Commit graph

561 commits

Author SHA1 Message Date
Will Greenberg
c777edbf77
fix lil syntax error (#10735)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
2026-07-15 14:22:50 -07:00
dependabot[bot]
0265abfa62
Bump msgpack from 1.1.2 to 1.2.1 in /tools (#10727)
Some checks failed
PR test suite / Standard tests (push) Has been cancelled
PR test suite / PR test suite success (push) Has been cancelled
Bumps [msgpack](https://github.com/msgpack/msgpack-python) from 1.1.2 to
1.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/msgpack/msgpack-python/releases">msgpack's
releases</a>.</em></p>
<blockquote>
<h2>v1.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump pypa/cibuildwheel from 4.0.0 to 4.1.0 in the all-dependencies
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/694">msgpack/msgpack-python#694</a></li>
<li>release v1.2.1 by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/698">msgpack/msgpack-python#698</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/msgpack/msgpack-python/compare/v1.2.0...v1.2.1">https://github.com/msgpack/msgpack-python/compare/v1.2.0...v1.2.1</a></p>
<h2>v1.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>relax setuptools version by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/652">msgpack/msgpack-python#652</a></li>
<li>update setuptools requirements to &gt;=78.1.1 by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/653">msgpack/msgpack-python#653</a></li>
<li>cython: freethreading_compatible by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/654">msgpack/msgpack-python#654</a></li>
<li>drop Python 3.9 by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/656">msgpack/msgpack-python#656</a></li>
<li>update cython and cibuildwheel by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/658">msgpack/msgpack-python#658</a></li>
<li>ci: add riscv64 manylinux/musllinux wheels by <a
href="https://github.com/justeph"><code>@​justeph</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/664">msgpack/msgpack-python#664</a></li>
<li>fix: check <code>unpack_callback_uint32</code> result by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/666">msgpack/msgpack-python#666</a></li>
<li>fix: re-raise existing exception when available by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/667">msgpack/msgpack-python#667</a></li>
<li>fix: check return code in <code>unpack_callback_int64</code> by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/665">msgpack/msgpack-python#665</a></li>
<li>Fixed README example by <a
href="https://github.com/vallsv"><code>@​vallsv</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/668">msgpack/msgpack-python#668</a></li>
<li>Bump the all-dependencies group with 6 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/669">msgpack/msgpack-python#669</a></li>
<li>ci: use ubuntu-slim for lint by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/670">msgpack/msgpack-python#670</a></li>
<li>fix: enforce <code>strict_map_key</code> with
<code>object_pairs_hook</code> by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/673">msgpack/msgpack-python#673</a></li>
<li>Raise DEFAULT_RECURSE_LIMIT from 511 to 1024 by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/676">msgpack/msgpack-python#676</a></li>
<li>fix: properly handle return codes in <code>pack_timestamp</code> by
<a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/672">msgpack/msgpack-python#672</a></li>
<li>fix: avoid memory leak when decoding invalid nested arrays by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/671">msgpack/msgpack-python#671</a></li>
<li>Add missing autoreset in Packer.pack_ext_type by <a
href="https://github.com/bysiber"><code>@​bysiber</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/663">msgpack/msgpack-python#663</a></li>
<li>Add no-GIL interpreter support by <a
href="https://github.com/clin1234"><code>@​clin1234</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/641">msgpack/msgpack-python#641</a></li>
<li>skip recursion limit test on free-threaded CPython builds by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/679">msgpack/msgpack-python#679</a></li>
<li>Fix Timestamp.from_datetime returning wrong value for pre-epoch
datetimes by <a
href="https://github.com/bysiber"><code>@​bysiber</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/662">msgpack/msgpack-python#662</a></li>
<li>Add 3.15 to CI by <a
href="https://github.com/clin1234"><code>@​clin1234</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/678">msgpack/msgpack-python#678</a></li>
<li>fix: use-after-free in <code>get_data_from_buffer</code> by <a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/677">msgpack/msgpack-python#677</a></li>
<li>change changelog format to markdown by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/680">msgpack/msgpack-python#680</a></li>
<li>Bump the all-dependencies group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/684">msgpack/msgpack-python#684</a></li>
<li>Bump sys.setrecursionlimit within test_nest_limit_1024 by <a
href="https://github.com/clin1234"><code>@​clin1234</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/682">msgpack/msgpack-python#682</a></li>
<li>Guard <code>Packer</code> buffer protocol hooks with Cython critical
sections by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/686">msgpack/msgpack-python#686</a></li>
<li>Harden <code>Unpacker.__init__</code> re-entry cleanup to prevent
buffer/context leaks by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/687">msgpack/msgpack-python#687</a></li>
<li>release v1.2.0rc1 by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/681">msgpack/msgpack-python#681</a></li>
<li>Wheels CI hangs for MacOS Intel by <a
href="https://github.com/crusaderky"><code>@​crusaderky</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/689">msgpack/msgpack-python#689</a></li>
<li>Bump pypa/cibuildwheel from 3.4.1 to 4.0.0 in the all-dependencies
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/691">msgpack/msgpack-python#691</a></li>
<li>release v1.2.0 by <a
href="https://github.com/methane"><code>@​methane</code></a> in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/692">msgpack/msgpack-python#692</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/justeph"><code>@​justeph</code></a> made
their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/664">msgpack/msgpack-python#664</a></li>
<li><a
href="https://github.com/KowalskiThomas"><code>@​KowalskiThomas</code></a>
made their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/666">msgpack/msgpack-python#666</a></li>
<li><a href="https://github.com/vallsv"><code>@​vallsv</code></a> made
their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/668">msgpack/msgpack-python#668</a></li>
<li><a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/669">msgpack/msgpack-python#669</a></li>
<li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/676">msgpack/msgpack-python#676</a></li>
<li><a href="https://github.com/bysiber"><code>@​bysiber</code></a> made
their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/663">msgpack/msgpack-python#663</a></li>
<li><a href="https://github.com/clin1234"><code>@​clin1234</code></a>
made their first contribution in <a
href="https://redirect.github.com/msgpack/msgpack-python/pull/641">msgpack/msgpack-python#641</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/msgpack/msgpack-python/blob/main/CHANGELOG.md">msgpack's
changelog</a>.</em></p>
<blockquote>
<h1>1.2.1</h1>
<p>Release Date: 2026-06-19</p>
<p>Fix a segfault when calling <code>Unpacker.unpack()</code> or
<code>Unpacker.skip()</code> after an unpacking failure.
But note that reusing the same <code>Unpacker</code> instance after an
unpacking failure is not supported.
Please create a new <code>Unpacker</code> instance instead.
GHSA-6v7p-g79w-8964</p>
<h1>1.2.0</h1>
<p>Release Date: 2026-06-11</p>
<ul>
<li>Support free threaded Python. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/654">#654</a>,
<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/686">#686</a></li>
<li>Dropped support for Python 3.9. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/656">#656</a></li>
<li>Fix missing error checks in C code. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/665">#665</a>,
<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/666">#666</a>,
<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/667">#667</a>,
<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/672">#672</a></li>
<li>Fix <code>strict_map_key</code> option didn't work for
<code>object_pairs_hook</code>. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/673">#673</a></li>
<li>Increase DEFAULT_RECURSE_LIMIT of Unpacker to 1024. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/676">#676</a></li>
<li>Fix memory leak when Unpacker returns error for invalid input. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/671">#671</a></li>
<li>Fix <code>Packer.pack_ext_type()</code> ignored
<code>autoreset</code> option. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/663">#663</a></li>
<li>Fix <code>Timestamp.from_datetime()</code> returning wrong value for
pre-epoch datetimes. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/662">#662</a></li>
<li>Fix use-after-free in <code>unpackb()</code> and
<code>Unpacker.unpack()</code> for non-contiguous input. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/677">#677</a></li>
<li>Fix possible memory leak when calling
<code>Unpacker.__init__()</code> several times. <a
href="https://redirect.github.com/msgpack/msgpack-python/issues/687">#687</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="448d43f5dc"><code>448d43f</code></a>
release v1.2.1 (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/698">#698</a>)</li>
<li><a
href="2c56ddb5d0"><code>2c56ddb</code></a>
Merge commit from fork</li>
<li><a
href="0f4f350b6f"><code>0f4f350</code></a>
Bump pypa/cibuildwheel from 4.0.0 to 4.1.0 in the all-dependencies group
(<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/694">#694</a>)</li>
<li><a
href="11ed0a5110"><code>11ed0a5</code></a>
release v1.2.0 (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/692">#692</a>)</li>
<li><a
href="c410a388c5"><code>c410a38</code></a>
Bump pypa/cibuildwheel from 3.4.1 to 4.0.0 (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/691">#691</a>)</li>
<li><a
href="97ba6ca0d2"><code>97ba6ca</code></a>
skip ci: remove unneeded CIBW_SKIP option</li>
<li><a
href="cdde1b0d63"><code>cdde1b0</code></a>
Wheels CI hangs for MacOS Intel (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/689">#689</a>)</li>
<li><a
href="5eb57e1545"><code>5eb57e1</code></a>
release v1.2.0rc1 (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/681">#681</a>)</li>
<li><a
href="77395c19a5"><code>77395c1</code></a>
Harden <code>Unpacker.__init__</code> re-entry cleanup to prevent
buffer/context leaks (...</li>
<li><a
href="7df7136e20"><code>7df7136</code></a>
Guard <code>Packer</code> buffer protocol hooks with Cython critical
sections (<a
href="https://redirect.github.com/msgpack/msgpack-python/issues/686">#686</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/msgpack/msgpack-python/compare/v1.1.2...v1.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=msgpack&package-manager=pip&previous-version=1.1.2&new-version=1.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/certbot/certbot/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 13:42:45 -07:00
ohemorange
90f7404b19
Automate synchronizing github repo post-release (#10697)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
This PR automates the release process steps to:
- update the candidate branch with the contents of the release branch on
the repo in the subfolder
- create a PR merging the candidate branch into main
- create a new branch without the version bump. usually `1.2.x`, unless
it's a point release.
- if it's a point release, create a PR merging the new branch without
version bumps into the existing `1.2.x` branch.

