This is an automated email from the ASF dual-hosted git repository.
arm pushed a change to branch promote_gha
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
discard 2b0973b8 #344 - added some extra information
discard 0e1b3dd5 #344 - starter for instructions on how to upload via GitHub
Actions. Needs committee filtering.
add 12eb4199 Add check clean to Makefile for cleaning pre-commit cache
add f994f843 #283: Add admin ID to session metadata and include in log and
audit log kwargs
add 58dfcad9 #283: Make sure original admin ID is preserved across
multiple masquerades
add 5e3e5258 Use LDAP to construct a session when browsing as another user
add c501f895 Add a task that reads GitHub Trusted Publishing payloads
add d2664b59 Update dependencies and fix lint errors
add 1f854244 Clone source from GitHub in the task to compare source trees
add 9ab62964 Add performance measurement for cloning GitHub repositories
add a2684f0f Check out GitHub trees to a subdirectory of a temporary
directory
add f50e425a Add unit tests for the tree comparison check
add 1e01d756 Check out GitHub trees by commit, not branch
add 77a47ec2 Extract archives for comparison with GitHub trees
add 342cefb0 Use rsync to compare GitHub trees with extracted archives
add 3a87cc4d Add some make targets for easier testing
add 6440e1b8 Account for a root directory within extracted archives
add 499e88d1 Detect only content changes in tree comparisons
add a03767c8 Allow PKG-INFO files in Python source archives
add b4d000e7 Make comparison logging less verbose
add 55b2da82 Convert all check warnings to errors
add 0f914c20 Add a blocking check result status
add 106a01c2 Integrate blocking check results into the user interface
add 3ac84a26 Change incontrovertible check results from failure to blocking
add 16257b03 Make an e2e test more reliable
add 0f765ac1 Rename blocking to blocker and improve the user interface
add 0b184a6c Link check result names to the corresponding JSON data
add 47ffcf82 Disallow starting a vote when there are check result blockers
add 31e07c49 Record relative rather than absolute paths in RAT check
results
add 34c625a3 Update one of the lint dependencies
add dadfe864 Document project policy inputs to checks
add f197ca34 Reduce the duration of JWTs from 90 minutes to 30 minutes
add 2b4ad72b Add a template checker script and include it in lints
add 6fd6e443 Document how to become a project that can use Trusted
Publishing
add c65332d8 Fix a few problems in the script to check templates
add 32182b93 Fix a few style issues
add 38ba32a3 Fix unparenthesized subexpressions in all scripts
add d9b97c94 Move auth buttons (#634)
add 5bba5c97 Adjustments to topnav
add 6ce22c06 Document ADMIN_USERS_ADDITIONAL
add 51fa871d Lint fix
add 65a35465 Markdown lint fix
add 49bb08ce #601: Add URL encoding safety for URLs currently using
f-strings
add e2663ddc Rearrange admin menu
add 63ff3a6f Use base-admin layout
add 7a75ab01 Tighten up banner css
add 5b8a282d Add an extra file of attestable JSON data mapping paths to
hashes
add 881a3eee Add a function to construct a mapping of paths to inodes, and
tests
add 5b874ed2 Compute attestable metadata before starting a database
transaction
add c777bb48 Add a merge module to automatically resolve conflicts between
revisions
add 517b7bd8 Resolve conflicts during revision creation, and add a
corresponding test
add 66e9321c Fix a problem with e2e tests
add 08edc8ac Improve the validation of filenames, paths, and relative paths
add 6de01e2c Focus pip-audit on the relevant dependencies
add d71388dc Update dependencies, including avoiding CVE-2026-26007
add 94964c67 Display the ATR classifications of uploaded files
add 665533bd Bump actions/cache from 5.0.2 to 5.0.3
add 2e723416 Make the existence of certain disallowed file types blocking
add 209816de Add a module for file classification and use it
add 1f756ffe Classify CycloneDX JSON SBOM files correctly as metadata
add 12ff090f Propagate file upload errors through to the user interface
add e19e41af Compute the path to the corresponding artifact for SBOM files
correctly
add 9e286de6 Do not run further path checks after a file is found to be
disallowed
add ec267b80 Style files with blocking check results more consistently
add e71802b4 Ignore spurious CodeQL warnings about file permissions
add e9ed2a37 ASVS L1 - Validate referrer in redirect in admin toggle-view
add 81b4f612 add API and link to svn:dist area (#648)
add 929a8c3b link to svn:dist, not any svn (#650)
add 0ec0992c Add the arm branch to QA workflows
add beb2a2a8 Update check caching to use hash keys of inputs
add 61001c81 clarify: svn:dist not done by ATR yet (#649)
add 62d14ea6 Update warning banner text in base.html
add 24f891be Fix scheduling bug in distribution status check
add bc8d8531 Adjust alpha 2 banner message
add a0927d24 Add nbf claim to JWTs. Closes #675.
