - name: Log in to GitHub Container Registry
254
254
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
255
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
255
+ uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
256
256
  with:
257
257
  registry: ghcr.io
258
258
  username: ${{ github.actor }}
@@ -279,7 +279,7 @@ jobs:
279
279
 
280
280
  - name: Build and publish CI Docker image
281
281
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
282
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
282
+ uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
283
283
  with:
284
284
  context: .
285
285
  file: ./Dockerfile
@@ -379,13 +379,20 @@ jobs:
379
379
  GH_TOKEN: ${{ github.token }}
380
380
  run: |
381
381
  publish_root="$(mktemp -d)"
382
- cp coverage-artifacts/coverage-badge/coverage.svg "$publish_root/coverage.svg"
383
382
  git -C "$publish_root" init
384
383
  git -C "$publish_root" config user.name "github-actions[bot]"
385
384
  git -C "$publish_root" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
386
- git -C "$publish_root" add coverage.svg
387
- git -C "$publish_root" commit -m "Update coverage badge for ${GITHUB_SHA}"
388
- git -C "$publish_root" branch -M coverage-badge
389
385
  git -C "$publish_root" remote add origin \
390
386
  "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
387
+ git -C "$publish_root" fetch --depth=1 origin coverage-badge
388
+ if ! git -C "$publish_root" show FETCH_HEAD:PyPI.png > "$publish_root/PyPI.png"; then
389
+ printf '%s\n' \
390
+ "PyPI.png is missing from coverage-badge; refusing to replace the asset branch" \
391
+ "without it." >&2
392
+ exit 1
393
+ fi
394
+ cp coverage-artifacts/coverage-badge/coverage.svg "$publish_root/coverage.svg"
395
+ git -C "$publish_root" add PyPI.png coverage.svg
396
+ git -C "$publish_root" commit -m "Update coverage badge for ${GITHUB_SHA}"
397
+ git -C "$publish_root" branch -M coverage-badge
391
398
  git -C "$publish_root" push --force origin coverage-badge
@@ -25,7 +25,7 @@ jobs:
25
25
  fetch-depth: 0
26
26
 
27
27
  - name: Initialize CodeQL
28
- uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
28
+ uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
29
29
  with:
30
30
  languages: python
31
31
 
@@ -35,7 +35,7 @@ jobs:
35
35
  python-version: "3.12"
36
36
 
37
37
  - name: Autobuild
38
- uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
38
+ uses: github/codeql-action/autobuild@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
39
39
 
