fix: update renovate configuration for scheduling and automerge settings

Merge branch 'development' into main
fix: update Go version to 1.25.5 in go.work
2025-12-14 07:22:35 +00:00 · 2025-12-14 02:11:40 -05:00 · 2025-12-14 07:11:04 +00:00 · 2025-12-14 07:09:10 +00:00 · 2025-12-14 02:02:53 -05:00 · 2025-12-14 02:01:51 -05:00
11 changed files with 24 additions and 9 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -14,8 +14,11 @@
  "labels": ["dependencies"],
  "rebaseWhen": "conflicted",
  "vulnerabilityAlerts": { "enabled": true },
-  "schedule": ["every weekday"],
+  "schedule": ["before 4am on Monday"],
  "rangeStrategy": "bump",
+  "automerge": true,
+  "automergeType": "pr",
+  "platformAutomerge": true,
  "customManagers": [
    {
      "customType": "regex",
@@ -29,6 +32,11 @@
    }
  ],
  "packageRules": [
+    {
+      "description": "Automerge digest updates (action pins, Docker SHAs)",
+      "matchUpdateTypes": ["digest", "pin"],
+      "automerge": true
+    },
    {
      "description": "Caddy transitive dependency patches in Dockerfile",
      "matchManagers": ["regex"],
@@ -55,7 +63,7 @@
      "matchManagers": ["gomod"],
      "labels": ["dependencies", "go"],
      "matchUpdateTypes": ["minor", "patch"],
-      "automerge": false
+      "automerge": true
    },
    {
      "description": "GitHub Actions updates",
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -110,6 +110,7 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          pull: true  # Always pull fresh base images to get latest security patches
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -114,6 +114,8 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          # Always pull fresh base images to get latest security patches
+          pull: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -26,7 +26,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
-          go-version: '1.23.x'
+          go-version: '1.25.5'

      - name: Set up Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -71,6 +71,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
+          pull: true  # Always pull fresh base images to get latest security patches
          build-args: |
            VERSION=security-scan
            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
@@ -109,7 +110,7 @@ jobs:
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'

      - name: Upload Trivy JSON results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: trivy-weekly-scan-${{ github.run_number }}
          path: trivy-weekly-results.json
@@ -122,7 +123,7 @@ jobs:
          echo "Checking key security packages:" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          docker run --rm --entrypoint "" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
-            sh -c "apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
+            sh -c "apk update >/dev/null 2>&1 && apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY

      - name: Create security scan summary
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.4.0
+0.7.9
--- a/2
+++ b/2
@@ -18,6 +18,7 @@ ARG CADDY_VERSION=2.10.2
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
 ## upstream caddy image tags while still shipping a pinned caddy binary.
+# renovate: datasource=docker depName=alpine
 ARG CADDY_IMAGE=alpine:3.23

 # ---- Cross-Compilation Helpers ----
@@ -203,6 +204,7 @@ RUN mkdir -p /crowdsec-out/config && \
    cp -r config/* /crowdsec-out/config/ || true

 # ---- CrowdSec Fallback (for architectures where build fails) ----
+# renovate: datasource=docker depName=alpine
 FROM alpine:3.23 AS crowdsec-fallback

 WORKDIR /tmp/crowdsec
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module github.com/Wikid82/charon/backend

-go 1.25
+go 1.25.5

 require (
 	github.com/containrrr/shoutrrr v0.8.0
--- a/frontend/src/components/tests/LiveLogViewer.test.tsx
+++ b/frontend/src/components/tests/LiveLogViewer.test.tsx
@@ -406,7 +406,7 @@ describe('LiveLogViewer', () => {
      // Use findBy queries (built-in waiting) instead of single waitFor with multiple assertions
      // This avoids race conditions where one failing assertion causes the entire block to retry
      await screen.findByText('10.0.0.1');
-      await screen.findByText(/BLOCKED: SQL injection detected/);
+      await screen.findByText(/🚫 BLOCKED: SQL injection detected/);
      await screen.findByText(/\[SQL injection detected\]/);

