Implements all 13 fixes identified in the CI/CD audit against github-actions-ci-cd-best-practices.instructions.md.

Critical fixes:
- Remove hardcoded encryption key from playwright.yml (security)
- Fix artifact filename mismatch in supply-chain-pr.yml (bug)
- Pin GoReleaser to ~> v2.5 instead of latest (supply chain)

High priority fixes:
- Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml
- Add environment protection for release workflow
- Fix shell variable escaping ($$ → $) in release-goreleaser.yml

Medium priority fixes:
- Add timeout-minutes to playwright.yml (20 min)
- Add explicit permissions to quality-checks.yml
- Add timeout-minutes to codecov-upload.yml jobs (15 min)
- Fix benchmark.yml permissions (workflow-level read, job-level write)

Low priority fixes:
- Add timeout-minutes to docs.yml jobs (10/5 min)
- Add permissions block to docker-lint.yml
- Add timeout-minutes to renovate.yml (30 min)
34 lines
766 B
YAML
name: Renovate
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 5 * * *' # daily 05:00 UTC
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
issues: write
|
|
|
|
jobs:
|
|
renovate:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Run Renovate
|
|
uses: renovatebot/github-action@66387ab8c2464d575b933fa44e9e5a86b2822809 # v44.2.4
|
|
with:
|
|
configurationFile: .github/renovate.json
|
|
token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
|
|
env:
|
|
LOG_LEVEL: debug
|
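Review bot: The `token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}` line in the Run Renovate step silently degrades when RENOVATE_TOKEN is not configured, and nothing in the workflow documents that this fallback is intentional. Pull requests opened with the workflow-provided GITHUB_TOKEN do not trigger other workflows, so Renovate PRs created via the fallback will not get `pull_request` CI checks, which is easy to mistake for a broken pipeline. I would add a comment above that line such as `# Prefer a dedicated PAT; with the GITHUB_TOKEN fallback, Renovate PRs will not trigger pull_request workflows`. Separately, `LOG_LEVEL: debug` on a daily scheduled job is a style choice worth justifying in a comment (or lowering to `info`) since it only adds log volume on routine runs; the `timeout-minutes: 30` addition itself looks fine.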