.github/dependabot.yml

@@ -17,6 +17,7 @@ updates:
         - "ruff"
         - "coverage"
         - "mypy"
+        - "zizmor"
     dependencies:
       # Python (developer) runtime dependencies. Also any new dependencies not
       # caught by earlier groups

.github/workflows/_test.yml

@@ -16,6 +16,7 @@ jobs:
         include:
           # Run macOS tests on 3.9 (current OS X python) and latest,
           # Run Windows and "special" tests on latest Python version only
+          # Run linter on oldest supported Python
           - python-version: "3.9"
             os: macos-latest
             toxenv: py
@@ -34,7 +35,7 @@ jobs:
           - python-version: "3.13"
             os: ubuntu-latest
             toxenv: py-test-gpg-fails
-          - python-version: "3.13"
+          - python-version: "3.9"
             os: ubuntu-latest
             toxenv: lint
 
@@ -43,9 +44,11 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
@@ -81,3 +84,10 @@ jobs:
 
       - name: Run tox
         run: tox -e ${{ matrix.toxenv }}
+
+  summary:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: All tests completed
+        run: echo "All matrix jobs have completed successfully."

.github/workflows/cd.yml

@@ -21,21 +21,22 @@ jobs:
       - name: Checkout release tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           ref: ${{ github.event.workflow_run.head_branch }}
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: '3.x'
 
       - name: Install build dependency
         run: python3 -m pip install --constraint requirements-build.txt build
 
       - name: Build binary wheel and source tarball
-        run: PIP_CONSTRAINT=requirements-build.txt python3 -m build --sdist --wheel --outdir dist/ .
+        run: python3 -m build --sdist --wheel --outdir dist/ .
 
       - name: Store build artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         # NOTE: The GitHub release page contains the release artifacts too, but using
         # GitHub upload/download actions seems robuster: there is no need to compute
         # download URLs and tampering with artifacts between jobs is more limited.
@@ -53,7 +54,7 @@ jobs:
       release_id: ${{ steps.gh-release.outputs.result }}
     steps:
       - name: Fetch build artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: build-artifacts
           path: dist
@@ -67,8 +68,8 @@ jobs:
             res = await github.rest.repos.createRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              name: '${{ github.ref_name }}-rc',
-              tag_name: '${{ github.ref }}',
+              name: process.env.REF_NAME + '-rc',
+              tag_name: process.env.REF,
               body: 'Release waiting for review...',
             });
 
@@ -82,6 +83,10 @@ jobs:
               });
             });
             return res.data.id
+        env:
+          REF_NAME: ${{ github.ref_name }}
+          REF: ${{ github.ref }}
+
 
   release:
     name: Release
@@ -93,26 +98,28 @@ jobs:
       id-token: write # to authenticate as Trusted Publisher to pypi.org
     steps:
       - name: Fetch build artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: build-artifacts
           path: dist
 
       - name: Publish binary wheel and source tarball on PyPI
         # Only attempt pypi upload in upstream repository
         if: github.repository == 'secure-systems-lab/securesystemslib'
-        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 
       - name: Finalize GitHub release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection]
             github.rest.repos.updateRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
               release_id: '${{ needs.candidate_release.outputs.release_id }}',
-              name: '${{ github.ref_name }}',
+              name: process.env.REF_NAME,
               body: 'See [CHANGELOG.md](https://github.com/' +
                      context.repo.owner + '/' + context.repo.repo +
-                    '/blob/${{ github.ref_name }}/CHANGELOG.md) for details.'
+                    '/blob/' + process.env.REF_NAME + '/CHANGELOG.md) for details.'
             })
+        env:
+          REF_NAME: ${{ github.ref_name }}

.github/workflows/check-upstream-ed25519.yml

@@ -17,6 +17,8 @@ jobs:
     steps:
     - name: Check out repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        persist-credentials: false
     - name: Test if ed25519 upstream main HEAD is what we expect
       id: test_ed25519
       run: |
@@ -30,7 +32,7 @@ jobs:
       uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
       if: ${{ steps.test_ed25519.outputs.result == '1' }}
       with:
-        script: |
+        script: | # zizmor: ignore[template-injection]
           console.log("ed25519 upstream main has changed!")
           console.log("${{ steps.test_ed25519.outputs.output }}")
           const repo = context.repo.owner + "/" + context.repo.repo