This draws from steps 10, 12, and 13. Step 10 should still have the code
to push to pypi, since that's a different though, though I think that
could move here in the future as well.

My general design philosophy was "error out instead of letting the
script put git into a bad state," with the exception of PR creation
which seemed safe to skip and continue.

I've also added some flags, mostly to make testing this easier, but
could be useful for re-running the script as well. Unlike
`promote_snaps` and `generate_community_forum_post`,
`synchronize_github_repo` is *not* idempotent. I do not think it should
be, because of how git works. I think if branches already exist and the
user really did want to synchronize branches again, the user would want
to know that it can't be done automatically, and should instead be told
what to do to make it possible, or how to skip the whole thing. I don't
think we should, for example, go ahead and create a PR based on an old
version of a branch and just skip the pulling step, or automatically
delete a branch.

In `_create_and_push_branch_without_version_bump`, if you have created
the branch then fail after, you'll rerun and then get a message saying
to delete the branch. I think that's nicer than automatically deleting
it, in case you want to inspect it.

successful test run:
```
$ git switch create-pr
Switched to branch 'create-pr'
$ RELEASE_GPG_KEY=[test key] tools/release.sh 4.35.0 4.36.0
[release output]
$ tools/finish_release.py --test-version 4.35.0 --skip-snaps
Creating PR to merge candidate-4.35.0 into main...
PR location: https://github.com/certbot/certbot/pull/10714
Creating branch without version bump commit named 4.35.x...
Created.
Generating announcement text for community forum post
release not found
Generating announcement text failed.
$ git switch 4.35.x
Switched to branch '4.35.x'
$ RELEASE_GPG_KEY=[test key] tools/release.sh 4.35.1 4.36.0
[release output]
$ tools/finish_release.py --test-version 4.35.1 --skip-snaps
Creating PR to merge candidate-4.35.1 into main...
PR location: https://github.com/certbot/certbot/pull/10715
Creating branch without version bump commit named point-candidate-4.35.1...
Created.
Creating PR to merge point-candidate-4.35.1 into 4.35.x...
PR location: https://github.com/certbot/certbot/pull/10716
Generating announcement text for community forum post
release not found
Generating announcement text failed.
```

then here's some errors and their outputs --

trying to run `finish_release.py` again:
```
$ tools/finish_release.py --test-version 4.34.1 --skip-snaps
Creating PR to merge candidate-4.35.1 into main...
PR to merge release changes into main already exists...skipping creation. To create a new PR, delete the old one on GitHub.
PR location: https://github.com/certbot/certbot/pull/10715
Creating branch without version bump commit named point-candidate-4.35.1...
Error running `git branch point-candidate-4.35.1`
Branch point-candidate-4.35.1 already exists. Delete it using `git branch -D point-candidate-4.35.1`.

fatal: a branch named 'point-candidate-4.35.1' already exists

To skip pushing updated branches to GitHub and creating PRs, run this script with the `--skip-github-sync` flag.
Traceback (most recent call last):
  File "/Users/erica/certbot/tools/finish_release.py", line 370, in <module>
    main(sys.argv[1:])
    ~~~~^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 366, in main
    synchronize_github_repo(version)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 329, in synchronize_github_repo
    _create_and_push_branch_without_version_bump(version, branch_name)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 280, in _create_and_push_branch_without_version_bump
    _run_silent_except_error(f'git branch {branch_name}'.split(), msg)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 209, in _run_silent_except_error
    raise e
  File "/Users/erica/certbot/tools/finish_release.py", line 201, in _run_silent_except_error
    process = subprocess.run(cmd, check=True, universal_newlines=True, capture_output=True)
  File "/Users/erica/.pyenv/versions/3.14.3/lib/python3.14/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['git', 'branch', 'point-candidate-4.35.1']' returned non-zero exit status 128.
```

