Files
apf_portal/.gitea/workflows/security-scheduled.yml
T
julien 4473b1d4a4
CI / check (push) Successful in 1m28s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 56s
CI / a11y (push) Successful in 56s
CI / perf (push) Successful in 2m18s
chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
## Summary

Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories.

Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName.

`extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct.

## What lands

- **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet").
- **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments.
- **`.gitea/workflows/security-scheduled.yml`** — same.

## Verified

Node-side dry-run of the regex against both workflow files:

```
ci.yml                       → trivy 0.70.0, gitleaks 8.21.0
security-scheduled.yml       → trivy 0.70.0, gitleaks 8.21.0
```

All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures.

## Test plan

- [ ] CI green on this PR.
- [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74).
- [ ] No manual "bump from the releases page" reminders left in the workflow YAML.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #78
2026-05-10 04:07:06 +02:00

104 lines
4.1 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security
# scans plus a Lighthouse run against the production environment when
# its URL is configured. Complements the per-PR ci.yml workflow with
# broader / longer-running checks that don't fit the per-PR budget.
name: Security and perf — scheduled
on:
schedule:
# Mondays, 04:00 UTC — outside business hours; before the week starts.
- cron: '0 4 * * 1'
workflow_dispatch:
jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
# so the working tree is not polluted with node_modules content
# (READMEs / fixtures of upstream packages contain demo
# secrets that gitleaks false-positives on by the hundreds).
# The deep-history gitleaks scan here doesn't strictly need it
# (history doesn't contain node_modules), but consistency with
# ci.yml keeps the two workflows reading the same way.
steps:
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
# shallow + working-tree-only; this scheduled job is where we
# do the deep history scan that catches secrets ever committed
# (and not just what's currently checked in).
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed). Manual install + curl, same
# pattern as ci.yml — see the rationale there.
- name: Install Trivy
env:
# renovate: datasource=github-releases depName=aquasecurity/trivy
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/trivy.tar.gz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
trivy --version
- name: Run Trivy
run: |
trivy fs \
--scanners vuln \
--ignore-unfixed \
.
# Deep gitleaks scan (full git history). Same install pattern as
# ci.yml. `--redact` masks any matched secret in the log so we
# don't leak it via CI logs themselves.
- name: Install gitleaks
env:
# renovate: datasource=github-releases depName=gitleaks/gitleaks
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks (full history)
run: |
gitleaks detect \
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm audit
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.
if: vars.LHCI_PROD_URL != ''
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
- run: pnpm exec lhci assert --config=./lighthouserc.js
- uses: actions/upload-artifact@v7
if: always()
with:
name: lighthouseci-prod-report
path: .lighthouseci/
retention-days: 90