      // For getAllByText, keep in waitFor but separate from other assertions
--- a/go.work
+++ b/go.work
@@ -1,3 +1,3 @@
-go 1.25
+go 1.25.5

 use ./backend
--- a/go.work.sum
+++ b/go.work.sum
@@ -42,6 +42,7 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/oschwald/maxminddb-golang/v2 v2.1.1/go.mod h1:PLdx6PR+siSIoXqqy7C7r3SB3KZnhxWr1Dp6g0Hacl8=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
Author	SHA1	Message	Date
GitHub Actions	7bca378275	fix: update renovate configuration for scheduling and automerge settings	2025-12-14 07:22:35 +00:00
Jeremy	7106efa94a	Merge branch 'development' into main	2025-12-14 02:11:40 -05:00
GitHub Actions	a26beefb08	fix: update Go version to 1.25.5 in go.work	2025-12-14 07:11:04 +00:00
GitHub Actions	833e2de2d6	fix: update version to 0.7.9 and add maxminddb-golang dependency	2025-12-14 07:09:10 +00:00
Jeremy	e65dfa3979	Merge pull request #390 from Wikid82/renovate/go-1.x chore(deps): update dependency go to v1.25.5	2025-12-14 02:02:53 -05:00
Jeremy	8f6ebf6107	Merge branch 'development' into renovate/go-1.x	2025-12-14 02:01:51 -05:00
Jeremy	e1925b0f5e	Merge pull request #389 from Wikid82/renovate/pin-dependencies chore(deps): pin actions/upload-artifact action to ea165f8	2025-12-14 02:01:10 -05:00
GitHub Actions	8c44d52b69	fix: update log message to include an icon for SQL injection detection	2025-12-14 06:50:39 +00:00
renovate[bot]	0600f9da2a	chore(deps): update dependency go to v1.25.5	2025-12-14 06:43:33 +00:00
renovate[bot]	e66404c817	chore(deps): pin actions/upload-artifact action to ea165f8	2025-12-14 06:43:09 +00:00
Jeremy	51cba4ec80	Merge pull request #387 from Wikid82/main Propagate changes from main into development	2025-12-14 01:39:22 -05:00
GitHub Actions	99b8ed1996	chore: add renovate comments for alpine base image tracking Ensures Renovate detects and updates Alpine 3.23 to future versions (3.24, 3.25, etc.) automatically without manual monitoring.	2025-12-14 06:36:42 +00:00
GitHub Actions	18868a47fc	fix: add pull:true to docker-publish for fresh base images The docker-publish.yml workflow was missing pull:true, causing it to use cached Alpine images with vulnerable c-ares 1.34.5-r0. This completes the fix across all three Docker workflows: - docker-build.yml ✓ - docker-publish.yml ✓ (this commit) - security-weekly-rebuild.yml ✓ Resolves CVE-2025-62408 (c-ares)	2025-12-14 06:28:47 +00:00
GitHub Actions	cb5bd01a93	fix: add pull:true to docker-build to ensure fresh base images Ensures all Docker builds pull fresh Alpine base images to get security patches like c-ares 1.34.6-r0 (CVE-2025-62408). This mirrors the change made to security-weekly-rebuild.yml.	2025-12-14 06:18:42 +00:00
GitHub Actions	72ebde31ce	fix: add pull:true to security rebuild to fetch fresh base images Without pull:true, the weekly security rebuild may use stale base images cached on GitHub runners, missing security patches like c-ares 1.34.6-r0 (CVE-2025-62408).	2025-12-14 05:21:15 +00:00
GitHub Actions	7c79bf066a	fix: update security package check to include apk update for accurate version info	2025-12-14 05:12:01 +00:00
@@ -1 +1 @@
 .4.0
 .7.9