chore: sync with main

.github/dependabot.yml

@@ -6,6 +6,11 @@ updates:
     schedule:
       interval: "weekly"
       time: "10:00"
+    groups:
+      minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
     commit-message:
       prefix: "chore"
       include: "scope"
@@ -16,6 +21,11 @@ updates:
     schedule:
       interval: "weekly"
       time: "10:00"
+    groups:
+      minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
     commit-message:
       prefix: "chore"
       include: "scope"
@@ -26,6 +36,11 @@ updates:
     schedule:
       interval: "weekly"
       time: "10:00"
+    groups:
+      minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
     commit-message:
       prefix: "chore"
       include: "scope"

.github/workflows/auto-merge.yml

@@ -0,0 +1,26 @@
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+
+permissions: read-all
+
+jobs:
+  dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tests.yml

@@ -30,7 +30,7 @@ jobs:
           go-version: ${{ matrix.go-version }}
 
       - name: Setup - Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
         with:
           python-version: "3.10"
           cache: "pip"

README.md

@@ -1,10 +1,18 @@
 # go-tuf
 
-[![build](https://github.com/theupdateframework/go-tuf/workflows/build/badge.svg)](https://github.com/theupdateframework/go-tuf/actions?query=workflow%3Abuild) [![Coverage Status](https://coveralls.io/repos/github/theupdateframework/go-tuf/badge.svg)](https://coveralls.io/github/theupdateframework/go-tuf) [![PkgGoDev](https://pkg.go.dev/badge/github.com/theupdateframework/go-tuf)](https://pkg.go.dev/github.com/theupdateframework/go-tuf) [![Go Report Card](https://goreportcard.com/badge/github.com/theupdateframework/go-tuf)](https://goreportcard.com/report/github.com/theupdateframework/go-tuf)
+![ci](https://github.com/theupdateframework/go-tuf/actions/workflows/ci.yml/badge.svg) [![Coverage Status](https://coveralls.io/repos/github/theupdateframework/go-tuf/badge.svg)](https://coveralls.io/github/theupdateframework/go-tuf) [![PkgGoDev](https://pkg.go.dev/badge/github.com/theupdateframework/go-tuf)](https://pkg.go.dev/github.com/theupdateframework/go-tuf) [![Go Report Card](https://goreportcard.com/badge/github.com/theupdateframework/go-tuf)](https://goreportcard.com/report/github.com/theupdateframework/go-tuf)
 
 This is a Go implementation of [The Update Framework (TUF)](http://theupdateframework.com/),
 a framework for securing software update systems.
 
+## API instability
+
+**Note**: go-tuf's API is in flux and backwards compatibility with version 0.7.0 and earlier will _**not**_ be maintained.
+
+We recommend production users of go-tuf pin their dependency so that changes in main do not cause disruptions.
+
+For more details on the changes, and the rationale for making them, see [issue #485](https://github.com/theupdateframework/go-tuf/issues/485) and the v0.7.0 [release notes](https://github.com/theupdateframework/go-tuf/releases/tag/v0.7.0)
+
 ## Directory layout
 
 A TUF repository has the following directory layout:

docs/MAINTAINERS

@@ -2,5 +2,6 @@ Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com> (github: trishanka
 Joshua Lock <jlock@vmware.com> (github: joshuagl)
 Marina Moore <mm9693@nyu.edu> (github: mnm678)
 Zack Newman <zjn@chainguard.dev> (github: znewman01)
-Radoslav Dimitrov <dimitrovr@vmware.com> (github: rdimitrov)
+Radoslav Dimitrov <radoslav@stacklok.com> (github: rdimitrov)
 Fredrik Skogman <kommendorkapten@github.com> (github: kommendorkapten)
+Marvin Drees <marvin.drees@9elements.com> (github: MDr164)

requirements-test.txt

@@ -1,5 +1,5 @@
 iso8601==2.1.0
 requests==2.31.0
-securesystemslib==0.30.0
+securesystemslib==0.31.0
 six==1.16.0
 tuf==3.1.0