
Releases: theupdateframework/tuf-on-ci

v0.13.0

02 Sep 08:49
27c49c0
  • Accept usernames without @ in .tuf-on-ci-sign.ini (#415)
  • Add workaround for Sigstore root-signing migration (#422)
  • Dependency updates

v0.12.0

19 Aug 10:52
89d2dad

In addition to dependency updates, this release contains one new (experimental)
repository feature: online signed targets. Updating to this version does not
require any changes to GitHub workflow files.

The online signed targets feature (#75) currently has significant limitations
and may change in the future; see DELEGATION-MANUAL.md for details before
enabling it.

v0.11.0

15 Jul 13:38
95dc66a

This release contains bug fixes, stability fixes and dependency
updates.

Updating to this version does not require any changes to GitHub
workflow files.

Changes

  • Increased the number of root rotations allowed in the TUF client used by
    the test workflow (#377)
  • Versioned root metadata file is now created by the signing event (#352)

Fixes

  • TUF key ids are now updated only when the repository is successfully
    imported (#358)
  • Relative links in published TUF repository state are now correct
    (#354)

v0.10.0

27 May 11:29
a486e2d

This release includes several new features. It also fixes an issue with TUF
keyids, see issue #292. Note that existing keyids are not automatically made
compliant: run tuf-on-ci-delegate --force-compliant-keyids in a signing event
to rewrite them.

GitHub workflows require no changes (but you may want to add a
.github/TUF_ON_CI_TEMPLATE/failure.md file, see below).

Changes

  • Artifact directories can now be up to 5 levels deep (#238)
  • actions: All action requirements are now version pinned (#248)
  • actions: .github/TUF_ON_CI_TEMPLATE/failure.md can now be used to
    define custom content for workflow failure issues (#270)
  • build-repository action: A human readable repository description
    is generated in index.html in the published metadata dir (#313)

Fixes

  • signer: keyid generation was fixed to be specification compliant (#294)
    • A feature was added to fix non-compliant keyids in repositories where
      such keyids are already present (#338)
  • test-repository action: Use a better default artifact-url (#275),
    handle an initial root in more cases (#346)
  • build-repository action: Delegation tree is now used to decide which
    metadata to include in published repo (#344)
  • tuf minimum dependency is now correctly set to 3.1 (#329)
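The keyid fix in this release and the --force-compliant-keyids option above both concern the TUF specification's definition of a KEYID: the hex SHA-256 digest of the canonical JSON form of the key object. The following is an added example, not tuf-on-ci's or python-tuf's own code, of how a maintainer can check a root's "keys" map for keyids that do not match that definition. It implements a minimal canonical JSON encoder itself rather than importing securesystemslib, and the key material and the non-matching keyid are constructed sample values. It does not claim to reproduce the specific defect tracked in #292 or #294, which the release notes do not describe.

```python
"""Check whether the keyids in a TUF root's "keys" map are spec compliant.

Added illustration, not tuf-on-ci's own code. The TUF specification defines
a KEYID as the hex SHA-256 digest of the canonical JSON form of the key
object; this block implements that check against a constructed sample.
"""
import hashlib


def canonical_json(obj) -> str:
    """Minimal canonical JSON as used by TUF: sorted keys, no whitespace,
    only '"' and '\\' escaped in strings, no floats."""
    if obj is True:
        return "true"
    if obj is False:
        return "false"
    if obj is None:
        return "null"
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(canonical_json(x) for x in obj) + "]"
    if isinstance(obj, dict):
        # Metadata keys are strings, so sorting by key is well defined.
        items = sorted(obj.items())
        return "{" + ",".join(canonical_json(k) + ":" + canonical_json(v) for k, v in items) + "}"
    raise TypeError(f"type not allowed in canonical JSON: {type(obj).__name__}")


def compute_keyid(key: dict) -> str:
    """Spec-compliant keyid: sha256 over the canonical JSON of the key object."""
    return hashlib.sha256(canonical_json(key).encode("utf-8")).hexdigest()


def find_noncompliant_keyids(keys: dict) -> dict:
    """Map each keyid in a root "keys" dict that does not equal the digest of
    its own key object to the keyid it should have."""
    return {
        keyid: compute_keyid(key)
        for keyid, key in keys.items()
        if keyid != compute_keyid(key)
    }


# Constructed sample keys: repeated hex bytes, not real public keys.
GOOD_KEY = {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyval": {"public": "a1" * 32},
}
BAD_KEY = {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyval": {"public": "b2" * 32},
}
# A constructed keyid assigned by some other method, so it cannot match.
LEGACY_KEYID = "00" * 32

SAMPLE_ROOT_KEYS = {
    compute_keyid(GOOD_KEY): GOOD_KEY,
    LEGACY_KEYID: BAD_KEY,
}

if __name__ == "__main__":
    for old, new in find_noncompliant_keyids(SAMPLE_ROOT_KEYS).items():
        print(f"non-compliant keyid {old} should be {new}")
```

To run this against a real repository, load root.json, pass its signed["keys"] map to find_noncompliant_keyids, and repeat for each delegating metadata file; any entries it returns are the keyids that --force-compliant-keyids would rewrite, and every delegation that references the old keyid must be updated in the same signing event.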

v0.9.0

05 Apr 06:57
ebf63d4

GitHub Actions users are advised to upgrade for safer dependency
pinning that should avoid breakage in the future.

Changes

  • actions: test-repository action has many additional features (#239)
  • actions: python package versions are now in logs again (#247)
  • signer: Improve signing robustness (#237)
  • Dependency updates (including more strictly pinned securesystemslib)

GitHub Actions upgrade instructions

A plain version bump from 0.8 works: Workflows require no changes.

v0.8.0

27 Mar 10:01
b20b159

GitHub Actions upgrade instructions

A plain version bump from 0.7 works: Workflows require no changes.

Changes

  • Signer now opens PRs in a browser automatically when in non-maintainer signing flow
  • Signer now has runtime version checking: A message is printed out if a new version is available
  • Actions have dependency updates

v0.7.0

26 Feb 13:18
3a44844

Changes

  • Signer has improved signing error handling
  • Custom fields in TargetFile metadata are now preserved during target update
    (this is a workaround mostly for sigstore root-signing legacy artifacts)

Upgrade instructions

A plain version bump from 0.6 works: Workflows require no changes.

v0.6.0

16 Feb 14:39
38e31ce

NOTE: please see upgrade instructions below.

Changes

  • Signing events now happen in GitHub pull requests
  • Signer now probes for the PKCS11 module: configuring it is no longer required, as long as the module is in one of the expected locations.

Upgrade instructions

  • As usual we recommend copying your workflows from https://github.com/theupdateframework/tuf-on-ci-template/.
    • The signing event action no longer needs the issues: write permission, but now requires pull-requests: write
  • Custom token users need to create a new token with the additional permission Pull requests: write
  • Settings->Actions->General->Allow GitHub Actions to create and approve pull requests needs to be enabled in repository settings
    (not required if a custom token is used)
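The permission change above is the one part of this upgrade that a plain version bump will not fix, because the GITHUB_TOKEN scopes are set in the workflow file, not in the action. The fragment below is an added illustration of that change, not a file from tuf-on-ci or tuf-on-ci-template: the action path, pinned version and push trigger are assumptions for the sake of the example and should be taken from the template repository, which is the authoritative source for the workflow.

```yaml
# Added illustration of the 0.6.0 permission change, not a tuf-on-ci file.
# Assumed: action path and trigger; copy the real ones from tuf-on-ci-template.
name: TUF-on-CI signing event

on:
  push:
    branches: ['sign/**']   # assumed trigger

# Deny everything at the workflow level, grant only what the job needs.
permissions: {}

jobs:
  signing-event:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      # Before 0.6.0 signing events were tracked in issues:
      #   issues: write
      # From 0.6.0 signing events are pull requests, so the scope becomes:
      pull-requests: write
    steps:
      - uses: theupdateframework/tuf-on-ci/actions/signing-event@v0.6.0   # assumed path
```

If the repository uses a custom token instead of GITHUB_TOKEN, the pull-requests scope must be granted on that token (as the instructions above say) and the repository setting allowing Actions to create pull requests is then not needed.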

v0.5.0

30 Jan 12:46
4ae5fdf

NOTE: Do not accept a dependabot upgrade, please see upgrade
instructions.

This release contains improved failure handling and testing.

Changes

  • New action test-repository: This new action enables smoke testing
    every published repository with a TUF client.
  • New action update-issue: This action enables automated filing of
    issues when a TUF-on-CI workflow fails

Upgrade instructions

As usual we recommend copying your workflows from
https://github.com/theupdateframework/tuf-on-ci-template/ as there
are a number of changes, including a new reusable workflow.

v0.4.0

23 Jan 09:06
ecbe81a

NOTE: This is a major Actions API break, users should not just accept a Dependabot update but should instead follow upgrade instructions below.

Changes

  • Support for custom GitHub tokens: see [REPOSITORY-MAINTENANCE.md].
  • Uses upload-artifact v4: this means the publish workflow must use download-artifact v4 or deploy-pages v4
  • All commits are now done with "Signed-Off-By"

Upgrade instructions from v0.3.0:

  • We recommend using the workflows from tuf-on-ci-template (or to merge changes from there if you have local changes in your workflows) to ensure workflows stay compatible with the tuf-on-ci actions