Merge branch 'theupdateframework:develop' into switchUrlLib3

.github/workflows/_test.yml

@@ -74,14 +74,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }}
           COVERALLS_PARALLEL: true
-        # Use cp workaround to publish coverage reports with relative paths
-        # FIXME: Consider refactoring the tests to not require the test
-        # aggregation script being invoked from the `tests` directory, so
-        # that `.coverage` is written to and .coveragrc can also reside in
-        # the project root directory as is the convention.
         run: |
-          cp tests/.coverage .
-          coveralls --service=github --rcfile=tests/.coveragerc
+          coveralls --service=github
+
+  all-tests-pass:
+    name: All tests passed
+    needs: [lint-test, tests]
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "All test jobs have completed successfully."
 
   coveralls-fin:
     # Always run when all 'tests' jobs have finished even if they failed

.github/workflows/cd.yml

@@ -36,7 +36,7 @@ jobs:
           awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog
 
       - name: Store build artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: build-artifacts
           path: |
@@ -99,7 +99,7 @@ jobs:
       - name: Publish binary wheel and source tarball on PyPI
         # Only attempt pypi upload in upstream repository
         if: github.repository == 'theupdateframework/python-tuf'
-        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 
       - name: Finalize GitHub release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1

.github/workflows/specification-version-check.yml

@@ -20,7 +20,7 @@ jobs:
           python-version: "3.x"
       - id: get-version
         run: |
-          python3 -m pip install -e .
+          python3 -m pip install -r requirements/pinned.txt
           script="from tuf.api.metadata import SPECIFICATION_VERSION; \
                   print(f\"v{'.'.join(SPECIFICATION_VERSION)}\")"
           ver=$(python3 -c "$script")

docs/CONTRIBUTING.rst

@@ -39,21 +39,18 @@ you need debug/run outside ``tox``.
 Unit tests
 ----------
 
-More specifically, the Update Framework's test suite can be executed by invoking
-the test aggregation script inside the *tests* subdirectory. ``tuf`` and its
-dependencies must already be installed.
+test suite can be executed directly as well (in this case the environment managed by tox is
+not used):
 ::
 
-     cd tests/
-     python3 aggregate_tests.py
+     python3 -m unittest
 
 
 Individual tests can also be executed. Optional ``-v`` flags can be added to
 increase log level up to DEBUG (``-vvvv``).
 ::
 
-     cd tests/
-     python3 test_updater_ng.py -v
+     python3 tests/test_updater_ng.py -v
 
 
 Coverage
@@ -64,8 +61,7 @@ invoked with the ``coverage`` tool (requires installation of ``coverage``, e.g.
 via PyPI).
 ::
 
-     cd tests/
-     coverage run aggregate_tests.py && coverage report
+     coverage run -m unittest
 
 
 Auto-formatting

docs/INSTALLATION.rst

@@ -25,14 +25,13 @@ algorithms, and more performant backends. Opt-in is available via
 
 .. note::
 
-   Please consult with underlying crypto backend installation docs --
-   `cryptography <https://cryptography.io/en/latest/installation/>`_ and
-   `pynacl <https://pynacl.readthedocs.io/en/latest/install/>`_  --
+   Please consult with underlying crypto backend installation docs. e.g.
+   `cryptography <https://cryptography.io/en/latest/installation/>`_
    for possible system dependencies.
 
 ::
 
-   python3 -m pip securesystemslib[crypto,pynacl] tuf
+   python3 -m pip securesystemslib[crypto] tuf
 
 
 Install for development

pyproject.toml

@@ -70,11 +70,6 @@ include = [
   "/setup.py",
 ]
 
-[tool.hatch.build.targets.wheel]
-# The testing phase changes the current working directory to `tests` but the test scripts import
-# from `tests` so the root directory must be added to Python's path for editable installations
-dev-mode-dirs = ["."]
-
 # Ruff section
 # Read more here: https://docs.astral.sh/ruff/linter/#rule-selection
 [tool.ruff]
@@ -158,4 +153,7 @@ exclude_also = [
     "raise AssertionError",
     # imports for mypy only
     "if TYPE_CHECKING",
-]
+]
+[tool.coverage.run]
+branch = true
+omit = [ "tests/*" ]

requirements/build.txt

@@ -2,4 +2,4 @@
 # during CI and CD Github workflows
 build==1.2.2.post1
 tox==4.1.2
-hatchling==1.26.3
+hatchling==1.27.0

requirements/dev.txt

@@ -1,8 +1,3 @@
-# Install tuf in editable mode and requirements for local testing with tox,
-# and also for running test suite or individual tests manually.
-# The build and tox versions specified here are also used as constraints
-# during CI and CD Github workflows
 -r build.txt
 -r test.txt
 -r lint.txt
--e .

