fix: deep targets file path

.github/workflows/codeql-analysis.yml

@@ -37,14 +37,17 @@ jobs:
  # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
  steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
- - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup - Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL
- uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5
  with:
  languages: ${{ matrix.language }}
  # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +58,7 @@ jobs:
  # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
- uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5
 
  # ℹ️ Command-line programs to run using the OS shell.
  # 📚 https://git.io/JvXDl
@@ -69,4 +72,4 @@ jobs:
  # make release
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5

.github/workflows/examples.yml

@@ -28,12 +28,14 @@ jobs:
  runs-on: ${{ matrix.os }}
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
+
  - run: make example-client
 
  repository:
@@ -44,12 +46,14 @@ jobs:
  runs-on: ${{ matrix.os }}
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
+
  - run: make example-repository
 
  multirepo:
@@ -60,12 +64,14 @@ jobs:
  runs-on: ${{ matrix.os }}
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
+
  - run: make example-multirepo
 
  tuf-client-cli:
@@ -76,12 +82,14 @@ jobs:
  runs-on: ${{ matrix.os }}
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
+
  - run: make example-tuf-client-cli
 
  root-signing:
@@ -92,10 +100,12 @@ jobs:
  runs-on: ${{ matrix.os }}
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
+
  - run: make example-root-signing

.github/workflows/linting.yml

@@ -23,25 +23,27 @@ jobs:
  name: govulncheck
  steps:
  - id: govulncheck
- uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4
+ uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0
+ continue-on-error: true
  with:
  go-version-file: 'go.mod'
  go-package: ./...
+
  golangci:
  name: golangci-lint
  runs-on: ubuntu-latest
  steps:
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
 
  - name: Run golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
  with:
  # Require: The version of golangci-lint to use.
  # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.

.github/workflows/tests.yml

@@ -30,10 +30,10 @@ jobs:
  run: git config --global core.autocrlf false
 
  - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version-file: 'go.mod'
  cache: true
@@ -42,4 +42,4 @@ jobs:
  run: go test -race -covermode=atomic -coverpkg=./metadata/... -coverprofile=coverage.out ./...
 
  - name: Send coverage
- uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+ uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0

README.md

@@ -1,20 +1,17 @@
-![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/rdimitrov/go-tuf-metadata/ci.yml?branch=main)
-[![codecov](https://codecov.io/github/rdimitrov/go-tuf-metadata/branch/main/graph/badge.svg?token=2ZUA68ZL13)](https://codecov.io/github/rdimitrov/go-tuf-metadata)
-[![Go Reference](https://pkg.go.dev/badge/github.com/rdimitrov/go-tuf-metadata.svg)](https://pkg.go.dev/github.com/rdimitrov/go-tuf-metadata)
-[![Go Report Card](https://goreportcard.com/badge/github.com/rdimitrov/go-tuf-metadata)](https://goreportcard.com/report/github.com/rdimitrov/go-tuf-metadata)
+![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/theupdateframework/go-tuf/ci.yml?branch=master)
+[![codecov](https://codecov.io/github/theupdateframework/go-tuf/branch/master/graph/badge.svg?token=2ZUA68ZL13)](https://codecov.io/github/theupdateframework/go-tuf)
+[![Go Reference](https://pkg.go.dev/badge/github.com/theupdateframework/go-tuf.svg)](https://pkg.go.dev/github.com/theupdateframework/go-tuf)
+[![Go Report Card](https://goreportcard.com/badge/github.com/theupdateframework/go-tuf)](https://goreportcard.com/report/github.com/theupdateframework/go-tuf)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
-# <img src="https://cdn.rawgit.com/theupdateframework/artwork/3a649fa6/tuf-logo.svg" height="100" valign="middle" alt="TUF"/> A Framework for Securing Software Update Systems
+# <img src="https://cdn.rawgit.com/theupdateframework/artwork/3a649fa6/tuf-logo.svg" height="100" valign="middle" alt="TUF"/> go-tuf/v2 - Framework for Securing Software Update Systems
 
 ----------------------------
 
 [The Update Framework (TUF)](https://theupdateframework.io/) is a framework for
 secure content delivery and updates. It protects against various types of
 supply chain attacks and provides resilience to compromise.
 
-[go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) started from the idea of providing a Go implementation of TUF that is heavily influenced by the
-design decisions made in [python-tuf](https://github.com/theupdateframework/python-tuf).
-
 ## About The Update Framework
 
 ----------------------------
@@ -37,16 +34,16 @@ Please see [TUF's website](https://theupdateframework.com/) for more information
 
 ----------------------------
 
-The [go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) project provides the following functionality:
+The go-tuf v2 project provides a lightweight library with the following functionality:
 