add ff331509 Reject "dangerous" JWT headers. Closes #673.
add 0c467bb2 Add LDAP validation to ASF sender IDs. Closes #654.
add 0f0e72fa Remove unverified_header_and_payload function as unused.
Closes #672.
add 7406bb29 Validate LDAP account of the initiating user when a task is
started. Closes #663.
add 1e306a6f Update dependencies and fix new lint errors
add 32f4ee3b Check for running tasks as well as completed checks when
using cache keys
add 7028236b Skip LDAP checks in development environments too
add 9847de95 Remove unused data from a committer data verification
add b714fc98 Update a comment in the function to browse as another user
add f9410802 Update dependencies
add e6887dac Add a continuation passing style version of the method to
create a revision
add 96397103 Migrate revision creators that clone without modifications
add a5745c15 Migrate revision creators that modify existing files
add 32d79d70 Make compose phase tests less fragile
add b576d354 Migrate revision creators that add new files
add 5581675a Fix some code style problems
add 83e7d6c9 Migrate the revision creator that clones from a specific
revision
add 5e8f907b Migrate revision creators that modify metadata
add bb8d5627 Fix some problems with e2e tests
add f4faa08a Migrate a test route to use the new revision creation code
add 7f5b0c63 Remove the deprecated context manager to create a new revision
add 4ec8b5a8 Pin Syft version in Dockerfile
add eb5b199a Fix typo in log message. Closes #669.
add ad085680 Assure debug mode is only set in development
add f653b3fb Redact sensitive configurations
add 0436a74e Add configuration to admin menu
add 682d99b8 pubsub url is https only closes #685
add 369109e6 Block SCM directories
add 921c41df Add dot file check
add d434f574 Set stricter permissions on all directories in revisions
add bb72770d Rebuild JavaScript files
add 5d3140b0 Fix the encoding of JSON data in the form to move files
add f60da54d Update dependencies
add 030b4fc3 Use the intersection of algorithms from asyncssh and ssh-audit
add a0cb5cd6 Return 404 when project is unknown in api endpoint call
add 32550b7e Introduce ATR_STATUS and control recipient lists
add 141036f3 Bump astral-sh/setup-uv from 7.2.0 to 7.3.0
add 731a2962 Check for banned ASF accounts in more places
add 48078cc5 Document the use of safe Markdown to HTML rendering in
cmarkgfm
add e693c2da Keep a strict subset of GitHub OIDC payloads
add 7281bdce Use asfquart main, as it now supports maximum session
lifetimes
add 8fdb8c21 Manual PAT removal; fixes #598
add fa00a7ba Strengthen a couple of authorisation patterns
add f4d7dd38 Improve curl download scripting
add 5e288b2d Set CodeQL to ignore permissions because ATR release data is
public
add 46e8fadf Remove check for task running and add unique constraint, for
which we try to catch the IntegrityError. Include in playwright tests and don't
use revision number to filter individual check results.
add ca1db4ae Change attestable hashes to dict and reuse to resolve TOCTOU
of check result. Use attestable hashes for check reports. Add version to cache
key. Add file hash to hash and signature check and github SHA to source_tree.