local changes to branch:
```
$ touch test_file.txt
$ git add -A 
$ tools/finish_release.py --test-version 4.35.1 --skip-snaps
Error running `git diff --quiet HEAD`
You have uncommitted changes that will be deleted. Stash your changes before rerunning this script.


To skip pushing updated branches to GitHub and creating PRs, run this script with the `--skip-github-sync` flag.
Traceback (most recent call last):
  File "/Users/erica/certbot/tools/finish_release.py", line 370, in <module>
    main(sys.argv[1:])
    ~~~~^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 366, in main
    synchronize_github_repo(version)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 315, in synchronize_github_repo
    _run_silent_except_error('git diff --quiet HEAD'.split(), message)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 209, in _run_silent_except_error
    raise e
  File "/Users/erica/certbot/tools/finish_release.py", line 201, in _run_silent_except_error
    process = subprocess.run(cmd, check=True, universal_newlines=True, capture_output=True)
  File "/Users/erica/.pyenv/versions/3.14.3/lib/python3.14/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['git', 'diff', '--quiet', 'HEAD']' returned non-zero exit status 1.
```

branch doesn't match the one on github (shows that stdout is now also
printed on error):
```
$ cd releases/le.4.35.1.89372/
$ git commit --amend # change the message
[candidate-4.35.1 8d34a67a4] Bump version to 4.36.0 new message
 Date: Tue Jun 23 10:47:56 2026 -0700
 20 files changed, 20 insertions(+), 20 deletions(-)
$ cd ../../
$ tools/finish_release.py --test-version 4.35.1 --skip-snaps
Error running `git push origin candidate-4.35.1`
To delete the branch on GitHub, run `git push origin --delete candidate-4.35.1`.

To https://github.com/certbot/certbot.git
 ! [rejected]            candidate-4.35.1 -> candidate-4.35.1 (non-fast-forward)
error: failed to push some refs to 'https://github.com/certbot/certbot.git'
hint: Updates were rejected because the tip of your current branch is behind
hint: its remote counterpart. If you want to integrate the remote changes,
hint: use 'git pull' before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.

To skip pushing updated branches to GitHub and creating PRs, run this script with the `--skip-github-sync` flag.
Traceback (most recent call last):
  File "/Users/erica/certbot/tools/finish_release.py", line 370, in <module>
    main(sys.argv[1:])
    ~~~~^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 366, in main
    synchronize_github_repo(version)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 317, in synchronize_github_repo
    _sync_candidate_from_temp_to_origin(version)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 247, in _sync_candidate_from_temp_to_origin
    _run_silent_except_error(command_str.split(), message)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/erica/certbot/tools/finish_release.py", line 209, in _run_silent_except_error
    raise e
  File "/Users/erica/certbot/tools/finish_release.py", line 201, in _run_silent_except_error
    process = subprocess.run(cmd, check=True, universal_newlines=True, capture_output=True)
  File "/Users/erica/.pyenv/versions/3.14.3/lib/python3.14/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['git', 'push', 'origin', 'candidate-4.35.1']' returned non-zero exit status 1.
```

I've hit basically all of the errors with text at some point during
testing, but can recreate them if you'd like.

Once this is merged, I'll update the release instructions and delete the
test branches and PRs.

---------

Co-authored-by: Will Greenberg <ifnspifn@gmail.com>
Co-authored-by: Will Greenberg <willg@eff.org>
2026-06-23 11:21:41 -07:00
ohemorange
184091fa3e
Add temp remote and fetch temp from release folder in release script (#10699)
Some checks failed
PR test suite / Standard tests (push) Has been cancelled
PR test suite / PR test suite success (push) Has been cancelled
I don't understand why this wasn't already in the release script, and
can see no reason to not add it. This doesn't do anything publicly or
permanently, it just fetches the branch from the release folder. If we
need to add the previous temp, it's right there in a `releases.*.bak`
folder.

This is step 8 of the release process, and should be deleted when this
is merged.

I did test this and it worked.
2026-06-17 11:58:45 -07:00
ohemorange
94f610ee3b
Get log path from process output to once again print snapcraft logs (#10674)
Some checks failed
PR test suite / Standard tests (push) Has been cancelled
PR test suite / PR test suite success (push) Has been cancelled
Fixes https://github.com/certbot/certbot/issues/10662

Launchpad is failing, so this should make testing this code pretty easy.
There is only one log per target, no matter how many arches, so we can
skip the per-arch code.

---------

Co-authored-by: Will Greenberg <willg@eff.org>
2026-06-11 12:48:40 -07:00
ohemorange
dda67bfb9a
Get version number from github instead of azure pipelines in finish_release.py (#10669) 2026-06-10 15:33:22 -07:00
ohemorange
9cacd51003
in release script, check that certbot's virtual environment isn't activated and deactivate it if it is (#10658)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
Item 1 of https://github.com/certbot/certbot/issues/10600

Once this is merged, the [release
instructions](https://github.com/EFForg/certbot-misc/wiki/The-Mystical-Release-Process)
should be updated to no longer say "Make sure Certbot's virtual
environment isn't activated."

Why in `release.sh` instead of `_release.sh`? This seemed to be the
"check the environment status" file.

`venv/bin/activate` does several things.
1. create `deactivate` shell function
2. create `_OLD_VIRTUAL_PATH` and modify `PATH` to prepend `venv/bin`
location. `_OLD_VIRTUAL_PATH` isn't exported.
3. unset `PYTHONHOME` and store the old `PYTHONHOME` in
`_OLD_VIRTUAL_PYTHONHOME`, again not exported.
4. export `VIRTUAL_ENV_PROMPT`
5. call `hash -r 2> /dev/null` for some sort of edge case
6. set `VIRTUAL_ENV`
7. change the prompt appearance (PS1)

1, 4, and 7 don't need to be undone. 2, 4, and 6 are managed here
manually.

3 is the hard one, since we don't have access to
`_OLD_VIRTUAL_PYTHONHOME`, and there's not a great way of grabbing it
from the shell. One thought I had was to modify `venv/bin/activate` in
`venv.py` so that it is exported. That's possible, but at least for me,
`PYTHONHOME` isn't set in the first place and so it doesn't seem worth
doing that. Given that this script only needs to run on a few people's
machines, I would say we can hold off on doing that if and until it
becomes necessary.

