From a7a775b292d8dd443adafbad17502b34550928fc Mon Sep 17 00:00:00 2001 From: Anas Nashif Date: Sun, 18 May 2025 11:17:59 -0400 Subject: [PATCH 1/6] create sbom Signed-off-by: Anas Nashif --- .github/workflows/release.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 91f4037a2e2..a345fcca365 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,6 +30,10 @@ jobs: with: args: spdx -o zephyr-${{ steps.get_version.outputs.VERSION }}.spdx + - uses: anchore/sbom-action@v0 + with: + artifact-name: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx + - name: upload-results uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 continue-on-error: true @@ -53,7 +57,7 @@ jobs: draft: true prerelease: true - - name: Upload Release Assets + - name: Upload Release Assets (SPDX) id: upload-release-asset uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: @@ -63,3 +67,14 @@ jobs: asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_content_type: text/plain + + - name: Upload Release Assets (SBOM) + id: upload-release-asset-sbom + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx + asset_name: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx + asset_content_type: text/plain From 4f7ac556de0a90e979f707c844cf613fab852970 Mon Sep 17 00:00:00 2001 From: Anas Nashif Date: Sun, 18 May 2025 11:52:59 -0400 Subject: [PATCH 2/6] sign Signed-off-by: Anas Nashif --- .github/workflows/release.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) 
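Review bot: `anchore/sbom-action@v0` in the first hunk of patch 1/6 is referenced by a mutable tag, while the other actions visible in this workflow are pinned to a full commit SHA with the version in a trailing comment. This job holds `contents: write` on a release workflow and runs whatever the tag resolves to at run time, so pin it the same way: `- uses: anchore/sbom-action@<full-commit-sha> # <version>` (placeholders, to be filled from the upstream release). The same applies to `sigstore/gh-action-sigstore-python@v3.0.0` added in patch 2/6, which additionally runs in a job granted `id-token: write`.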
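Review bot: The `asset_path` of the new "Upload Release Assets (SBOM)" step points at `zephyr-sbom-<VERSION>.spdx`, but nothing visible in this patch writes a file of that name. `artifact-name` on the `anchore/sbom-action` step names the uploaded workflow artifact rather than a file in the workspace, so the upload would likely fail on a missing path. If the release asset is wanted, let the SBOM step write it with `output-file: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx`. The action's default output is SPDX JSON as far as I know, so the `.spdx` suffix and `asset_content_type: text/plain` should be checked against the chosen `format`.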
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a345fcca365..3beb985a3f5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: write # to create GitHub release entry + id-token: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -57,6 +58,12 @@ jobs: draft: true prerelease: true + + # This step uses 'gh-action-sigstore-python' to sign the file designated in the inputs field. + - uses: sigstore/gh-action-sigstore-python@v3.0.0 + with: + inputs: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx + - name: Upload Release Assets (SPDX) id: upload-release-asset uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 @@ -67,14 +74,3 @@ jobs: asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_content_type: text/plain - - - name: Upload Release Assets (SBOM) - id: upload-release-asset-sbom - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx - asset_name: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx - asset_content_type: text/plain From 7c2ea8bda5a465cd28dbe5c3cf8bf42cb97f6ba0 Mon Sep 17 00:00:00 2001 From: Anas Nashif Date: Sun, 18 May 2025 12:17:57 -0400 Subject: [PATCH 3/6] upload sig json Signed-off-by: Anas Nashif --- .github/workflows/release.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3beb985a3f5..cacb37d12c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
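Review bot: `id-token: write` is added in the first hunk of patch 2/6 without the kind of explanatory comment that `contents: write` carries, and at job level it lets every step of the job request an OIDC token, not only the signing step. Suggest `id-token: write # OIDC token for Sigstore keyless signing`. Where feasible, signing could move into its own job that holds only this permission, so that checkout, SBOM generation and release upload run without it. The job's full step list lies outside the hunk, so the exact split would need to be confirmed against the whole file.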
@@ -60,7 +60,8 @@ jobs: # This step uses 'gh-action-sigstore-python' to sign the file designated in the inputs field. - - uses: sigstore/gh-action-sigstore-python@v3.0.0 + - name: Sign + uses: sigstore/gh-action-sigstore-python@v3.0.0 with: inputs: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx @@ -74,3 +75,14 @@ jobs: asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_content_type: text/plain + + - name: Upload Release Assets (Sig) + id: upload-release-asset + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json + asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json + asset_content_type: application/json From 84ae3c6e50e505615da5dba5c30f994691dc3043 Mon Sep 17 00:00:00 2001 From: Anas Nashif Date: Sun, 18 May 2025 12:19:10 -0400 Subject: [PATCH 4/6] fix wf Signed-off-by: Anas Nashif --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cacb37d12c7..0b48fd63622 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -66,7 +66,7 @@ jobs: inputs: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx - name: Upload Release Assets (SPDX) - id: upload-release-asset + id: upload-release-asset_1 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -77,7 +77,7 @@ jobs: asset_content_type: text/plain - name: Upload Release Assets (Sig) - id: upload-release-asset + id: upload-release-asset_2 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From ee54af4f6fee1869c5f41e8a93d3ee1fc26294fb Mon Sep 17 00:00:00 2001 From: Anas Nashif Date: Sun, 18 May 2025 12:34:27 -0400 Subject: [PATCH 5/6] rename sig file Signed-off-by: Anas Nashif --- .github/workflows/release.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0b48fd63622..32c7751b09a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,6 +76,9 @@ jobs: asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_content_type: text/plain + - name: Rename + run: | + mv zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl - name: Upload Release Assets (Sig) id: upload-release-asset_2 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 @@ -83,6 +86,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json - asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json + asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl + asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl asset_content_type: application/json From 90358ae82a264bbfa6e7b4d2180a596365660728 Mon Sep 17 00:00:00 2001 
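Review bot: The new "Rename" step in patch 5/6 expands `${{ steps.get_version.outputs.VERSION }}` directly inside the `run:` script and leaves both paths unquoted. The expression is substituted before the shell parses the line, so if VERSION is derived from a tag or ref name (the `get_version` step is outside the hunk) its content becomes part of the script text. Pass it through the environment and quote it: `env:` with `VERSION: ${{ steps.get_version.outputs.VERSION }}`, then `mv -- "zephyr-${VERSION}.spdx.sigstore.json" "zephyr-${VERSION}.spdx.intoto.jsonl"`. A blank line before the following `- name: Upload Release Assets (Sig)` would also match the spacing of the other steps.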
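Review bot: The asset is now published as `*.spdx.intoto.jsonl`, but the file appears to be the Sigstore bundle written by the signing step, only renamed, not an in-toto attestation in JSON Lines form. Consumers that verify with the Sigstore client look for `<file>.sigstore.json` next to the artifact by default and would have to pass the bundle path explicitly, and tooling that expects in-toto/DSSE content under this suffix may reject it. Unless a downstream consumer requires this name, keeping `.spdx.sigstore.json` for `asset_path` and `asset_name` is clearer. Otherwise add a comment above the step, for example `# Sigstore bundle for the SPDX file, renamed for <consumer>`.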
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 May 2025 10:47:13 +0000 Subject: [PATCH 6/6] ci: doc: bump the doc-deps group in /doc with 2 updates Bumps the doc-deps group in /doc with 2 updates: [anytree](https://github.com/c0fec0de/anytree) and [sphinx](https://github.com/sphinx-doc/sphinx). Updates `anytree` from 2.12.1 to 2.13.0 - [Release notes](https://github.com/c0fec0de/anytree/releases) - [Commits](https://github.com/c0fec0de/anytree/compare/2.12.1...2.13.0) Updates `sphinx` from 8.2.3 to 8.1.3 - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/v8.1.3/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v8.2.3...v8.1.3) --- updated-dependencies: - dependency-name: anytree dependency-version: 2.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: doc-deps - dependency-name: sphinx dependency-version: 8.1.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: doc-deps ... Signed-off-by: dependabot[bot] --- doc/requirements.txt | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/doc/requirements.txt b/doc/requirements.txt index c10b390651a..e297e9038b6 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt 
@@ -1,6 +1,10 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal --python-version 3.10 --generate-hashes requirements.in --output-file requirements.txt -alabaster==1.0.0 \ +alabaster==0.7.16 ; python_full_version < '3.10' \ + --hash=sha256:75a8b99c28a5dad50dd7f8ccdd447a121ddb3892da9e53d1ca5cca3106d58d65 \ + --hash=sha256:b46733c07dce03ae4e150330b975c75737fa60f0a7c591b6c8bf4928a28e2c92 + # via sphinx +alabaster==1.0.0 ; python_full_version >= '3.10' \ --hash=sha256:c00dca57bca26fa62a6d7d0a9fcce65f3e026e9bfe33e9c538fd3fbb2144fd9e \ --hash=sha256:fc6786402dc3fcb2de3cabd5fe455a2db534b371124f1f21de8731783dec828b # via sphinx @@ -10,9 +14,9 @@ anyio==4.9.0 \ # via # starlette # watchfiles -anytree==2.12.1 \ - --hash=sha256:244def434ccf31b668ed282954e5d315b4e066c4940b94aff4a7962d85947830 \ - --hash=sha256:5ea9e61caf96db1e5b3d0a914378d2cd83c269dfce1fb8242ce96589fa3382f0 +anytree==2.13.0 \ + --hash=sha256:4cbcf10df36b1f1cba131b7e487ff3edafc9d6e932a3c70071b5b768bab901ff \ + --hash=sha256:c9d3aa6825fdd06af7ebb05b4ef291d2db63e62bb1f9b7d9b71354be9d362714 # via -r requirements.in babel==2.17.0 \ --hash=sha256:0c54cffb19f690cdcc52a3b50bcbf71e07a808d1c80d549f2459b9d2cf0afb9d \ @@ -165,6 +169,10 @@ imagesize==1.4.1 \ --hash=sha256:0d8d18d08f840c19d0ee7ca1fd82490fdc3729b7ac93f49870406ddde8ef8d8b \ --hash=sha256:69150444affb9cb0d5cc5a92b3676f0b2fb7cd9ae39e947a5e11a36b4497cd4a # via sphinx +importlib-metadata==8.7.0 ; python_full_version < '3.10' \ + --hash=sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000 \ + --hash=sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd + # via sphinx iniconfig==2.1.0 \ --hash=sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7 \ --hash=sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760 
@@ -532,7 +540,6 @@ six==1.17.0 \ --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \ --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81 # via - # anytree # doxmlparser # python-dateutil sniffio==1.3.1 \ @@ -543,7 +550,21 @@ snowballstemmer==2.2.0 \ --hash=sha256:09b16deb8547d3412ad7b590689584cd0fe25ec8db3be37788be3810cbf19cb1 \ --hash=sha256:c8e1716e83cc398ae16824e5572ae04e0d9fc2c6b985fb0f900f5f0c96ecba1a # via sphinx -sphinx==8.1.3 ; python_full_version < '3.11' \ +sphinx==7.4.7 ; python_full_version < '3.10' \ + --hash=sha256:242f92a7ea7e6c5b406fdc2615413890ba9f699114a9c09192d7dfead2ee9cfe \ + --hash=sha256:c2419e2135d11f1951cd994d6eb18a1835bd8fdd8429f9ca375dc1f3281bd239 + # via + # -r requirements.in + # sphinx-autobuild + # sphinx-copybutton + # sphinx-notfound-page + # sphinx-rtd-theme + # sphinx-sitemap + # sphinx-tabs + # sphinx-togglebutton + # sphinxcontrib-jquery + # sphinxcontrib-svg2pdfconverter +sphinx==8.1.3 ; python_full_version == '3.10.*' \ --hash=sha256:09719015511837b76bf6e03e42eb7595ac8c2e41eeb9c29c5b755c6b677992a2 \ --hash=sha256:43c1911eecb0d3e161ad78611bc905d1ad0e523e4ddc202a58a821773dc4c927 # via @@ -676,6 +697,7 @@ typing-extensions==4.13.0 ; python_full_version < '3.13' \ --hash=sha256:c8dd92cc0d6425a97c18fbb9d1954e5ff92c1ca881a309c45f06ebc0b79058e5 # via # anyio + # starlette # uvicorn urllib3==2.3.0 \ --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \ @@ -833,3 +855,7 @@ wheel==0.45.1 \ --hash=sha256:661e1abd9198507b1409a20c02106d9670b2576e916d58f520316666abca6729 \ --hash=sha256:708e7481cc80179af0e556bbf0cc00b8444c7321e2700b8d8580231d13017248 # via sphinx-togglebutton +zipp==3.21.0 ; python_full_version < '3.10' \ + --hash=sha256:2c9958f6430a2040341a52eb608ed6dd93ef4392e02ffe219417c1b28b5dd1f4 \ + --hash=sha256:ac1bbe05fd2991f160ebce24ffbac5f6d11d83dc90891255885223d42b3cd931 + # via importlib-metadata