add ffd5e8fe Move github model into general models out of SBOM models
add 21042a35 Remove cache ignore logic since we can't have an empty cache
key now. Add policy dependencies to license and RAT checks. Enable local/global
caching switch. Fix bug with task list.
add 9b963ade Refactor check get logic to a shared method and remove some
extra places where we still used release_name or version. Remove bulk-delete of
check results. Update documentation.
add 9e18e43e #725 - make sure failures are logged from PAT failure and
they include the user
add efc597e4 Add a database model for the quarantined upload phase
add e68a272c Refactor Dockerfile to streamline Apache RAT installation
add 1354f7ab Fix a problem with the download script
add 731b389a Add the quarantined directory and tests
add ece6e9d4 Fix more function ordering by improving the order fixing
script
add 7a828f68 #695 - remove SVN Release from SVN form. Also add support for
Njord bundle as a filetype and project property for file tagging spec
add fc1868b2 Add tighter rate limit to /distribute/ssh/register to match
/ssh/register. Update docs on some other endpoints. Closes #724.
add 4ca6056d #720 - Ensure paths are relative to the revision path.
add bc3f4f19 Detect which files need to be quarantined
add e8ea2fea #641 - some initial migrations out of the util module for
paths and hash calculation.
add 98584f0c Fix some e2e tests for checks
add b96895d6 Add some simple archive checks for quarantined file validation
add 5db7392a Add missing parentheses
add 7cac7526 Explicit ldap tls configuration (#755)
add df9462aa Fix a problem with rendering information about checks
add 70cdb2a2 Temporarily allow .gitkeep release files throughout
add 4862aec0 Fix import
add 9003b050 Separate the code to finalise a revision
add ac1ff3c0 Add taint tracking types to get endpoints
add 35c6670f Add taint tracking types to post endpoints
add f06f2df5 Validate session by type instead of name, and _ prefix unused
sessions
add c0900cf5 Add a task to validate quarantined files and reject or
promote them
add d88c4b0f Skip files that use overloads when fixing function order
add fa010e35 Fix function ordering
add cb5071f6 Fix auth bypass for admin via exceptions
add 1bc9ee14 Proper pagination validation checks
add 219d64af OF - fix typo
add de57ce15 Change data models to Subset instead of Lax - closes #777
new a90dbf86 #344 - starter for instructions on how to upload via GitHub
Actions. Needs committee filtering.
new 2b0b4147 #344 - added some extra information
This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version. This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:
 * -- * -- B -- O -- O -- O (2b0973b8)
            \
             N -- N -- N refs/heads/promote_gha (2b0b4147)
You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.
Any revisions marked "omit" are not gone; other references still
refer to them. Any revisions marked "discard" are gone forever.
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.github/workflows/analyze.yml | 6 +-
.github/workflows/build.yml | 6 +-
.github/workflows/codeql.yaml | 2 +-
.pre-commit-config.yaml | 18 +-
Dockerfile.alpine | 26 +-
