chore(ci): track trivy and gitleaks binary versions via renovate custom manager #78

Merged
julien merged 1 commits from chore/ci/renovate-custom-manager-binaries into main 2026-05-10 04:07:07 +02:00
3 changed files with 16 additions and 10 deletions
Showing only changes of commit f396140786 - Show all commits
+2 -9
View File
@@ -93,12 +93,7 @@ jobs:
# unmetered, but auth is free insurance).
- name: Install Trivy
env:
# Bump deliberately when a security advisory or new feature
# warrants it. Renovate cannot manage this pin out of the
# box (it is not a package-manager-tracked dep); a custom
# regex manager could be added later if the cadence justifies
# it. For now, manual updates from
# https://github.com/aquasecurity/trivy/releases.
# renovate: datasource=github-releases depName=aquasecurity/trivy
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
@@ -133,9 +128,7 @@ jobs:
# wrapper and gives us version pinning for free.
- name: Install gitleaks
env:
# Bump deliberately. Same caveat as TRIVY_VERSION above —
# not Renovate-tracked out of the box. Releases:
# https://github.com/gitleaks/gitleaks/releases.
# renovate: datasource=github-releases depName=gitleaks/gitleaks
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
+2
View File
@@ -39,6 +39,7 @@ jobs:
# pattern as ci.yml — see the rationale there.
- name: Install Trivy
env:
# renovate: datasource=github-releases depName=aquasecurity/trivy
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
@@ -59,6 +60,7 @@ jobs:
# don't leak it via CI logs themselves.
- name: Install gitleaks
env:
# renovate: datasource=github-releases depName=gitleaks/gitleaks
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
+12 -1
View File
@@ -4,13 +4,24 @@
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are tracked via a custom regex manager — `# renovate: …` annotations above the `TRIVY_VERSION` / `GITLEAKS_VERSION` env vars drive normal Renovate PRs against the GitHub releases datasource.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
"labels": ["dependencies"],
"prHourlyLimit": 4,
"prConcurrentLimit": 10,
"lockFileMaintenance": {
"enabled": true
},
"customManagers": [
{
"customType": "regex",
"description": "Track Trivy and gitleaks binary versions pinned in workflow YAML. The pin lives in an env var (TRIVY_VERSION / GITLEAKS_VERSION) right under a `# renovate:` annotation that names the github-releases datasource and depName. Without this manager, Renovate ignores the pins and we drift on security tools.",
"fileMatch": ["^\\.gitea/workflows/.+\\.ya?ml$"],
"matchStrings": [
"# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+\\w+_VERSION:\\s*['\"](?<currentValue>.+?)['\"]"
],
"extractVersionTemplate": "^v?(?<version>.+)$"
}
],
"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
"enabled": true,