40
40
  - name: Perform CodeQL analysis
41
- uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
41
+ uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
@@ -0,0 +1,128 @@
1
+ name: GitHub Code Copy Scan
2
+
3
+ on:
4
+ workflow_dispatch:
5
+ schedule:
6
+ - cron: "37 3 * * *"
7
+
8
+ permissions:
9
+ contents: write
10
+ issues: write
11
+ pull-requests: write
12
+
13
+ concurrency:
14
+ group: github-code-copy-scan
15
+ cancel-in-progress: false
16
+
17
+ jobs:
18
+ scan:
19
+ name: Search GitHub for copied code
20
+ runs-on: ubuntu-latest
21
+
22
+ steps:
23
+ - name: Check out repository
24
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
25
+ with:
26
+ fetch-depth: 0
27
+ persist-credentials: false
28
+
29
+ - name: Set up Python
30
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
31
+ with:
32
+ python-version: "3.12"
33
+
34
+ - name: Search public GitHub code
35
+ env:
36
+ GITHUB_TOKEN: ${{ secrets.TRUSTCHECK_GITHUB_SEARCH_TOKEN || github.token }}
37
+ GITHUB_REPOSITORY: ${{ github.repository }}
38
+ run: |
39
+ python scripts/github_plagiarism_scan.py \
40
+ --source src/trustcheck \
41
+ --output reports/github-code-copy-findings.md \
42
+ --max-fingerprints 20 \
43
+ --per-page 10
44
+
45
+ - name: Open or update findings pull request or issue
46
+ env:
47
+ BRANCH: automation/github-code-copy-findings
48
+ GH_TOKEN: ${{ secrets.TRUSTCHECK_PR_TOKEN || github.token }}
49
+ ISSUE_TITLE: GitHub code copy scan findings
50
+ REPORT_PATH: reports/github-code-copy-findings.md
51
+ run: |
52
+ if [ -z "$(git status --porcelain -- "$REPORT_PATH")" ]; then
53
+ echo "No code-copy finding changes to publish."
54
+ exit 0
55
+ fi
56
+
57
+ git config user.name "github-actions[bot]"
58
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
59
+ git checkout -B "$BRANCH"
60
+ git add "$REPORT_PATH"
61
+ git commit -m "Update GitHub code copy scan findings"
62
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
63
+ git push --force-with-lease origin "$BRANCH"
64
+
65
+ existing_pr="$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
66
+ if [ -n "$existing_pr" ]; then
67
+ gh pr edit "$existing_pr" \
68
+ --title "Update GitHub code copy scan findings" \
69
+ --body-file "$REPORT_PATH"
70
+ else
71
+ pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/new/${BRANCH}"
72
+ create_error="$(mktemp)"
73
+ if gh pr create \
74
+ --base main \
75
+ --head "$BRANCH" \
76
+ --title "Update GitHub code copy scan findings" \
77
+ --body-file "$REPORT_PATH" \
78
+ 2>"$create_error"; then
79
+ exit 0
80
+ fi
81
+
82
+ cat "$create_error"
83
+ if grep -q "not permitted to create" "$create_error"; then
84
+ issue_body="$(mktemp)"
85
+ {
86
+ echo "GitHub Actions pushed the code-copy findings branch, but this repository does not permit Actions to create pull requests."
87
+ echo
88
+ echo "Findings branch: https://github.com/${GITHUB_REPOSITORY}/tree/${BRANCH}"
89
+ echo
90
+ echo "Manual pull request URL: ${pr_url}"
91
+ echo
92
+ cat "$REPORT_PATH"
93
+ } > "$issue_body"
94
+
95
+ existing_issue="$(
96
+ gh issue list \
97
+ --state open \
98
+ --search "${ISSUE_TITLE} in:title" \
99
+ --json number,title \
100
+ --jq ".[] | select(.title == \"${ISSUE_TITLE}\") | .number" \
101
+ | head -n 1
102
+ )"
103
+ if [ -n "$existing_issue" ]; then
104
+ gh issue edit "$existing_issue" \
105
+ --title "$ISSUE_TITLE" \
106
+ --body-file "$issue_body"
107
+ issue_url="https://github.com/${GITHUB_REPOSITORY}/issues/${existing_issue}"
108
+ else
109
+ issue_url="$(
110
+ gh issue create \
111
+ --title "$ISSUE_TITLE" \
112
