theupdateframework / tuf-on-ci-template


Bump theupdateframework/tuf-on-ci from 0.7.0 to 0.8.0 #29

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps theupdateframework/tuf-on-ci from 0.7.0 to 0.8.0.

Release notes

Sourced from theupdateframework/tuf-on-ci's releases.

v0.8.0

See CHANGELOG.md for details.

Changelog

Sourced from theupdateframework/tuf-on-ci's changelog.

Changelog

Unreleased

v0.8.0

Changes

  • Signer now opens PRs in a browser automatically when in non-maintainer signing flow
  • Signer now has runtime version checking: A message is printed out if a new version is available
  • Actions have dependency updates

GitHub Actions upgrade instructions

A plain version bump from 0.7 works: Workflows require no changes.

v0.7.0

Changes

  • Signer has improved signing error handling
  • Custom fields in TargetFile metadata are now preserved during target update (this is a workaround mostly for sigstore root-signing legacy artifacts)

Upgrade instructions

A plain version bump from 0.6 works: Workflows require no changes.

v0.6.0

NOTE: please see upgrade instructions below.

Changes

  • Signing events now happen in GitHub pull requests
  • Signer now probes for PKCS11 module: configuring that is no longer required, as long as the module is in one of the expected locations.

Upgrade instructions

  • As usual we recommend copying your workflows from https://github.com/theupdateframework/tuf-on-ci-template/.
    • signing event action no longer needs issues: write permission but instead requires pull-requests: write
  • Custom token users need to create a new token with an additional permission Pull requests: write
  • Settings->Actions->General->Allow GitHub Actions to create and approve pull requests needs to be enabled in repository settings

... (truncated)

Commits
  • b20b159 Merge pull request #228 from jku/release-0.8.0
  • 0576dba Release v0.8.0
  • 3431937 Merge pull request #209 from jku/non-maintainer-flow
  • 34717e8 signer: Open PR in browser when using forks
  • c5db842 Merge pull request #225 from theupdateframework/dependabot/pip/repo/ruff-0.3.4
  • 99341e5 Merge pull request #226 from theupdateframework/dependabot/pip/signer/ruff-0.3.4
  • 1a3acc6 build(deps-dev): bump ruff from 0.3.3 to 0.3.4 in /signer
  • 5ba92a2 build(deps-dev): bump ruff from 0.3.3 to 0.3.4 in /repo
  • 91ad1ec build(deps): bump actions/download-artifact from 4.1.3 to 4.1.4 (#211)
  • bc01b75 build(deps): bump pypa/gh-action-pypi-publish from 1.8.12 to 1.8.14 (#212)
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] commented 3 months ago

Superseded by #30.