.github/workflows/test-kms-aws.yml

@@ -4,15 +4,21 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   local-aws-kms:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: '3.x'
           cache: 'pip'

.github/workflows/test-kms.yml

@@ -18,9 +18,11 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -32,7 +34,7 @@ jobs:
           pip install --upgrade tox
 
       - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f
+        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935
         with:
           token_format: access_token
           workload_identity_provider: projects/843741030650/locations/global/workloadIdentityPools/securesystemslib-tests/providers/securesystemslib-tests

.github/workflows/test-sigstore.yml

@@ -16,9 +16,11 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: '3.x'
           cache: 'pip'

.github/workflows/test-vault.yaml

@@ -4,15 +4,21 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   local-vault:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: '3.x'
           cache: 'pip'

pyproject.toml

@@ -1,14 +1,12 @@
 [build-system]
-# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
-# workaround to get reproducibility and auto-updates:
-#   PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
-requires = ["hatchling"]
+requires = ["hatchling==1.27.0"]
 build-backend = "hatchling.build"
 
 [project]
 name = "securesystemslib"
 authors = [{name = "https://www.updateframework.com", email = "theupdateframework@googlegroups.com"}]
-license = {text = "MIT"}
+license = "MIT"
+license-files = [ "LICENSE" ]
 description = "A library that provides cryptographic and general-purpose routines for Secure Systems Lab projects at NYU"
 readme = "README.md"
 keywords = [
@@ -22,7 +20,6 @@ keywords = [
 classifiers = [
     "Development Status :: 4 - Beta",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
     "Natural Language :: English",
     "Operating System :: POSIX",
     "Operating System :: POSIX :: Linux",
@@ -65,7 +62,6 @@ include = [
   "/securesystemslib",
   "/requirements*.txt",
   "/tox.ini",
-  "/mypy.ini",
   "/CHANGELOG.md",
   "/.coveragerc",
 ]
@@ -90,4 +86,43 @@ indent-width = 4
 "tests/*" = [
     "S",      # bandit: Not running bandit on tests
     "E501"    # line-too-long
-]
+]
+
+[tool.mypy]
+warn_unused_configs = "True"
+warn_redundant_casts = "True"
+warn_unused_ignores = "True"
+warn_unreachable = "True"
+strict_equality = "True"
+disallow_untyped_defs = "True"
+show_error_codes = "True"
+
+exclude = [
+  "^securesystemslib/_vendor/",
+  "^securesystemslib/_gpg/",
+  "^securesystemslib/hash.py",
+]
+
+[[tool.mypy.overrides]]
+module = [
+  # let's not install typeshed annotations for GCPSigner
+  "google.*",
+  # Suppress error messages for non-annotating dependencies
+  "PyKCS11.*",
+  "asn1crypto.*",
+  "sigstore_protobuf_specs.*",
+  "pyspx.*",
+  "azure.*",
+  "boto3.*",
+  "botocore.*",
+  "hvac.*",
+]
+ignore_missing_imports = "True"
+
+[[tool.mypy.overrides]]
+module = [
+  "securesystemslib._gpg.*",
+  "securesystemslib._vendor.*",
+  "securesystemslib.hash",
+]
+follow_imports = "skip"

requirements-aws.txt

@@ -1,2 +1,2 @@
-boto3==1.35.69
-botocore==1.35.69
+boto3~=1.37.24
+botocore~=1.37.24

requirements-build.txt

@@ -1,2 +1 @@
 build==1.2.2.post1
-hatchling==1.26.3

requirements-lint.txt

@@ -1,2 +1,3 @@
-mypy==1.13.0
-ruff==0.8.1
+mypy==1.15.0
+ruff==0.11.2
+zizmor==1.5.2

requirements-sigstore.txt

@@ -1 +1 @@
-sigstore==3.5.1
+sigstore==3.6.1

requirements-test.txt

@@ -1,2 +1,2 @@
 # additional test tools
-coverage==7.6.8
+coverage==7.8.0