fix: Implement dependency digest tracking for nightly builds

- Updated Docker Compose files to use digest-pinned images for CI contexts. - Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums. - Added Renovate configuration for tracking Go tool versions and digest updates. - Introduced a new design document outlining the architecture and data flow for dependency tracking. - Created tasks and requirements documentation to ensure compliance with the new digest pinning policy. - Updated security documentation to reflect the new digest pinning policy and exceptions.
2026-01-30 06:38:56 +00:00
parent dcb3e704a3
commit 6675f2a169
19 changed files with 545 additions and 70 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -55,6 +55,61 @@
      "depNameTemplate": "debian",
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Delve version in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/go-delve/delve",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track xcaddy version in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/caddyserver/xcaddy",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track govulncheck version in scripts",
+      "managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
+      "matchStrings": [
+        "govulncheck@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/vuln",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track gopls version in Go install script",
+      "managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
+      "matchStrings": [
+        "gopls@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/tools",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Go toolchain version in go.work for the dl shim",
+      "managerFilePatterns": ["/^go\\.work$/"],
+      "matchStrings": [
+        "^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
+      ],
+      "depNameTemplate": "golang/go",
+      "datasourceTemplate": "golang-version",
+      "versioningTemplate": "semver"
    }
  ],