From ce560215bf141c81083dc2f66902614141802705 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 8 Aug 2024 15:48:13 +0300
Subject: [PATCH 1/3] Update tuf-conformance action to 1.0

Also update the client-under-test script (this is a direct copy from tuf-conformance).

Signed-off-by: Jussi Kukkonen
---
 .github/scripts/conformance-client.py | 22 ++--------------------
 .github/workflows/conformance.yml | 2 +-
 2 files changed, 3 insertions(+), 21 deletions(-)

diff --git a/.github/scripts/conformance-client.py b/.github/scripts/conformance-client.py
index c31550df91..bc9054fafc 100755
--- a/.github/scripts/conformance-client.py
+++ b/.github/scripts/conformance-client.py
@@ -8,9 +8,8 @@
 import os
 import shutil
 import sys
-from datetime import datetime, timedelta, timezone
 
-from tuf.ngclient import Updater, UpdaterConfig
+from tuf.ngclient import Updater
 
 
 def init(metadata_dir: str, trusted_root: str) -> None:
@@ -21,23 +20,13 @@ def init(metadata_dir: str, trusted_root: str) -> None:
 print(f"python-tuf test client: Initialized repository in {metadata_dir}")
 
 
-def refresh(
- metadata_url: str,
- metadata_dir: str,
- days_in_future: str,
- max_root_rotations: int,
-) -> None:
+def refresh(metadata_url: str, metadata_dir: str) -> None:
 """Refresh local metadata from remote"""
 updater = Updater(
 metadata_dir,
 metadata_url,
- config=UpdaterConfig(max_root_rotations=int(max_root_rotations)),
 )
- if days_in_future != "0":
- day_int = int(days_in_future)
- day_in_future = datetime.now(timezone.utc) + timedelta(days=day_int)
- updater._trusted_set.reference_time = day_in_future # noqa: SLF001
 updater.refresh()
 print(f"python-tuf test client: Refreshed metadata in {metadata_dir}")
 
 
@@ -56,7 +45,6 @@ def download_target(
 metadata_url,
 download_dir,
 target_base_url,
- config=UpdaterConfig(prefix_targets_with_hash=False),
 )
 target_info = updater.get_targetinfo(target_name)
 if not target_info:
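Review bot: With only two positional arguments left, the `Updater(` call in the new `refresh` body no longer needs a four-line layout; `updater = Updater(metadata_dir, metadata_url)` reads better and matches the one-line signature just above it. The same collapse applies to the `refresh(` call in the `@@ -104,8 +88,6` hunk of main. Since the `UpdaterConfig` argument is gone, `refresh` now runs on the library's default configuration; if that is the intent (the commit message suggests the suite now tests default client behaviour), a comment such as `# library-default UpdaterConfig on purpose: the suite exercises default client behaviour` would record it for the next reader.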
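Review bot: Dropping `config=UpdaterConfig(prefix_targets_with_hash=False)` in `download_target` means the client now uses the library default and requests hash-prefixed target paths, but nothing in the hunk records that the conformance repository is expected to serve consistent-snapshot targets. A one-line comment on the `Updater(` call would make the dependency explicit, e.g. `# default UpdaterConfig: targets are fetched as <hash>.<name> (consistent snapshot)`. download_target starts before this hunk, and the `if not target_info:` branch continues after it.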
@@ -73,10 +61,6 @@ def main() -> int:
 parser.add_argument("--target-name", required=False)
 parser.add_argument("--target-dir", required=False)
 parser.add_argument("--target-base-url", required=False)
- parser.add_argument("--days-in-future", required=False, default="0")
- parser.add_argument(
- "--max-root-rotations", required=False, default=32, type=int
- )
 sub_command = parser.add_subparsers(dest="sub_command")
 
 init_parser = sub_command.add_parser(
@@ -104,8 +88,6 @@ def main() -> int:
 refresh(
 command_args.metadata_url,
 command_args.metadata_dir,
- command_args.days_in_future,
- command_args.max_root_rotations,
 )
 elif command_args.sub_command == "download":
 download_target(
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index b594c48dc5..f1ccdd9c7f 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -11,6 +11,6 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
 - name: Run test suite
- uses: theupdateframework/tuf-conformance@main
+ uses: theupdateframework/tuf-conformance@5ae68349ec6b85ae443c110d967ac21807f1cdb7 # v1.0.0
 with:
 entrypoint: ".github/scripts/conformance-client.py"

From 3a429984bdc17dc18df3933f593eb4b1bef13d4c Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 8 Aug 2024 15:50:14 +0300
Subject: [PATCH 2/3] workflows: Enable tuf-conformance for PRs

tuf-conformance workflow now pins a release tag so we can enable this on PRs.

Signed-off-by: Jussi Kukkonen
---
 .github/workflows/conformance.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index f1ccdd9c7f..12705894f8 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -1,5 +1,8 @@
 on:
- # manual dispatch only while the conformance test suite is under rapid development
+ push:
+ branches:
+ - develop
+ pull_request:
 workflow_dispatch:
 
 name: Conformance test
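Review bot: The removed comment was the only explanation of the trigger policy, and the new `push`/`pull_request` block in the `@@ -1,5 +1,8` hunk carries none; the reason the commit message gives (the action is now pinned to a release) belongs in the file so the next reader does not reopen the question. Suggest a comment above `push:` such as `# safe to run on PRs: the conformance action is pinned to a release commit`. A `pull_request` run from a fork gets a read-only GITHUB_TOKEN, which is adequate for a job whose only visible steps are the checkout and the conformance action.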
From 9b2a931c789157c30b4c05f90af422ff573bb759 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 12 Sep 2024 12:58:12 +0300
Subject: [PATCH 3/3] Update permissions

This does not really change the default much but it's a decent practice and makes the SSF Scorecard look better.

Signed-off-by: Jussi Kukkonen
---
 .github/workflows/conformance.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 12705894f8..731fbf0007 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 name: Conformance test
 jobs:
 conformance:
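Review bot: A workflow-level `permissions:` block with only `contents: read` removes every other GITHUB_TOKEN scope for all jobs, which is more than the commit message's "does not really change the default much" suggests when the repository still uses the permissive default token; the rationale is worth recording next to the block, e.g. `# least-privilege token: the job only needs to read the checkout`. The choice is correct for a job whose visible steps are the checkout and the conformance action. If a later step ever needs a write scope (check runs, PR comments), grant it with a job-level `permissions:` block rather than widening this one.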