Makefile | 20 +-
atr/admin/__init__.py | 268 +++---
atr/admin/templates/all-releases.html | 2 +-
atr/admin/templates/delete-release.html | 2 +-
atr/admin/templates/revoke-user-tokens.html | 48 +
atr/admin/templates/validation.html | 2 +-
atr/analysis.py | 28 +
atr/api/__init__.py | 69 +-
atr/archives.py | 74 +-
atr/attestable.py | 195 ++++-
atr/blueprints/common.py | 175 ++++
atr/blueprints/get.py | 97 +-
atr/blueprints/post.py | 209 ++---
atr/cache.py | 62 ++
atr/classify.py | 54 ++
atr/config.py | 1 +
atr/construct.py | 5 +-
atr/datasources/apache.py | 22 +-
atr/db/__init__.py | 62 +-
atr/db/interaction.py | 81 +-
atr/detection.py | 95 ++
atr/docs/authentication-security.md | 7 +-
atr/docs/authorization-security.md | 6 +
atr/docs/check-ignores.md | 2 +-
atr/docs/checks.md | 44 +-
atr/docs/code-conventions.md | 16 +
atr/docs/index.md | 1 +
atr/docs/input-validation.md | 2 +
atr/docs/running-the-server.md | 9 +-
atr/docs/tasks.md | 2 +-
atr/docs/trusted-publishing.md | 67 ++
atr/docs/user-guide.md | 1 +
atr/docs/user-interface.md | 18 +-
atr/form.py | 60 +-
atr/get/__init__.py | 2 +
atr/get/announce.py | 41 +-
atr/get/checklist.py | 25 +-
atr/get/checks.py | 91 +-
atr/get/committees.py | 17 +-
atr/get/compose.py | 23 +-
atr/get/distribution.py | 110 ++-
atr/get/docs.py | 12 +-
atr/get/download.py | 121 ++-
atr/get/draft.py | 41 +-
atr/get/file.py | 52 +-
atr/get/finish.py | 49 +-
atr/get/ignores.py | 20 +-
atr/get/keys.py | 57 +-
atr/get/manual.py | 42 +-
atr/get/projects.py | 43 +-
atr/get/published.py | 27 +-
atr/get/ref.py | 23 +-
atr/get/release.py | 39 +-
atr/get/report.py | 42 +-
atr/get/result.py | 64 ++
atr/get/revisions.py | 29 +-
atr/get/root.py | 45 +-
atr/get/sbom.py | 31 +-
atr/get/start.py | 14 +-
atr/get/test.py | 110 ++-
atr/get/tokens.py | 9 +-
atr/get/upload.py | 39 +-
atr/get/user.py | 9 +-
atr/get/vote.py | 21 +-
atr/get/voting.py | 37 +-
atr/hashes.py | 69 ++
atr/jwtoken.py | 39 +-
atr/ldap.py | 23 +-
atr/log.py | 47 +-
atr/merge.py | 256 ++++++
atr/models/__init__.py | 16 +-
atr/models/attestable.py | 19 +-
atr/models/distribution.py | 28 +-
atr/{tasks/task.py => models/github.py} | 47 +-
atr/models/safe.py | 62 ++
atr/models/schema.py | 4 +
atr/models/sql.py | 115 ++-
atr/models/tabulate.py | 58 +-
atr/{sbom/models/bundle.py => models/unsafe.py} | 22 +-
atr/paths.py | 131 +++
atr/post/announce.py | 44 +-
atr/post/distribution.py | 91 +-
atr/post/draft.py | 266 +++---
atr/post/finish.py | 23 +-
atr/post/ignores.py | 22 +-
atr/post/keys.py | 93 +-
atr/post/manual.py | 63 +-
atr/post/projects.py | 74 +-
atr/post/resolve.py | 21 +-
atr/post/revisions.py | 37 +-
atr/post/sbom.py | 38 +-
atr/post/start.py | 22 +-
atr/post/test.py | 48 +-
atr/post/tokens.py | 21 +-
atr/post/upload.py | 87 +-
atr/post/user.py | 11 +-
atr/post/vote.py | 21 +-
atr/post/voting.py | 59 +-
atr/principal.py | 34 +-
atr/registry.py | 2 +-
atr/sbom/osv.py | 36 +-
atr/sbom/tool.py | 42 +-
atr/sbom/utilities.py | 54 +-
atr/server.py | 49 +-
atr/shared/upload.py | 12 +-
atr/shared/web.py | 60 +-
atr/ssh.py | 52 +-
atr/static/css/atr.css | 52 +-
atr/static/js/src/report-results.js | 21 +-
atr/static/js/src/upload-progress.js | 12 +-
