chore(ci): track trivy and gitleaks binary versions via renovate custom manager
Until now the Trivy and gitleaks pins in .gitea/workflows/*.yml were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. We had a comment in each workflow telling the next contributor to "bump manually from the releases page", which is exactly the kind of friction that gets forgotten between two security advisories. Add a `customManagers` regex in renovate.json that picks up any `# renovate: datasource=… depName=…` annotation immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. Annotate the four pins (TRIVY_VERSION + GITLEAKS_VERSION in ci.yml and security-scheduled.yml) accordingly, with the github-releases datasource and the upstream `owner/repo` depName. The `extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags so the version substituted into the env var (which our shell script consumes without `v`) stays correct. The dashboard triage header in renovate.json that previously listed Trivy / gitleaks under "pinned constraints — not Renovate- tracked yet" is updated to reflect the new tracking. Verified with a Node-side dry-run of the regex against both workflow files: 4/4 expected matches with the right datasource / depName / currentValue captures.
This commit is contained in:
@@ -93,12 +93,7 @@ jobs:
|
||||
# unmetered, but auth is free insurance).
|
||||
- name: Install Trivy
|
||||
env:
|
||||
# Bump deliberately when a security advisory or new feature
|
||||
# warrants it. Renovate cannot manage this pin out of the
|
||||
# box (it is not a package-manager-tracked dep); a custom
|
||||
# regex manager could be added later if the cadence justifies
|
||||
# it. For now, manual updates from
|
||||
# https://github.com/aquasecurity/trivy/releases.
|
||||
# renovate: datasource=github-releases depName=aquasecurity/trivy
|
||||
TRIVY_VERSION: '0.70.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
@@ -133,9 +128,7 @@ jobs:
|
||||
# wrapper and gives us version pinning for free.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
# Bump deliberately. Same caveat as TRIVY_VERSION above —
|
||||
# not Renovate-tracked out of the box. Releases:
|
||||
# https://github.com/gitleaks/gitleaks/releases.
|
||||
# renovate: datasource=github-releases depName=gitleaks/gitleaks
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
|
||||
Reference in New Issue
Block a user