chore(ci): track trivy and gitleaks binary versions via renovate custom manager #78
Reference in New Issue
Block a user
Delete Branch "chore/ci/renovate-custom-manager-binaries"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Until now the Trivy and gitleaks pins in
.gitea/workflows/*.ymlwere manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories.Add a custom regex manager that picks up
# renovate: datasource=… depName=…annotations immediately followed by an env-var assignment of the form<NAME>_VERSION: '<version>'. The 4 pins (TRIVY_VERSION+GITLEAKS_VERSIONin bothci.ymlandsecurity-scheduled.yml) get annotated with thegithub-releasesdatasource and the upstreamowner/repodepName.extractVersionTemplate: ^v?(?<version>.+)$strips thevprefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes withoutv) stays correct.What lands
renovate.json— newcustomManagersblock. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet")..gitea/workflows/ci.yml— annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments..gitea/workflows/security-scheduled.yml— same.Verified
Node-side dry-run of the regex against both workflow files:
All 4 expected matches with the right
datasource/depName/currentValuecaptures.Test plan