atr/static/js/ts/create-a-jwt.js | 18 +
atr/static/js/ts/create-a-jwt.js.map | 2 +-
atr/static/js/ts/finish-selected-move.js | 18 +
atr/static/js/ts/finish-selected-move.js.map | 2 +-
atr/static/sh/download-urls.sh | 5 +-
atr/storage/__init__.py | 62 +-
atr/storage/readers/checks.py | 14 +-
atr/storage/readers/releases.py | 70 +-
atr/storage/types.py | 17 +-
atr/storage/writers/announce.py | 13 +-
atr/storage/writers/checks.py | 14 +-
atr/storage/writers/keys.py | 21 +-
atr/storage/writers/policy.py | 18 +-
atr/storage/writers/release.py | 220 +++--
atr/storage/writers/revision.py | 271 ++++--
atr/storage/writers/sbom.py | 11 +-
atr/storage/writers/tokens.py | 48 +
atr/storage/writers/vote.py | 15 +-
atr/svn/__init__.py | 80 +-
atr/svn/pubsub.py | 4 +-
atr/tasks/__init__.py | 370 ++++++--
atr/tasks/checks/__init__.py | 304 ++++---
atr/tasks/checks/compare.py | 407 +++++++++
atr/tasks/checks/hashing.py | 8 +-
atr/tasks/checks/license.py | 28 +-
atr/tasks/checks/paths.py | 110 ++-
atr/tasks/checks/rat.py | 13 +-
atr/tasks/checks/signature.py | 13 +-
atr/tasks/checks/targz.py | 15 +-
atr/tasks/checks/zipformat.py | 13 +-
atr/tasks/distribution.py | 15 +-
atr/tasks/gha.py | 135 ++-
atr/tasks/message.py | 7 +
atr/tasks/quarantine.py | 214 +++++
atr/tasks/sbom.py | 134 +--
atr/tasks/svn.py | 27 +-
atr/template.py | 6 +-
atr/templates/about.html | 33 +-
atr/templates/check-selected-path-table.html | 49 +-
atr/templates/check-selected-release-info.html | 30 +-
atr/templates/check-selected.html | 32 +-
atr/templates/committee-directory.html | 4 +-
atr/templates/committee-view.html | 2 +-
atr/templates/download-all.html | 2 +-
atr/templates/includes/topnav.html | 143 +--
atr/templates/index-committer.html | 2 +-
atr/templates/layouts/base.html | 2 +-
atr/templates/projects.html | 4 +-
atr/templates/report-selected-path.html | 41 +-
atr/util.py | 296 ++++---
atr/validate.py | 78 +-
atr/web.py | 8 +-
atr/worker.py | 16 +
codeql-config.yml | 4 +
.../0048_2026.02.06_blocking_to_blocker.py | 25 +
migrations/versions/0049_2026.02.11_5b874ed2.py | 37 +
migrations/versions/0050_2026.02.17_7406bb29.py | 29 +
migrations/versions/0051_2026.02.17_12ac0c6b.py | 28 +
migrations/versions/0052_2026.02.20_96e1972f.py | 33 +
migrations/versions/0053_2026.02.23_5e288b2d.py | 59 ++
playwright/test.py | 58 +-
pyproject.toml | 5 +-
requirements-for-pip-audit.txt | 382 ++++++++
scripts/check_models_imports.py | 4 +-
scripts/check_templates.py | 258 ++++++
scripts/docs_post_process.py | 4 +-
scripts/fix_order.py | 43 +-
scripts/fix_order.sh | 3 +-
scripts/github_tag_dates.py | 2 +-
scripts/interface_privacy.py | 2 +-
scripts/markup_strings.py | 2 +-
{atr => tests/e2e/admin}/__init__.py | 0
tests/e2e/{tokens => admin}/conftest.py | 21 +-
tests/e2e/{tokens => admin}/helpers.py | 23 +-
tests/e2e/admin/test_revoke_tokens.py | 137 +++
tests/e2e/announce/conftest.py | 18 +-
tests/e2e/announce/test_get.py | 13 +
tests/e2e/committees/test_get.py | 22 +-
tests/e2e/compose/conftest.py | 8 +-
tests/e2e/compose/test_get.py | 61 +-
{atr => tests/e2e/merge}/__init__.py | 0
tests/e2e/{committees => merge}/conftest.py | 27 +-
.../version.py => tests/e2e/merge/helpers.py | 5 +-