Added some prints and an `exit 0` after the relevant code in the script
to test:

```bash
$ RELEASE_GPG_KEY=dontmatter tools/release.sh 1.2.3 4.5.6
$ source venv/bin/activate
(venv) $ RELEASE_GPG_KEY=dontmatter tools/release.sh 1.2.3 4.5.6
Deactivating venv...
previous path:
/Users/erica/certbot/venv/bin:/opt/homebrew/opt/coreutils/libexec/gnubin:[rest of path omitted]
new path:
/opt/homebrew/opt/coreutils/libexec/gnubin:[rest of path omitted]
(venv) $ printenv PATH
/Users/erica/certbot/venv/bin:/opt/homebrew/opt/coreutils/libexec/gnubin:[rest of path omitted]
```

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2026-06-10 14:07:43 -07:00
ohemorange
cb02885928
Migrate release pipeline from azure to github actions (#10643)
Related to https://github.com/certbot/certbot/issues/10581

Following up on https://github.com/certbot/certbot/pull/10631,
https://github.com/certbot/certbot/pull/10622, and
https://github.com/certbot/certbot/pull/10634, this PR converts the
release
[pipeline](https://dev.azure.com/certbot/certbot/_build?definitionId=3)
from Azure to Github Actions.

While this is the last migration PR, I don't think we should close the
issue, as we're still using launchpad for armhf builds. I plan to
continue investigating that and at minimum write up my findings.

To test
[notifications](https://opensource.eff.org/eff-open-source/pl/nfgh6obi8tfqikn4ydp7dshakr)
and creating a [github
release](https://github.com/ohemorange/Things-that-are-gr9/releases/tag/v1.0.19),
I ran workflows that no-oped most the other jobs [in a test
repo](https://github.com/ohemorange/Things-that-are-gr9/actions/runs/25938082721)
(I've made minor changes to names and comments since then, but no code
changes). Everything else is basically the same as nightly, with
different tags. For the docker deployment, `${{ github.ref_name }}` is
the tag name, so `v1.2.3`.

Why not parametrize the tests a bit more, by putting an `env` at the top
with `dockerTag: ${{ github.ref_name }}` and `snapReleaseChannel: beta`?
Because the `env` context is [not
available](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#context-availability)
to `with`; only `github, needs, strategy, matrix, inputs, vars`. We
could use `vars`, by creating `docker_tag_release` or whatever in the
[variable
section](https://github.com/certbot/certbot/settings/variables/actions)
of the repo settings by using the web interface, but that seems worse to
me than having it in the file but twice.

You will note that the contents of `release.yml` are very similar to
`nightly.yml`. While it would be nice to factor that out and reuse the
code, github actions would then flatten everything in the grouped code
together, making the results much harder to check. You can see what that
flattening would look like
[here](https://github.com/ohemorange/Things-that-are-gr9/actions/runs/25941524972)
(if we put them all in one workflow). Currently, it will look something
like
[this](https://github.com/certbot/certbot/actions/runs/25688414262),
which is much more readable.

We could split it into "stages" like we had in azure pipelines (probably
1. standard and extended tests (and changelog?), 2. snap package and
deploy (depend on tests), 3. docker package and deploy (depend on
tests), 4. github release (depend on snap package and deploy), 5-6.
notify (depend on github release)), but in addition to a minor slowdown
(currently github release only depends on snap and docker package, not
deploy, just so we're trying to do all the deployments simultaneously
and not partially in case of build failures), it would still be only
like three fewer jobs, since we'd still want all the info passing and
dependency relationships.

While it would be nice from a UX perspective to group the two
notification jobs together, you can't do that cleanly using the built-in
`if` key, and I don't think it's worth switching to a messier github
api-based version just to group them.

For mattermost notifications, we currently get the person to tag by
running `AUTHOR_NAME="$(git log -1 --pretty=format:'%an')"` and mapping
that to mattermost username. We could instead use `github.actor` to get
the github handle, and map that instead. I didn't bother since we
already have working, tested code, but can if a reviewer thinks it's
worth it.

---------

Co-authored-by: Will Greenberg <willg@eff.org>
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2026-06-10 11:43:49 -07:00
ohemorange
724ee110d8
Automatically create a candidate-$VERSION-NUM branch in the release script (#10657)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
Item 3 of https://github.com/certbot/certbot/issues/10600

If this is merged, the [release
instructions](https://github.com/EFForg/certbot-misc/wiki/The-Mystical-Release-Process)
should be updated to no longer manually create the branch.

I intentionally do not add error checking to `git switch -c` because I
think if the command fails, the script should fail, and we should
manually fix the error, which will probably be something like `fatal: a
branch named 'candidate-5.5.0' already exists` which is clear enough.

I do check if we're already on the intended branch, because we may want
to be able to rerun the release script without having to switch back to
main and delete the candidate branch each time.

I remove the check later on because I believe it is a holdover from a
previous version where it was possible for `RELEASE_BRANCH` to be not
equal to `candidate-$version`, but even in the existing code before the
other change, that should not be possible.
2026-06-09 13:02:51 -07:00
ohemorange
6652cffccb
Generate and print post-release community forum post text in finish_release.py (#10659)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
Item 5 of https://github.com/certbot/certbot/issues/10600

When this is merged, the setup section of the [release
process](https://github.com/EFForg/certbot-misc/wiki/The-Mystical-Release-Process)
should be modified.
- `gh` should be added to os packages for mac and debian
- A new step should be added: "Run `gh auth login` and log into a GitHub
account." Technically any account should work here.

The contents of the step saying to post to the community forum should be
shortened to say something like "copy the output from the terminal." We
could add the link to the client-dev tag here, but personally I think
it's easiest to just keep it in the release instructions.
2026-06-08 16:11:52 -07:00
ohemorange
ab34e5dcf7
Check to see if launchpad snap build put html in the .snap file (#10646)
Fixes #10617

