Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: theupdateframework/go-tuf
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.4.1
Choose a base ref
...
head repository: theupdateframework/go-tuf
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.4.2
Choose a head ref
  • 7 commits
  • 9 files changed
  • 3 contributors

Commits on Jan 26, 2026

  1. Do not allow empty hashes for the Target role (#721) 

    Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
    @rdimitrov
    rdimitrov authored Jan 26, 2026
    Configuration menu
    Copy the full SHA
    17b4808 View commit details
    Browse the repository at this point in the history

Commits on Apr 6, 2026

  1. Decouple CI Go version from module minimum (#726) 

    * go.mod: use toolchain directive to decouple CI version from minimum

See also: #722

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* ci: test against oldstable and stable Go versions

Add a Go version matrix to the test workflow using the oldstable and
stable aliases from actions/setup-go. This validates compatibility
across the two most recent Go release series without hardcoding
versions or requiring manual updates.

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* Drop specifying the toolchain

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* Bump golangci-lint

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

---------

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
    @rdimitrov
    rdimitrov authored Apr 6, 2026
    Configuration menu
    Copy the full SHA
    fa94ec0 View commit details
    Browse the repository at this point in the history

Commits on Apr 7, 2026

  1. chore(deps): bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 (#… 

    …727)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.4 to 1.10.5.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Radoslav Dimitrov <radoslav@stacklok.com>
    @dependabot @rdimitrov
    dependabot[bot] and rdimitrov authored Apr 7, 2026
    Configuration menu
    Copy the full SHA
    7e8f69f View commit details
    Browse the repository at this point in the history

Commits on Apr 27, 2026

  1. chore(deps): bump github.com/secure-systems-lab/go-securesystemslib f… 

    …rom 0.10.0 to 0.11.0 (#729)

chore(deps): bump github.com/secure-systems-lab/go-securesystemslib

Bumps [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases)
- [Commits](secure-systems-lab/go-securesystemslib@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/secure-systems-lab/go-securesystemslib
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Apr 27, 2026
    Configuration menu
    Copy the full SHA
    a5a1273 View commit details
    Browse the repository at this point in the history

Commits on May 15, 2026

  1. Fix log line to not be fmt-styled (#730) 

    We've been seeing `Failed to verify %s with key ID %s` a bunch in the logs from a service of ours that's consuming a TUF root, and it's a bit confusing to see what appears to be a `fmt`-style line that isn't actually `fmt`ed. This PR changes that `log.Info` call to work like the one a bit below it for when a key ID is verified for the role.

Signed-off-by: Andrew Bayer <andrew.bayer@gmail.com>
    @abayer
    abayer authored May 15, 2026
    Configuration menu
    Copy the full SHA
    45e0a1f View commit details
    Browse the repository at this point in the history

Commits on May 19, 2026

  1. chore(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#… 

    …732)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.5 to 1.10.6.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored May 19, 2026
    Configuration menu
    Copy the full SHA
    2800c0a View commit details
    Browse the repository at this point in the history

  2. Fix threshold counting for duplicate public keys (#733) 

    Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
    @rdimitrov
    rdimitrov authored May 19, 2026
    Configuration menu
    Copy the full SHA
    f5edbde View commit details
    Browse the repository at this point in the history
Loading