From f39614078634bd54f122e4f383d3260e8d1a8906 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 10 May 2026 04:05:49 +0200 Subject: [PATCH] chore(ci): track trivy and gitleaks binary versions via renovate custom manager MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Until now the Trivy and gitleaks pins in .gitea/workflows/*.yml were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. We had a comment in each workflow telling the next contributor to "bump manually from the releases page", which is exactly the kind of friction that gets forgotten between two security advisories. Add a `customManagers` regex in renovate.json that picks up any `# renovate: datasource=… depName=…` annotation immediately followed by an env-var assignment of the form `_VERSION: ''`. Annotate the four pins (TRIVY_VERSION + GITLEAKS_VERSION in ci.yml and security-scheduled.yml) accordingly, with the github-releases datasource and the upstream `owner/repo` depName. The `extractVersionTemplate: ^v?(?.+)$` strips the `v` prefix used by both projects' release tags so the version substituted into the env var (which our shell script consumes without `v`) stays correct. The dashboard triage header in renovate.json that previously listed Trivy / gitleaks under "pinned constraints — not Renovate- tracked yet" is updated to reflect the new tracking. Verified with a Node-side dry-run of the regex against both workflow files: 4/4 expected matches with the right datasource / depName / currentValue captures. --- .gitea/workflows/ci.yml | 11 ++--------- .gitea/workflows/security-scheduled.yml | 2 ++ renovate.json | 13 ++++++++++++- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 23bd7df..82b9405 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -93,12 +93,7 @@ jobs: # unmetered, but auth is free insurance). - name: Install Trivy env: - # Bump deliberately when a security advisory or new feature - # warrants it. Renovate cannot manage this pin out of the - # box (it is not a package-manager-tracked dep); a custom - # regex manager could be added later if the cadence justifies - # it. For now, manual updates from - # https://github.com/aquasecurity/trivy/releases. + # renovate: datasource=github-releases depName=aquasecurity/trivy TRIVY_VERSION: '0.70.0' GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} run: | @@ -133,9 +128,7 @@ jobs: # wrapper and gives us version pinning for free. - name: Install gitleaks env: - # Bump deliberately. Same caveat as TRIVY_VERSION above — - # not Renovate-tracked out of the box. Releases: - # https://github.com/gitleaks/gitleaks/releases. + # renovate: datasource=github-releases depName=gitleaks/gitleaks GITLEAKS_VERSION: '8.21.0' GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} run: | diff --git a/.gitea/workflows/security-scheduled.yml b/.gitea/workflows/security-scheduled.yml index 324dada..008778f 100644 --- a/.gitea/workflows/security-scheduled.yml +++ b/.gitea/workflows/security-scheduled.yml @@ -39,6 +39,7 @@ jobs: # pattern as ci.yml — see the rationale there. - name: Install Trivy env: + # renovate: datasource=github-releases depName=aquasecurity/trivy TRIVY_VERSION: '0.70.0' GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} run: | @@ -59,6 +60,7 @@ jobs: # don't leak it via CI logs themselves. - name: Install gitleaks env: + # renovate: datasource=github-releases depName=gitleaks/gitleaks GITLEAKS_VERSION: '8.21.0' GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} run: | diff --git a/renovate.json b/renovate.json index 4b4763d..f80837f 100644 --- a/renovate.json +++ b/renovate.json @@ -4,13 +4,24 @@ "gitAuthor": "APF Portal Bot ", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", - "dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n", + "dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are tracked via a custom regex manager — `# renovate: …` annotations above the `TRIVY_VERSION` / `GITLEAKS_VERSION` env vars drive normal Renovate PRs against the GitHub releases datasource.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n", "labels": ["dependencies"], "prHourlyLimit": 4, "prConcurrentLimit": 10, "lockFileMaintenance": { "enabled": true }, + "customManagers": [ + { + "customType": "regex", + "description": "Track Trivy and gitleaks binary versions pinned in workflow YAML. The pin lives in an env var (TRIVY_VERSION / GITLEAKS_VERSION) right under a `# renovate:` annotation that names the github-releases datasource and depName. Without this manager, Renovate ignores the pins and we drift on security tools.", + "fileMatch": ["^\\.gitea/workflows/.+\\.ya?ml$"], + "matchStrings": [ + "# renovate: datasource=(?.*?) depName=(?.*?)\\s+\\w+_VERSION:\\s*['\"](?.+?)['\"]" + ], + "extractVersionTemplate": "^v?(?.+)$" + } + ], "osvVulnerabilityAlerts": true, "vulnerabilityAlerts": { "enabled": true,