To ensure that e.g. airgapped devices running on deprecated archs can still
update the Supervisor when they become online, the version of Supervisor in the
version file must stay available for all architectures. Since the base images
will no longer exist for those archs and to avoid the need for building it from
current source, add a job that pulls the last available image, changes the label
in the metadata and publishes it under the new tag. That way we'll get a new
image with a different SHA (compared to a plain re-tag), so the GHCR metrics
should reflect how many devices still pull these old images.

Currently we're lacking control over what version of the base images is
used, and it only depends on when the build is launched. This doesn't
allow any (easy) rollback mechanisms and it's also not very transparent.
Use the newly introduced base image tags which include the release
version suffix so we have more control over this aspect.

* Bump Supervisor to Python 3.13
* Update ruff configuration to 0.9.1
Adjust pyproject.toml for ruff 0.9.1. Also make sure that the latest version
of ruff is used in pre-commit.
* Set default configuration for pytest-asyncio
* Run ruff check
* Drop deprecated decorator no_type_check_decorator
The upstream PR (https://github.com/python/cpython/issues/106309) says
this never got really implemented by type checkers.
* Bump devcontainer to latest release

This reverts commit b1010c3c6167c127510a5021fb7dd03995f8b24e.
It seems that the git version deployed with the latest Alpine doesn't
play nice with Supervisor. Specifically it leads to "fatal: cannot exec
'remote-https': Permission denied" errors.

* Using CAS for content-trust
* v2
* Fix linting errors
* Adjust field checked for status in CAS response
* CI workflow needs CAS not VCN now
* Use cwd in test as code won't be in /usr/src
* Pre-cache CAS pub key for supervisor
* CAS doesn't actually need key file executable
Co-authored-by: Mike Degatano <michael.degatano@gmail.com>