+ --body-file "$issue_body"
113
+ )"
114
+ fi
115
+
116
+ {
117
+ echo "### GitHub code copy scan findings"
118
+ echo
119
+ echo "The findings branch was pushed, but GitHub Actions is not permitted to create pull requests in this repository."
120
+ echo
121
+ echo "Issue: ${issue_url}"
122
+ echo
123
+ echo "Manual pull request URL: ${pr_url}"
124
+ } >> "$GITHUB_STEP_SUMMARY"
125
+ exit 0
126
+ fi
127
+ exit 1
128
+ fi
@@ -0,0 +1,90 @@
1
+ name: Post-release Channel Parity
2
+
3
+ on:
4
+ workflow_run:
5
+ workflows: ["Release"]
6
+ types: [completed]
7
+ workflow_dispatch:
8
+ inputs:
9
+ tag:
10
+ description: Release tag to verify, such as v2.1.1.
11
+ required: true
12
+ observed-json:
13
+ description: URL or repository path for normalized channel observations.
14
+ required: true
15
+
16
+ permissions:
17
+ contents: read
18
+
19
+ jobs:
20
+ verify-release-channels:
21
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
22
+ runs-on: ubuntu-latest
23
+
24
+ steps:
25
+ - name: Check out repository
26
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
27
+ with:
28
+ persist-credentials: false
29
+
30
+ - name: Set up Python
31
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
32
+ with:
33
+ python-version: "3.12"
34
+
35
+ - name: Resolve release parity inputs
36
+ id: release
37
+ env:
38
+ GH_TOKEN: ${{ github.token }}
39
+ INPUT_TAG: ${{ github.event.inputs.tag }}
40
+ INPUT_OBSERVED_JSON: ${{ github.event.inputs.observed-json }}
41
+ RELEASE_CHANNEL_OBSERVATIONS_URL: ${{ vars.RELEASE_CHANNEL_OBSERVATIONS_URL }}
42
+ run: |
43
+ tag="${INPUT_TAG:-}"
44
+ if [ -z "$tag" ]; then
45
+ tag="$(gh release list --limit 1 --json tagName --jq '.[0].tagName')"
46
+ fi
47
+ if [ -z "$tag" ]; then
48
+ echo "Unable to determine the release tag to verify." >&2
49
+ exit 1
50
+ fi
51
+ observed_json="${INPUT_OBSERVED_JSON:-$RELEASE_CHANNEL_OBSERVATIONS_URL}"
52
+ if [ -z "$observed_json" ]; then
53
+ echo "Set workflow input observed-json or repository variable RELEASE_CHANNEL_OBSERVATIONS_URL." >&2
54
+ exit 1
55
+ fi
56
+ echo "tag=$tag" >> "$GITHUB_OUTPUT"
57
+ echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
58
+ echo "observed_json=$observed_json" >> "$GITHUB_OUTPUT"
59
+
60
+ - name: Download release checksums
61
+ env:
62
+ GH_TOKEN: ${{ github.token }}
63
+ RELEASE_TAG: ${{ steps.release.outputs.tag }}
64
+ run: gh release download "$RELEASE_TAG" --pattern SHA256SUMS.txt --repo "$GITHUB_REPOSITORY"
65
+
66
+ - name: Verify channel parity
67
+ env:
68
+ RELEASE_TAG: ${{ steps.release.outputs.tag }}
69
+ RELEASE_VERSION: ${{ steps.release.outputs.version }}
70
+ OBSERVED_JSON: ${{ steps.release.outputs.observed_json }}
71
+ run: |
72
+ python scripts/verify_release_channels.py \
73
+ --expected-version "$RELEASE_VERSION" \
74
+ --tag "$RELEASE_TAG" \
75
+ --expected-checksums SHA256SUMS.txt \
76
+ --required-channel pypi \
77
+ --required-channel github \
78
+ --required-channel snap \
79
+ --required-channel docker \
80
+ --required-channel homebrew \
81
+ --required-channel winget \
82
+ --expected-architecture docker=linux/amd64 \
83
+ --expected-architecture docker=linux/arm64 \
84
+ --expected-architecture docker=linux/arm/v7 \
85
+ --expected-architecture snap=amd64 \
86
+ --expected-architecture snap=arm64 \
87
+ --expected-architecture snap=armhf \
88
+ --expected-architecture github=windows-x86_64 \
89
+ --release-notes-fragment "Published from immutable commit" \
90
+ --observed-json "$OBSERVED_JSON"
@@ -837,6 +837,84 @@ jobs:
837
837
  packages-dir: dist/packages
838
838
  verbose: true
839
839
 