I restructured the conditionals to avoid too much nesting. This should
have the same effect, just with the additional check conditioned on all
the target snap files being available. Here is the logic I used for the
restructuring:

start

```python
dump_output = exit_code != 0 or failed_archs
if exit_code == 0 and not failed_archs:
    # We expect to have all target snaps available, or something bad happened.
    snaps_list = glob.glob(join(workspace, '*.snap'))
    if not len(snaps_list) == len(archs):
        print('Some of the expected snaps for a successful build are missing '
              f'(current list: {snaps_list}).')
        dump_output = True
    else:
        build_success = True
        break
```

note that `(exit_code == 0 and not failed_archs) == not (exit_code != 0
or failed_archs) == not dump_output`

```python
dump_output = exit_code != 0 or failed_archs
if not dump_output:
    # We expect to have all target snaps available, or something bad happened.
    snaps_list = glob.glob(join(workspace, '*.snap'))
    if not len(snaps_list) == len(archs):
        print('Some of the expected snaps for a successful build are missing '
              f'(current list: {snaps_list}).')
        dump_output = True
    else:
        build_success = True
        break
```

distribute the if

```python
dump_output = exit_code != 0 or failed_archs
snaps_list = glob.glob(join(workspace, '*.snap'))
if not dump_output and (not len(snaps_list) == len(archs)):
    # We expect to have all target snaps available, or something bad happened.
    print('Some of the expected snaps for a successful build are missing '
          f'(current list: {snaps_list}).')
    dump_output = True
    
if not dump_output and (len(snaps_list) == len(archs)): # redundant; if it were false, we would have changed dump_output right above this
    build_success = True
    break
```

remove redundant check

```python
dump_output = exit_code != 0 or failed_archs
snaps_list = glob.glob(join(workspace, '*.snap'))
if not dump_output and (not len(snaps_list) == len(archs)):
    # We expect to have all target snaps available, or something bad happened.
    print('Some of the expected snaps for a successful build are missing '
          f'(current list: {snaps_list}).')
    dump_output = True
    
if not dump_output:
    build_success = True
    break
```

As this shows, we can now add additional checks that only happen if we
think we're in danger of succeeding based on checks thus far, and simply
change `dump_output` to `True` if the additional check fails.

You can see the build step failing when the [file contains
html](https://github.com/certbot/certbot/compare/html-problem...refs/heads/test-html-problem-2)
at
https://github.com/certbot/certbot/actions/runs/26071811878/job/76654623490#step:5:42
2026-05-19 12:27:11 -07:00
Will Greenberg
7440ff40dd
repin dependencies (#10645)
Some checks are pending
PR test suite / Standard tests (push) Waiting to run
PR test suite / PR test suite success (push) Blocked by required conditions
This pulls in an updated urllib3, which addresses two security vulns
found by dependabot:
* https://github.com/certbot/certbot/security/dependabot/133
* https://github.com/certbot/certbot/security/dependabot/135
2026-05-18 12:49:59 -07:00
Mike Fara
c8ebcb49bd
Migrate certbot-dns-cloudflare to cloudflare 4.x SDK (#10587)
## Summary

- Migrate `certbot-dns-cloudflare` from the archived `python-cloudflare`
2.x library (`import CloudFlare`) to the actively maintained Cloudflare
Python SDK 4.x (`import cloudflare`)
- Update all API calls to the new SDK surface:
`dns.records.create/list/delete`, `zones.list`, typed response objects
instead of dicts
- Replace `CloudFlare.exceptions.CloudFlareAPIError` with
`cloudflare.APIStatusError` and extract CF error codes from
`response.json()`
- Bump dependency from `cloudflare>=2.19, <2.20` to `cloudflare>=4.0`
- Update oldest pinning from `cloudflare 2.19` to `4.0.0`
- Update all test mocks and assertions accordingly

Fixes #9938

## API Migration

| Operation | Old 2.x | New 4.x |
|---|---|---|
| Import | `import CloudFlare` | `import cloudflare` |
| Client (token) | `CloudFlare.CloudFlare(token=t)` |
`cloudflare.Cloudflare(api_token=t)` |
| Client (key) | `CloudFlare.CloudFlare(email, key)` |
`cloudflare.Cloudflare(api_email=e, api_key=k)` |
| List zones | `cf.zones.get(params={...})` → `list[dict]` |
`cf.zones.list(name=n)` → iterable of Zone objects |
| Create record | `cf.zones.dns_records.post(zone_id, data={...})` |
`cf.dns.records.create(zone_id=id, **data)` |
| List records | `cf.zones.dns_records.get(zone_id, params={...})` |
`cf.dns.records.list(zone_id=id, type=..., ...)` |
| Delete record | `cf.zones.dns_records.delete(zone_id, record_id)` |
`cf.dns.records.delete(dns_record_id=rid, zone_id=zid)` |
| Exceptions | `CloudFlare.exceptions.CloudFlareAPIError` |
`cloudflare.APIStatusError` |

## Test plan

- [x] All 20 existing tests pass with updated mocks
- [x] Credentials INI file format is unchanged — no user-facing config
changes
- [x] Live dry-run renewal tested successfully across 5 domains

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ember <BeigeBox@users.noreply.github.com>
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2026-05-06 09:35:38 -07:00
ohemorange
6114144bd2
Merge pull request #10630 from certbot/lexicon-repin
Repin dependencies to pull in updated dns-lexicon, which contains the fix for OVH challenge deletion bug
2026-04-28 12:28:31 -07:00
Brad Warren
3a5c92c6be
update base docker image (#10620)
fixes https://github.com/certbot/certbot/issues/10619

you can see docker builds and tests passing on this change at
https://dev.azure.com/certbot/certbot/_build/results?buildId=10360&view=results

i'm also creating a calendar event for us so we remember to keep this
updated in the future

i don't think this PR requires two reviews
2026-04-13 12:21:34 -07:00
ohemorange
0eb8af20a5
Add @ing mattermost notifications to release build successes and failures (#10604)
Fixes https://github.com/certbot/certbot/issues/10599

This approach creates a new azure stage Notify and posts to the
mattermost webhook directly from within azure.

The python script uses the azure rest api to get the status of the
Deploy stage specifically. This will be failed if it failed, or skipped
if a previous stage failed, or abandoned if it timed out.

We may want to remove the existing azure build failure notification when
this is merged. It can be deleted from
[here](https://dev.azure.com/certbot/certbot/_settings/serviceHooks)
(it's the one that says "Build release, status Failed"), although
personally I think it's fine to keep it.

History of alternate general approaches I investigated:

1. give azure a custom file to say a message that depends on the
requestedBy field. impossible. no custom messages at all, much less
dependant ones.
2. hook azure build completed webhook trigger directly to github
respository_dispatch event. impossible. azure will send data in a
[specific
format](https://learn.microsoft.com/en-us/azure/devops/service-hooks/events?view=azure-devops#build.complete),
which is not the format [github
requires](https://docs.github.com/en/rest/repos/repos?apiVersion=2026-03-10#create-a-repository-dispatch-event).
3. option 2, but put a custom server somewhere to translate them. or to
grab azure and send directly to mattermost. this is a horrible idea; no
one wants to be managing a production server with secrets on it.
4. a mattermost bot is just a special user account. the sender still has
to format the data so mm can read it.
5. block on migrating from azure to github actions. drawback: this will
likely take a while, and also we're not definitely doing it. see
https://github.com/certbot/certbot/issues/10581
6. smaller than 5; wrap release in a github action that calls azure
inside of it. and then if we end up migrating more, it should be pretty
smooth to move things inside of actions. drawback: this will probably
not integrate as smoothly, given we use the azure integration. I did not
investigate further.
7. there doesn't seem to be any sort of github actions event about
builds passing on a certain branch that we can check
8. just message mattermost directly from within the pipeline as a final
stage --> where I landed.