-* creation, reading, and writing of metadata
-* an easy object-oriented approach for interacting with metadata
+* creation, reading, and writing of TUF metadata
+* an easy object-oriented approach for interacting with TUF metadata
 * consistent snapshots
-* signing and verifying metadata
+* signing and verifying TUF metadata
 * ED25519, RSA, and ECDSA key types referenced by the latest TUF specification
 * top-level role delegation
 * target delegation via standard and hash bin delegations
-* support of [succinct hash bin delegations](https://github.com/theupdateframework/taps/blob/master/tap15.md) which significantly reduce the size of metadata
+* support of [succinct hash bin delegations](https://github.com/theupdateframework/taps/blob/master/tap15.md) which significantly reduce the size of the TUF metadata
 * support for unrecognized fields within the metadata (i.e. preserved and accessible through `root.Signed.UnrecognizedFields["some-unknown-field"]`, also used for verifying/signing (if included in the Signed portion of the metadata))
 * TUF client API
 * TUF multi-repository client API (implements [TAP 4 - Multiple repository consensus on entrusted targets](https://github.com/theupdateframework/taps/blob/master/tap4.md))
@@ -55,6 +52,8 @@ The [go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) project prov
 
 ----------------------------
 
+There are several examples that can act as a guideline on how to use the library and its features. Some of which are:
+
 * [basic_repository.go](examples/repository/basic_repository.go) example which demonstrates how to *manually* create and
 maintain repository metadata using the low-level Metadata API.
 
@@ -114,17 +113,21 @@ and can be used to implement various TUF clients with relatively little effort.
 
 ----------------------------
 
-* [go-tuf-metadata documentation](https://pkg.go.dev/github.com/rdimitrov/go-tuf-metadata)
+* [Documentation](https://pkg.go.dev/github.com/theupdateframework/go-tuf)
 
 * [Introduction to TUF's Design](https://theupdateframework.io/overview/)
 
 * [The TUF Specification](https://theupdateframework.github.io/specification/latest/)
 
+## History - legacy go-tuf vs go-tuf/v2
+
+The [legacy go-tuf (v0.7.0)](https://github.com/theupdateframework/go-tuf/tree/v0.7.0) codebase was difficult to maintain and prone to errors due to its initial design decisions. Now it is considered deprecated in favour of go-tuf v2 (originaly from [rdimitrov/go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata)) which started from the idea of providing a Go implementation of TUF that is heavily influenced by the design decisions made in [python-tuf](https://github.com/theupdateframework/python-tuf).
+
 ## Contact
 
 ----------------------------
 
-Questions, feedback, and suggestions are welcomed on the [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) channel on
+Questions, feedback, and suggestions are welcomed on the [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) and/or [#go-tuf](https://cloud-native.slack.com/archives/C02D577GX54) channels on
 [CNCF Slack](https://slack.cncf.io/).
 
 We strive to make the specification easy to implement, so if you come across

examples/multirepo/repository/generate_metadata.go

@@ -19,6 +19,7 @@ package main
 
 import (
  "crypto"
+ "crypto/ed25519"
  "fmt"
  "os"
  "path/filepath"
@@ -28,7 +29,6 @@ import (
  "github.com/sigstore/sigstore/pkg/signature"
  "github.com/theupdateframework/go-tuf/v2/metadata"
  "github.com/theupdateframework/go-tuf/v2/metadata/repository"
- "golang.org/x/crypto/ed25519"
 )
 
 func main() {

examples/repository/basic_repository.go

@@ -20,6 +20,7 @@ package main
 import (
  "crypto"
  "crypto/ecdsa"
+ "crypto/ed25519"
  "crypto/elliptic"
  "crypto/rand"
  "crypto/rsa"
@@ -31,7 +32,6 @@ import (
  "github.com/sigstore/sigstore/pkg/signature"
  "github.com/theupdateframework/go-tuf/v2/metadata"
  "github.com/theupdateframework/go-tuf/v2/metadata/repository"
- "golang.org/x/crypto/ed25519"
 )
 
 // A TUF repository example using the low-level TUF Metadata API.

go.mod

@@ -5,27 +5,26 @@ go 1.21
 require (
  github.com/go-logr/stdr v1.2.2
  github.com/secure-systems-lab/go-securesystemslib v0.8.0
- github.com/sigstore/sigstore v1.8.1
- github.com/sirupsen/logrus v1.9.3
+ github.com/sigstore/sigstore v1.8.3
  github.com/spf13/cobra v1.8.0
- github.com/stretchr/testify v1.8.4
- golang.org/x/crypto v0.19.0
+ github.com/stretchr/testify v1.9.0
 )
 
 require (
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/go-logr/logr v1.3.0 // indirect
- github.com/google/go-containerregistry v0.17.0 // indirect
+ github.com/google/go-containerregistry v0.19.0 // indirect
  github.com/inconshreveable/mousetrap v1.1.0 // indirect
  github.com/kr/pretty v0.3.1 // indirect
  github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
  github.com/opencontainers/go-digest v1.0.0 // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
  github.com/spf13/pflag v1.0.5 // indirect
  github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
- golang.org/x/sys v0.17.0 // indirect
- golang.org/x/term v0.17.0 // indirect
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/sys v0.18.0 // indirect
+ golang.org/x/term v0.18.0 // indirect
  google.golang.org/grpc v1.56.3 // indirect
- gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+ gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
  gopkg.in/yaml.v3 v3.0.1 // indirect
 )