840
+ publish-homebrew-tap:
841
+ needs: publish-pypi
842
+ runs-on: ubuntu-latest
843
+
844
+ steps:
845
+ - name: Check out tagged commit
846
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
847
+ with:
848
+ ref: ${{ github.sha }}
849
+ persist-credentials: false
850
+
851
+ - name: Set up Python
852
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
853
+ with:
854
+ python-version: "3.12"
855
+
856
+ - name: Download build artifacts
857
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
858
+ with:
859
+ name: dist-${{ github.sha }}
860
+ path: dist
861
+
862
+ - name: Export Homebrew tap pins
863
+ run: |
864
+ python scripts/export_homebrew_tap.py \
865
+ --runtime-lock requirements/runtime.lock \
866
+ --build-lock requirements/action.lock \
867
+ --checksums dist/SHA256SUMS.txt \
868
+ --output-dir homebrew-tap-export/trustcheck \
869
+ --tag "$GITHUB_REF_NAME" \
870
+ --source-repository "$GITHUB_REPOSITORY" \
871
+ --source-commit "$GITHUB_SHA" \
872
+ --extra-package setuptools-scm \
873
+ --extra-package wheel
874
+
875
+ - name: Require Homebrew tap token
876
+ env:
877
+ HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN || secrets.RELEASE_TOKEN }}
878
+ run: |
879
+ if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
880
+ echo "Set HOMEBREW_TAP_TOKEN or RELEASE_TOKEN with contents:write access to Halfblood-Prince/homebrew-tap." >&2
881
+ exit 1
882
+ fi
883
+
884
+ - name: Check out Homebrew tap
885
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
886
+ with:
887
+ repository: Halfblood-Prince/homebrew-tap
888
+ ref: main
889
+ token: ${{ secrets.HOMEBREW_TAP_TOKEN || secrets.RELEASE_TOKEN }}
890
+ path: homebrew-tap
891
+ persist-credentials: true
892
+
893
+ - name: Commit Homebrew tap pins
894
+ env:
895
+ RELEASE_TAG: ${{ github.ref_name }}
896
+ run: |
897
+ mkdir -p homebrew-tap/trustcheck
898
+ cp homebrew-tap-export/trustcheck/runtime.lock homebrew-tap/trustcheck/runtime.lock
899
+ cp homebrew-tap-export/trustcheck/resources.rb homebrew-tap/trustcheck/resources.rb
900
+ cp homebrew-tap-export/trustcheck/release.json homebrew-tap/trustcheck/release.json
901
+
902
+ git -C homebrew-tap config user.name "github-actions[bot]"
903
+ git -C homebrew-tap config user.email "41898282+github-actions[bot]@users.noreply.github.com"
904
+ git -C homebrew-tap add trustcheck
905
+ if git -C homebrew-tap diff --cached --quiet; then
906
+ echo "No Homebrew tap pin changes to commit."
907
+ exit 0
908
+ fi
909
+ git -C homebrew-tap commit -m "Update trustcheck Homebrew pins for ${RELEASE_TAG}"
910
+ git -C homebrew-tap push
911
+ {
912
+ echo "## Homebrew tap"
913
+ echo
914
+ echo "- Updated \`Halfblood-Prince/homebrew-tap\` trustcheck pin export for \`${RELEASE_TAG}\`."
915
+ echo "- Wrote \`trustcheck/runtime.lock\`, \`trustcheck/resources.rb\`, and \`trustcheck/release.json\`."
916
+ } >> "$GITHUB_STEP_SUMMARY"
917
+
840
918
  publish-docker:
841
919
  needs:
842
920
  - coverage-build
@@ -852,13 +930,13 @@ jobs:
852
930
  persist-credentials: false
853
931
 