There's further discussion in the comments about others ways we tried to
structure the pipeline and get information from azure that's not super
necessary to read to review this PR.

Relevant links:

https://learn.microsoft.com/en-us/azure/devops/service-hooks/events?view=azure-devops#build.complete

https://learn.microsoft.com/en-us/azure/devops/service-hooks/services/webhooks?view=azure-devops#resource-details-to-send

https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#agent-variables

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml#job-status-functions


https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows

https://docs.github.com/en/rest/repos/repos?apiVersion=2026-03-10#create-a-repository-dispatch-event

https://docs.github.com/en/webhooks/webhook-events-and-payloads#repository_dispatch

Results of tests with the latest code are here:

https://dev.azure.com/certbot/certbot/_build/results?buildId=10309&view=results

https://dev.azure.com/certbot/certbot/_build/results?buildId=10310&view=results

https://dev.azure.com/certbot/certbot/_build/results?buildId=10311&view=results

Plus the mattermost messages did get sent.

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2026-04-02 14:14:27 -07:00
Brad Warren
08c2354f46
update poetry (#10615)
this is in response to
https://github.com/certbot/certbot/security/dependabot/126

as you can see by examining the github status checks on this PR, i ran
the full test suite and everything passed

i also don't think this PR requires two reviews
2026-04-02 14:11:07 -07:00
ohemorange
3d803821b7
Repin dependencies (#10611) 2026-03-27 09:03:31 -07:00
Will Greenberg
6f1c0b0abd
merge certbot-apache and certbot-nginx into certbot (#10522)
based on the suggestion @bmw made in #10484, this moves nearly
everything from `certbot-apache` and `certbot-nginx` into subdirectories
in `certbot/src/certbot/_internal`, and corresponding "extra"
dependencies are made for the certbot distribution. in their place,
entrypoint shims are made in the old distributions.

this way, installing `certbot[nginx]` will pull in the extra
dependencies needed for the nginx code, and also pull in the shim in
`certbot-nginx`, letting our plugin discovery system work just as it did
before. ditto for apache.

note that this doesn't yet deprecate anything, which was one of the
primary goals of the original issue -- i spun out that work into #10521

fixes #10484

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
Co-authored-by: ohemorange <erica@eff.org>
2026-03-23 18:09:04 -07:00
ohemorange
15e73753a6
Fix link in docker readme (#10582)
The link in the docker README is no longer accurate, we've changed the
headings on the website. This updates the README to match.
2026-02-25 21:17:09 -08:00
Brad Warren
410ee87242
fix compatibility with pyparsing 3 and update to it (#10560)
on main if you run tools/pinning/current/repin.sh and run our unit
tests, they will fail due to new deprecation warnings from pyparsing.
the cause of these warnings is described at
dc009668d8/docs/whats_new_in_3_0_0.rst (L613-L708)

this PR fixes these warnings and updates our minimum required pyparsing
version to 3.0 where the new naming convention is available. i ran our
full test suite on the first commit here and it passed

i don't think it's worth trying to keep compatibility with pyparsing<3
unless we get a request for us to do so which i really doubt we will
2026-02-03 11:51:26 -08:00
ohemorange
b362109bf6
Fix certbot tests after updating pytest to 9.0.2 (#10545)
Fixes  #10518.

`tools/pinning/current/repin.sh` is not run; only pytest version is
updated. This is because `pypinning` had a bunch of syntax changes that
seem simply but I believe should be in a separate PR, which I think
should be done after this to collect all repin changes.

As discussed further in #10518, these issues were caused by pytest's
internalization of pytest-subtest, which had several implementation
changes.

To fix these, we simply no longer use subtest in the failing tests. The
test in acme is now parametrized instead, and the tests in apache only
ever had a single parameter.

To use parametrization in the acme test, I converted `DNSTest` from
unittest to pytest style, which was pretty straightforward. The only
note there is that while it would be nice to make `ec_secp384r1_key` a
fixture, you [can't use fixtures in
parameters](https://github.com/pytest-dev/pytest/issues/349). You could
use requests, but that seemed less clear and messier, because then you'd
be checking the value of the parameter and only sometimes loading it.
Could also make it a global variable, but that didn't really seem
necessary, as it's only called twice. Happy to consider other options,
not strongly tied to this one, just seemed nicest to me.
2026-02-02 12:13:24 -08:00
Brad Warren
991ecd7c8e
update dependencies (#10552)
as of writing this, this resolves all alerts those with access can see
at https://github.com/certbot/certbot/security/dependabot

i ran the full test suite on this branch at
https://dev.azure.com/certbot/certbot/_build/results?buildId=10057&view=results
and everything passed

i don't think this PR requires two reviews
2026-02-02 10:09:02 -08:00
Brad Warren
36ddada4b3
update pinned dependencies (#10516)
this fixes the dependabot alerts those with access can see at
https://github.com/certbot/certbot/security/dependabot

i don't think those alerts are particularly relevant to us, but i think
it's good for us to update anyway
2025-12-15 15:05:27 -08:00
Brad Warren
9e7a98f4cd
fix finish_release.py (#10503)
in https://github.com/canonical/snapcraft/pull/5720, snapcraft made a
change. `snapcraft status certbot` output changed from something like
this:
```
Track    Arch    Channel    Version     Revision    Progress
latest   amd64   stable     5.1.0       5057        -
                 candidate  ↑           ↑           -
                 beta       5.2.1       5214        -
                 edge       5.2.0.dev0  5210        -
         arm64   stable     5.1.0       5058        -
                 candidate  ↑           ↑           -
                 beta       5.2.1       5215        -
                 edge       5.2.0.dev0  5211        -
         armhf   stable     5.1.0       5056        -
                 candidate  ↑           ↑           -
                 beta       5.2.1       5213        -
                 edge       5.2.0.dev0  5212        -
```
to this:
```
Track    Arch    Channel    Version     Revision    Progress
latest   amd64   stable     5.1.0       5057        -
latest   amd64   candidate  ↑           ↑           -
latest   amd64   beta       5.2.1       5214        -
latest   amd64   edge       5.2.0.dev0  5210        -
latest   arm64   stable     5.1.0       5058        -
latest   arm64   candidate  ↑           ↑           -
latest   arm64   beta       5.2.1       5215        -
latest   arm64   edge       5.2.0.dev0  5211        -
latest   armhf   stable     5.1.0       5056        -
latest   armhf   candidate  ↑           ↑           -
latest   armhf   beta       5.2.1       5213        -
latest   armhf   edge       5.2.0.dev0  5212        -
```
when its output is captured like it is in finish_release.py in the lines
above the code i'm modifying here