tests/e2e/{root/conftest.py => merge/test_get.py} | 31 +-
tests/e2e/report/conftest.py | 8 +-
tests/e2e/root/conftest.py | 14 +-
tests/e2e/root/test_get.py | 10 +-
tests/e2e/sbom/conftest.py | 6 +-
tests/e2e/sbom/test_post.py | 2 +-
.../e2e/test_files/apache-test-0.2.tar.gz.asc | 0
tests/e2e/test_files/apache-test-0.2.tar.gz.sha512 | 1 +
tests/e2e/vote/conftest.py | 8 +-
tests/e2e/voting/conftest.py | 8 +-
tests/run-e2e.sh | 4 +-
tests/unit/recorders.py | 24 +-
tests/unit/test_archive_root_variants.py | 74 +-
tests/unit/test_attestable.py | 71 ++
tests/unit/test_checks_compare.py | 975 +++++++++++++++++++++
tests/unit/test_create_revision.py | 281 ++++++
tests/unit/test_detection.py | 309 +++++++
tests/unit/test_mail.py | 26 +-
tests/unit/test_merge.py | 412 +++++++++
tests/unit/test_message.py | 111 +++
tests/unit/test_paths.py | 45 +
tests/unit/test_quarantine_task.py | 312 +++++++
tests/unit/test_stat_tree.py | 61 ++
tests/unit/test_util.py | 13 +
uv.lock | 379 ++++----
223 files changed, 10517 insertions(+), 3017 deletions(-)
create mode 100644 atr/admin/templates/revoke-user-tokens.html
create mode 100644 atr/blueprints/common.py
create mode 100644 atr/classify.py
create mode 100644 atr/docs/trusted-publishing.md
create mode 100644 atr/get/result.py
create mode 100644 atr/hashes.py
create mode 100644 atr/merge.py
copy atr/{tasks/task.py => models/github.py} (56%)
create mode 100644 atr/models/safe.py
copy atr/{sbom/models/bundle.py => models/unsafe.py} (71%)
create mode 100644 atr/paths.py
create mode 100644 atr/tasks/checks/compare.py
create mode 100644 atr/tasks/quarantine.py
create mode 100644 migrations/versions/0048_2026.02.06_blocking_to_blocker.py
create mode 100644 migrations/versions/0049_2026.02.11_5b874ed2.py
create mode 100644 migrations/versions/0050_2026.02.17_7406bb29.py
create mode 100644 migrations/versions/0051_2026.02.17_12ac0c6b.py
create mode 100644 migrations/versions/0052_2026.02.20_96e1972f.py
create mode 100644 migrations/versions/0053_2026.02.23_5e288b2d.py
create mode 100644 requirements-for-pip-audit.txt
create mode 100755 scripts/check_templates.py
copy {atr => tests/e2e/admin}/__init__.py (100%)
copy tests/e2e/{tokens => admin}/conftest.py (58%)
copy tests/e2e/{tokens => admin}/helpers.py (55%)
create mode 100644 tests/e2e/admin/test_revoke_tokens.py
copy {atr => tests/e2e/merge}/__init__.py (100%)
copy tests/e2e/{committees => merge}/conftest.py (65%)
copy atr/sbom/constants/version.py => tests/e2e/merge/helpers.py (91%)
copy tests/e2e/{root/conftest.py => merge/test_get.py} (66%)
copy atr/py.typed => tests/e2e/test_files/apache-test-0.2.tar.gz.asc (100%)
create mode 100644 tests/e2e/test_files/apache-test-0.2.tar.gz.sha512
create mode 100644 tests/unit/test_attestable.py
create mode 100644 tests/unit/test_checks_compare.py
create mode 100644 tests/unit/test_create_revision.py
create mode 100644 tests/unit/test_detection.py
create mode 100644 tests/unit/test_merge.py
create mode 100644 tests/unit/test_message.py
create mode 100644 tests/unit/test_paths.py
create mode 100644 tests/unit/test_quarantine_task.py
create mode 100644 tests/unit/test_stat_tree.py