854
932
  - name: Set up QEMU for multi-platform builds
855
- uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
933
+ uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
856
934
 
857
935
  - name: Set up Docker Buildx
858
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
936
+ uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
859
937
 
860
938
  - name: Log in to GitHub Container Registry
861
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
939
+ uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
862
940
  with:
863
941
  registry: ghcr.io
864
942
  username: ${{ github.actor }}
@@ -891,7 +969,7 @@ jobs:
891
969
  } >> "$GITHUB_OUTPUT"
892
970
 
893
971
  - name: Build and publish multi-platform Docker images
894
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
972
+ uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
895
973
  with:
896
974
  context: .
897
975
  file: ./Dockerfile
@@ -935,9 +1013,9 @@ jobs:
935
1013
  append_body: true
936
1014
  body: |
937
1015
  Published from immutable commit `${{ github.sha }}`.
938
- The release workflow publishes PyPI, GitHub Action, Snap Store, and
939
- GHCR Docker distributions after shared tag verification, QA, matrix,
940
- and coverage builds.
1016
+ The release workflow publishes PyPI, GitHub Action, Snap Store,
1017
+ Homebrew tap pins, and GHCR Docker distributions after shared tag
1018
+ verification, QA, matrix, and coverage builds.
941
1019
 
942
1020
  Release artifacts:
943
1021
  - `dist/*`
@@ -58,7 +58,7 @@ jobs:
58
58
  --compare trustcheck-second.sarif
59
59
 
60
60
  - name: Upload SARIF to GitHub code scanning
61
- uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
61
+ uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
62
62
  with:
63
63
  sarif_file: trustcheck-first.sarif
64
64
  category: trustcheck-sarif-integration
@@ -6,14 +6,33 @@ The project follows Semantic Versioning for the supported public API described i
6
6
 
7
7
  ## Unreleased
8
8
 
9
+ ## [2.2.0] - 2026-07-05
10
+
11
+ Package release `2.2.0` emits machine-readable report schema `1.11.0`.
12
+
9
13
  ### Added
10
14
 
11
- - Added calibrated malicious-package heuristic metadata, policy-configurable
15
+ - Added malicious-package heuristic rule metadata, policy-configurable
12
16
  aggregate and per-rule thresholds, and advanced the schema to `1.11.0`.
13
17
  - Added opt-in `--dynamic-analysis` execution in a disposable, no-network,
14
18
  non-root Docker sandbox with CPU, memory, process, and wall-clock limits.
19
+ - Added `trustcheck manifest init|verify|update` for dependency trust
20
+ baselines that block repository, Trusted Publisher, SLSA, provenance,
21
+ index-origin, native-binary, dynamic-execution, and malicious-score
22
+ regressions.
23
+ - Added `trustcheck diff` for lockfile and pull-request trust review across
24
+ changed direct and transitive packages, with text, JSON, Markdown, SARIF,
25
+ Git ref discovery, GitHub PR commenting, and optional trust-manifest
26
+ enforcement.
27
+ - Added `trustcheck doctor`, concise `--summary`/`--decision` report output,
28
+ source/release provenance parity checks, starter policy bundles, and a
29
+ post-release channel parity verifier workflow.
15
30
  - Added a pinned GitHub Dependency Review pull-request gate for vulnerable
16
31
  dependency.
32
+ - Strengthened `scan --fix` to target policy-failing packages, validate the
33
+ generated graph in a clean virtual environment, run
34
+ `[tool.trustcheck.fix].test_commands`, support `requirements.lock`, and write
35
+ a review patch artifact; advanced the remediation schema to `1.3.0`.
17
36
 
18
37
  ### Changed
19
38
 
@@ -24,6 +43,15 @@ The project follows Semantic Versioning for the supported public API described i
24
43
  Sigstore requirements `PyJWT`, `idna`, and `tuf`; the action lockfile still
25
44
  constrains the resolved transitive set.
26
45
 
46
+ ## [2.1.2] - 2026-07-01
47
+
48
+ Package release `2.1.2` emits machine-readable report schema `1.11.0`.
49
+
50
+ ### Changed
51
+
52
+ - Corrected the changelog description for the pinned GitHub Dependency Review
53
+ pull-request gate.
54
+
27
55
  ## [2.1.1] - 2026-06-28
28
56
 
29
57
  Package release `2.1.1` emits machine-readable report schema `1.11.0`.
@@ -244,7 +272,9 @@ Package release `1.9.0` emits machine-readable report schema `1.4.0`.
244
272
  - Aligned the README, documentation site, CLI help, changelog, and JSON contract documentation around the same supported feature set.
245
273
  - Replaced temporary Discord issue and security links with stable GitHub project pages and private vulnerability reporting.
246
274
 
247
- [Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...HEAD
275
+ [Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.2.0...HEAD
276
+ [2.2.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.2...v2.2.0
277
+ [2.1.2]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...v2.1.2
248
278
  [2.1.1]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.0...v2.1.1
249
279
  [2.1.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.0.5...v2.1.0
250
280
  [1.9.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v1.8.0...v1.9.0
@@ -0,0 +1,3 @@
1
+ include scripts/verify_release_version.py
2
+ include scripts/verify_release_channels.py
3
+ include scripts/export_homebrew_tap.py