not matching on the beginning of lines makes this pattern a little less
strict, but based on the rest of the pattern and the output here, i
personally think this is fine

after carefully verifying this works with the current state of things, i
went ahead and finished the release with this change and it worked just
fine. instead, this PR proposes a way to fix things going forward
2025-12-04 15:15:25 -08:00
ohemorange
2ec8320763
Add python 3.14 support (#10481)
fixes https://github.com/certbot/certbot/issues/10477. this is based on
the PR that did this for 3.13 at
https://github.com/certbot/certbot/pull/10164
2025-11-04 10:49:51 -08:00
Brad Warren
e9dd4eb03b
stop running setup.py and switch to python -m build (#10442)
fixes #10404

unfortunately, exactly what `python setup.py clean` did doesn't seem
well documented so i dug into the code with a debugger. executing the
`clean` subcommand is done by [this
code](9cc2f5c05c/setuptools/_distutils/command/clean.py (L54-L77))
where the relevant build variables are set by the `build` subcommand
[here](9cc2f5c05c/setuptools/_distutils/command/build.py (L52))
and
[here](9cc2f5c05c/setuptools/_distutils/command/build.py (L112)).
it turns out us running `python setup.py clean` was already redundant
with `rm -rf build` on the next line

i built two releases, one on the latest commit in this PR and another on
44f1dd677b
before the switch to `python -m build`. a simple diff of the resulting
tarballs and wheels fails, presumably because of metadata differences,
but after untaring or unzipping the files, the contents are identical
for all of our built packages
2025-08-22 11:03:00 -07:00
ohemorange
00a51ab22b
Drop in uv for pip (#10428)
It's a [drop-in
replacement](https://docs.astral.sh/uv/pip/compatibility/) that speeds
things up. I don't see any reason why not.

`--use-pep517` is [set by default](
https://docs.astral.sh/uv/pip/compatibility/#pep-517-build-isolation),
so we don't need it.

`--disable-pip-version-check` also does nothing on uv.

`uv` [uses
separate](https://docs.astral.sh/uv/pip/compatibility/#build-constraints)
`UV_BUILD_CONSTRAINT` and `UV_CONSTRAINT`. I just added it to both to do
the simplest thing here. We could split them.

We probably don't actually need to pipstrap pip anymore, I could take
that out.

What's happening with `parsedatetime` and `python-digitalocean` is that
they were always secretly wrong. Since `pip` compiles bytecode by
default, it was suppressing the errors. If you add the
`--compile-bytecode` flag to `uv`, it passes, but I don't think we
should do that. You can see the failure happen on main by passing
`--no-compile` to the pip args and running `certbot -r -e oldest`.

Now what I don't understand is that some places seem to say the `'\/'`
error from `parsedatetime` only started in python 3.12, whereas others
see it on earlier python. Perhaps pytest is vendorizing python or
something. Not too worried about that, needed to get updated anyway, and
it's an accurate oldest version based on our oldest OSes.
`python-digitalocean` is techincally newer than debian 11, but we've
made that decision before so it seems fine to me.
2025-08-18 13:17:02 -07:00
ohemorange
1816e56557
Set up unreleased packages minus dns plugins to use pyproject.toml (#10424)
Part of https://github.com/certbot/certbot/issues/10403

We were never actually updating the versions in certbot-ci and letstest.
Not that it really matters, but let's do that there as well.
2025-08-18 09:57:14 -07:00
ohemorange
407dc158f6
Set up dns plugins to use pyproject.toml (#10425)
Final part of https://github.com/certbot/certbot/issues/10403

I tested running `tools/snap/generate_dnsplugins_snapcraft.sh
certbot-dns-dnsimple` and it put the correct description in to the
`snapcraft.yaml` file.
2025-08-15 09:17:15 -07:00
ohemorange
80fa8ad738
Remove unnecessary code from release script (#10426)
This code [never did
anything](https://github.com/certbot/certbot/pull/10417#issuecomment-3190266418),
and it is not now. Let's remove it so we don't have to keep taking it
into account. I did a test release and it removed the `dev0`s just fine.
2025-08-15 02:01:34 +00:00
ohemorange
49900b27d3
Update pinned oldest dependencies (#10420)
This is not necessarily the absolute minimum versions/pins we could use,
but it does get tests working. Fixes
https://github.com/certbot/certbot/issues/10418.

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2025-08-14 16:37:10 -07:00
Brad Warren
34a128ae88
update pinned dependencies (#10416)
this fixes the alert those with access can see at
https://github.com/certbot/certbot/security/dependabot
2025-08-13 17:59:55 +00:00
ohemorange
5d05984dd9
remove python 3.9 support (#10406)
Fixes https://github.com/certbot/certbot/issues/10389. you can compare
this to the PR that did this for python 3.8 at
https://github.com/certbot/certbot/pull/10077

additional changes:
- linux-py310 test is removed from extended tests, since it's now run in
standard tests. additionally, openssl will never be < 1.1.1 now, due to
https://peps.python.org/pep-0644/.
- `letstest/scripts/test_openssl_version.py` was testing functionality
that was removed in https://github.com/certbot/certbot/pull/10373 so it
was deleted

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2025-08-12 17:49:02 +00:00
Brad Warren
f0f036a34c
fixup pinning (#10400)
this is in response to
https://github.com/certbot/certbot/pull/10399#issuecomment-3166305086

this PR does two things:

1. it clarifies what is meant by "build dependencies" in DESIGN.md
2. fixes our workaround for
https://github.com/python-poetry/poetry/issues/4103 which broke when we
moved most of our code under `src` directories. i kept the previous `rm
-rf ${REPO_ROOT}/*/*.egg-info` line around for `letstest` and to
hopefully add some robustness for us if we ever move our code around
again
2025-08-08 10:08:44 -07:00
ohemorange
dea3e5f1c4
Set up ruff so that test files have at least some linting (#10399)
Alternative implementation for #7908.