requirements/lint.txt

@@ -6,8 +6,8 @@
 # Lint tools
 # (We are not so interested in the specific versions of the tools: the versions
 # are pinned to prevent unexpected linting failures when tools update)
-ruff==0.8.2
-mypy==1.13.0
+ruff==0.9.3
+mypy==1.14.1
 
 # Required for type stubs
 freezegun==1.5.1

requirements/main.txt

@@ -6,5 +6,5 @@
 # 'pinned.txt' is updated on GitHub with Dependabot, which
 # triggers CI/CD builds to automatically test against updated dependencies.
 #
-securesystemslib[crypto, pynacl]
+securesystemslib[crypto]
 requests

requirements/pinned.txt

@@ -1,10 +1,24 @@
-certifi==2024.8.30        # via requests
-cffi==1.17.1              # via cryptography, pynacl
-charset-normalizer==3.4.0 # via requests
-cryptography==44.0.0      # via securesystemslib
-idna==3.10                 # via requests
-pycparser==2.22           # via cffi
-pynacl==1.5.0             # via securesystemslib
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --output-file=requirements/pinned.txt --strip-extras requirements/main.txt
+#
+certifi==2024.12.14
+    # via requests
+cffi==1.17.1
+    # via cryptography
+charset-normalizer==3.4.1
+    # via requests
+cryptography==44.0.0
+    # via securesystemslib
+idna==3.10
+    # via requests
+pycparser==2.22
+    # via cffi
 requests==2.32.3
-securesystemslib[crypto,pynacl]==1.2.0
-urllib3==2.2.3           # via requests
+    # via -r requirements/main.txt
+securesystemslib==1.2.0
+    # via -r requirements/main.txt
+urllib3==2.3.0
+    # via requests

requirements/test.txt

@@ -4,5 +4,5 @@
 -r pinned.txt
 
 # coverage measurement
-coverage[toml]==7.6.9
+coverage[toml]==7.6.10
 freezegun==1.5.1

tests/generated_data/generate_md.py

@@ -56,9 +56,6 @@
     signers.append(CryptoSigner(private_key, key))
 
 EXPIRY = datetime(2050, 1, 1, tzinfo=timezone.utc)
-OUT_DIR = "generated_data/ed25519_metadata"
-if not os.path.exists(OUT_DIR):
-    os.mkdir(OUT_DIR)
 
 SERIALIZER = JSONSerializer()
 
@@ -80,15 +77,13 @@ def verify_generation(md: Metadata, path: str) -> None:
             )
 
 
-def generate_all_files(
-    dump: bool | None = False, verify: bool | None = False
-) -> None:
-    """Generate a new repository and optionally verify it.
+def generate_all_files(dump: bool = False) -> None:
+    """Generate a new repository or verify that output has not changed.
 
     Args:
-        dump: Wheter to dump the newly generated files.
-        verify: Whether to verify the newly generated files with the
-            local staored.
+        dump: If True, new files are generated. If False, existing files
+           are compared to generated files and an exception is raised if
+           there are differences.
     """
     md_root = Metadata(Root(expires=EXPIRY))
     md_timestamp = Metadata(Timestamp(expires=EXPIRY))
@@ -103,12 +98,16 @@ def generate_all_files(
     for i, md in enumerate([md_root, md_timestamp, md_snapshot, md_targets]):
         assert isinstance(md, Metadata)
         md.sign(signers[i])
-        path = os.path.join(OUT_DIR, f"{md.signed.type}_with_ed25519.json")
-        if verify:
-            verify_generation(md, path)
-
+        path = os.path.join(
+            utils.TESTS_DIR,
+            "generated_data",
+            "ed25519_metadata",
+            f"{md.signed.type}_with_ed25519.json",
+        )
         if dump:
             md.to_file(path, SERIALIZER)
+        else:
+            verify_generation(md, path)
 
 
 if __name__ == "__main__":