chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
## Summary Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories. Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName. `extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct. ## What lands - **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet"). - **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments. - **`.gitea/workflows/security-scheduled.yml`** — same. ## Verified Node-side dry-run of the regex against both workflow files: ``` ci.yml → trivy 0.70.0, gitleaks 8.21.0 security-scheduled.yml → trivy 0.70.0, gitleaks 8.21.0 ``` All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures. ## Test plan - [ ] CI green on this PR. - [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74). - [ ] No manual "bump from the releases page" reminders left in the workflow YAML. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #78
This commit was merged in pull request #78.
This commit is contained in:
@@ -93,12 +93,7 @@ jobs:
|
||||
# unmetered, but auth is free insurance).
|
||||
- name: Install Trivy
|
||||
env:
|
||||
# Bump deliberately when a security advisory or new feature
|
||||
# warrants it. Renovate cannot manage this pin out of the
|
||||
# box (it is not a package-manager-tracked dep); a custom
|
||||
# regex manager could be added later if the cadence justifies
|
||||
# it. For now, manual updates from
|
||||
# https://github.com/aquasecurity/trivy/releases.
|
||||
# renovate: datasource=github-releases depName=aquasecurity/trivy
|
||||
TRIVY_VERSION: '0.70.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
@@ -133,9 +128,7 @@ jobs:
|
||||
# wrapper and gives us version pinning for free.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
# Bump deliberately. Same caveat as TRIVY_VERSION above —
|
||||
# not Renovate-tracked out of the box. Releases:
|
||||
# https://github.com/gitleaks/gitleaks/releases.
|
||||
# renovate: datasource=github-releases depName=gitleaks/gitleaks
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
|
||||
@@ -39,6 +39,7 @@ jobs:
|
||||
# pattern as ci.yml — see the rationale there.
|
||||
- name: Install Trivy
|
||||
env:
|
||||
# renovate: datasource=github-releases depName=aquasecurity/trivy
|
||||
TRIVY_VERSION: '0.70.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
@@ -59,6 +60,7 @@ jobs:
|
||||
# don't leak it via CI logs themselves.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
# renovate: datasource=github-releases depName=gitleaks/gitleaks
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
|
||||
Reference in New Issue
Block a user