In this PR:
- set up ruff in CI (add to `tox.ini`, mark dep in `certbot/setup.py`)
- add a `ruff.toml` that ignores particularly annoying errors. I think
line length isn't actually necessary to set with this workflow since
we're not checking it but putting it there for future usage.
- either fix or ignore the rest of the errors that come with the default
linting configuration. fixed errors are mostly unused variables. ignored
are usually where we're doing weird import things for a specific reason.
2025-08-08 08:48:43 -07:00
ohemorange
5859e50e44
Run ruff to fix test errors (#10398)
This is mostly removing unused imports, plus one unused `import as`. Had
to put back imports being used with `eval` -- see the second commit.
2025-08-07 22:10:02 +00:00
ohemorange
b782c52ede
Remove _snap_log_name and put back comments from #9956 (#10385)
https://github.com/certbot/certbot/pull/9956/ was accidentally merged,
so we rolled the thousand commits back, and put them back in
https://github.com/certbot/certbot/pull/9983/

In the process, commits
7d3ceb27b6
and
f62eab640e
were lost. The comment in `snapcraft.yaml` is superseded by
https://github.com/certbot/certbot/pull/10384, so let's just reapply the
remaining changes to `build_remote.py` and `snapcraft.yaml`.
2025-07-31 14:20:29 -07:00
Will Greenberg
2ac7baa651
Add towncrier for automatic changelog generation (#10379)
blast from the past! resurrects
https://github.com/certbot/certbot/pull/9803 with all of @bmw's changes.
i figured instead of force-pushing a basically brand new branch and
obliterating the old review, i'd just start from a clean slate

fixes #8272

---------

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
Co-authored-by: Brad Warren <bmw@eff.org>
2025-07-31 07:12:56 -07:00
SATOH Fumiyasu
6ba8abe8d5
Remove the dependency on pytz (#10350)
The `pytz` is obsoleted by Python 3.9.
2025-07-28 08:00:16 -07:00
Brad Warren
eb563ccc1d
update dependencies (#10368)
this fixes the security alerts those with access can see at
https://github.com/certbot/certbot/security/dependabot

setting `PIP_USE_PEP517: "true"` is needed with modern versions of
setuptools as described in the issue linked in the code comment. we're
already setting the equivalent flag in builds outside of snaps. see
https://github.com/certbot/certbot/pull/10249
2025-07-17 11:56:03 -07:00
Yaroslav Halchenko
86f76cd3df
Add codespell support (CI to check, not to fix) and make it fix a few typos (#10297)
Another token of gratitude for a super useful tool and service.

More about codespell: https://github.com/codespell-project/codespell .

I personally introduced it to dozens if not hundreds of projects already
and so far only positive feedback.

CI workflow has 'permissions' set only to 'read' so also should be safe.

---------

Signed-off-by: Yaroslav O. Halchenko <debian@onerussian.com>
2025-06-24 13:14:31 +09:00
ohemorange
bc0b54950a
Run changelog generation stage on ubuntu-latest, nightly (#10349)
Fixes https://github.com/certbot/certbot/issues/10328

This PR:
1) Moves changelog generation to ubuntu-latest instead of deprecated
windows, and
2) Sets it to run nightly so we catch breakages before release day
3) Modifies `update_changelog.py` to also allow `.dev0` version numbers
and headings with `main` instead of the date in them, for testing.

I could have been more specific about only matching `main` or a date,
but that seemed honestly unnecessary.

Here is a manually triggered nightly test; the test branch just
[removes](https://github.com/certbot/certbot/compare/changelog-gen...nightly-changelog-gen?expand=1)
all the other tests for speed:
https://dev.azure.com/certbot/certbot/_build/results?buildId=9250&view=results

You can download the created changelog artifact here:
https://dev.azure.com/certbot/certbot/_build/results?buildId=9250&view=artifacts&pathAsName=false&type=publishedArtifacts
2025-06-20 09:38:34 -07:00
Brad Warren
10747555ae
upgrade python-augeas (#10286)
a couple weeks ago, [python-augeas
1.2.0](https://pypi.org/project/python-augeas/#history) was uploaded to
pypi. unfortunately, this broke things for us

the first major change was from
https://github.com/hercules-team/python-augeas/pull/49 where
python-augeas now needs the new OS packages described in the initial
comment there

the second change was from
https://github.com/hercules-team/python-augeas/pull/51 which added a
python interface to augeas functions that weren't introduced until
[augeas
1.13.0](af2aa88ab3/NEWS (L65-L66)).
this isn't ideal, but i don't think it's a big deal for us. augeas
1.13.0 is over three years old and [ubuntu
20.04](https://ubuntu.com/blog/ubuntu-20-04-eol-for-devicesional) and
[debian bullseye](https://www.debian.org/releases/) which have older
versions than that are technically EOL'd

regardless of how we feel about these changes, our tests don't currently
work with an updated version of python-augeas and this PR fixes it. i'm
also tracking https://github.com/certbot/certbot/issues/10282 to update
certbot.eff.org to list the newly required OS packages
2025-05-08 13:03:31 -07:00
Brad Warren
cc08242abc
update pinned dependencies (#10278)
this fixes the security alerts those with access can see at
https://github.com/certbot/certbot/security/dependabot

i based what needed to be done to drop python < 3.9.2 support on
https://github.com/certbot/certbot/pull/10077 and concluded we only
really needed to update `python_requires`. we could do a deprecation
period for this, but i think it's not necessary. cryptography didn't
(it's not even in mentioned in [their
changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst))
and none of the major LTS distros use python 3.9.0 or 3.9.1
2025-05-06 10:56:19 -07:00
Brad Warren
5dcfd32a11
remove unneeded cryptography req (#10276)
since https://github.com/certbot/certbot/pull/10130, we depend on much
newer versions of cryptography so this restraint is no longer needed
2025-04-30 11:47:35 -07:00
ohemorange
16f858547f
Add --use-pep517 flag to pip to silence warning in tools/venv.py, and switch codebase to src-layout (#10249)
Fixes #10252.

See further discussion here: https://github.com/pypa/pip/issues/11457

We are doing option:

> Alternatively, enable the --use-pep517 pip option, possibly with
--no-build-isolation. The --use-pip517 flag will force pip to use the
modern mechanism for editable installs. --no-build-isolation may be
needed if your project has build-time requirements beyond setuptools and
wheel. By passing this flag, you are responsible for making sure your
environment already has the required dependencies to build your package.
Once the legacy mechanism is removed, --use-pep517 will have no effect
and will essentially be enabled by default in this context.

Major changes made here include:
- Add `--use-pep517` to use the modern mechanism, which will be the only
mechanism in future pip releases
- Change to `/src` layout to appease mypy, and because for editable
installs that really is the normal way these days.
  - `cd acme && mkdir src && mv acme src/` etc.
- add `where='src'` argument to `find_packages` and add
`package_dir={'': 'src'},` in `setup.py`s
  - update `MANIFEST.in` files with new path locations 
- Update our many hardcoded filepaths
- Update `importlib-metadata` requirement to fix
double-plugin-entry-point problem in oldest tests
2025-04-11 19:30:33 +00:00
Will Greenberg
15024aabd3
Repin dependencies for josepy 2.0 (#10254) 2025-04-02 18:17:44 +00:00
Jonathan Vanasco
dd876a40ed
Feature acme cryptography 2 (#10245)
redoing https://github.com/certbot/certbot/pull/10174 but lots of
mergecommits and ff wanted; so test in a clean environment
2025-04-02 10:53:47 -07:00
ohemorange
8a6138856f
Escape <TAG> in docker readme file (#10235)
Fixes https://github.com/certbot/certbot/issues/10229
2025-03-17 08:48:25 -07:00