diff --git a/.github/renovate.json b/.github/renovate.json index ff5961f8..2ad2fa19 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -36,6 +36,19 @@ "platformAutomerge": true, "customManagers": [ + { + "customType": "regex", + "description": "Track caddy-security plugin version in Dockerfile", + "managerFilePatterns": [ + "/^Dockerfile$/" + ], + "matchStrings": [ + "ARG CADDY_SECURITY_VERSION=(?[^\\s]+)" + ], + "depNameTemplate": "github.com/greenpau/caddy-security", + "datasourceTemplate": "go", + "versioningTemplate": "semver" + }, { "customType": "regex", "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes", diff --git a/.github/workflows/security-weekly-rebuild.yml b/.github/workflows/security-weekly-rebuild.yml index 1039e650..6394544c 100644 --- a/.github/workflows/security-weekly-rebuild.yml +++ b/.github/workflows/security-weekly-rebuild.yml @@ -36,6 +36,11 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + # Explicitly fetch the current HEAD of the ref at run time, not the + # SHA that was frozen when this scheduled job was queued. Without this, + # a queued job can run days later with stale code. + ref: ${{ github.ref_name }} - name: Normalize image name run: | diff --git a/Dockerfile b/Dockerfile index f26ed1e9..19fb5cc4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,8 @@ ARG CADDY_VERSION=2.11.1 ARG CADDY_CANDIDATE_VERSION=2.11.1 ARG CADDY_USE_CANDIDATE=0 ARG CADDY_PATCH_SCENARIO=B +# renovate: datasource=go depName=github.com/greenpau/caddy-security +ARG CADDY_SECURITY_VERSION=1.1.36 ## When an official caddy image tag isn't available on the host, use a ## plain Alpine base image and overwrite its caddy binary with our ## xcaddy-built binary in the later COPY step. This avoids relying on 
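Review bot: `ref: ${{ github.ref_name }}` in the added `with:` block hands actions/checkout a bare name (`main`, not `refs/heads/main`), so checkout has to disambiguate between a branch and a tag of the same name, and if this workflow is ever triggered by `pull_request` the value is `N/merge`, which is not a resolvable branch; the triggers are outside the hunk, so this is a hedge. Prefer the fully qualified form, `ref: ${{ github.ref }}`, which names exactly one ref and still gives the "current tip, not the queued SHA" behaviour the comment asks for. Separately, once the checkout floats to the branch tip, the run's recorded `github.sha` no longer identifies the code that was built, so anything later in this job that stamps provenance or image labels (the `Normalize image name` step suggests an image build, but that is outside the hunk) should record the actually checked-out commit, e.g. the output of `git rev-parse HEAD`, rather than `github.sha`. The `steps` list continues past the hunk.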
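Review bot: The new `# renovate: datasource=go depName=github.com/greenpau/caddy-security` annotation above `ARG CADDY_SECURITY_VERSION=1.1.36` follows the same comment convention as the existing `XCADDY_VERSION` pin, while the renovate.json change in this same commit also adds a dedicated custom manager whose `matchStrings` targets `ARG CADDY_SECURITY_VERSION=` directly; if the existing custom manager that consumes the `# renovate:` annotations also matches this line, the dependency is tracked twice and Renovate may open duplicate update branches for it. Keep one mechanism, either drop the annotation comment or drop the dedicated manager, and confirm via a Renovate dry run or the dependency dashboard that caddy-security appears once. Whichever mechanism stays, it should be the one the rest of the Dockerfile uses so future plugin pins are added consistently.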
@@ -202,6 +204,7 @@ ARG CADDY_VERSION
 ARG CADDY_CANDIDATE_VERSION
 ARG CADDY_USE_CANDIDATE
 ARG CADDY_PATCH_SCENARIO
+ARG CADDY_SECURITY_VERSION
 # renovate: datasource=go depName=github.com/caddyserver/xcaddy
 ARG XCADDY_VERSION=0.4.5
@@ -229,7 +232,8 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 echo "Stage 1: Generate go.mod with xcaddy..."; \
 # Run xcaddy to generate the build directory and go.mod
 GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_TARGET_VERSION} \
- --with github.com/greenpau/caddy-security \
+ --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION} \
+ --with github.com/greenpau/caddy-security@v${CADDY_SECURITY_VERSION} \
 --with github.com/corazawaf/coraza-caddy/v2 \
 --with github.com/hslatman/caddy-crowdsec-bouncer@v0.10.0 \
 --with github.com/zhangjiayin/caddy-geoip2 \
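Review bot: `--with github.com/corazawaf/coraza-caddy/v2 \` and `--with github.com/zhangjiayin/caddy-geoip2 \` remain unversioned in this xcaddy invocation, so although caddy-security is now pinned to `v${CADDY_SECURITY_VERSION}`, those two plugins still resolve to whatever tag is latest at build time, which keeps the image non-reproducible and lets an upstream tag push change the WAF and geo-IP code in the built binary without any reviewed or Renovate-tracked change. Pin them the same way caddy-security and the already-pinned `caddy-crowdsec-bouncer@v0.10.0` are pinned, with an `ARG` plus `# renovate:` annotation in the ARG block and `@v${...}` here, using the versions the current build actually resolves (check the go.mod / go.sum this stage generates rather than guessing). The new `--with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION}` line also deserves a one-line comment explaining why caddy core is passed explicitly in addition to the `xcaddy build v${CADDY_TARGET_VERSION}` argument, presumably to stop a plugin's go.mod requirement from bumping caddy past the target version, but that intent should be confirmed and stated rather than left implicit. The `RUN` instruction begins before and continues after this hunk.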