akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
35ca99866a2e9054eaedbd4e23ec93573e8a36a6
Charon/.github/renovate.json
GitHub Actions e92e7edd70 fix: prevent stale-SHA checkout and pin caddy-security in weekly security rebuild 
The scheduled weekly rebuild was failing because GitHub Actions froze
github.sha at job-queue time. When the Sunday cron queued a job on
March 1 with Feb 23 code (CADDY_VERSION=2.11.0-beta.2), that job ran
two days later on March 3 still using the old code, missing the caddy
version fix that had since landed on main.

Additionally, caddy-security was unpinned, so xcaddy auto-resolved it
to v1.1.36 which requires caddy/v2@v2.11.1 — conflicting with xcaddy's
internally bundled v2.11.0-beta.2 reference.

- Add ref: github.ref_name to checkout step so the rebuild always
  fetches current branch HEAD at run time, not the SHA frozen at queue
  time
- Add CADDY_SECURITY_VERSION=1.1.36 ARG to pin the caddy-security
  plugin to a known-compatible version; pass it via --with so xcaddy
  picks up the pinned release
- Add --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION}
  to force xcaddy to use the declared Caddy version, overriding its own
  internal go.sum pin for caddy
- Add Renovate custom manager for CADDY_SECURITY_VERSION so future
  caddy-security releases trigger an automated PR instead of silently
  breaking the build

Fixes weekly security rebuild CI failures introduced ~Feb 22 when
caddy-security v1.1.36 was published.
2026-03-03 04:22:39 +00:00

225 lines
7.0 KiB
JSON
Raw Blame History

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":semanticCommits",
":separateMultipleMajorReleases",
"helpers:pinGitHubActionDigests"
],
"baseBranches": [
"feature/beta-release",
"development"
],
"timezone": "America/New_York",
"dependencyDashboard": true,
"dependencyDashboardApproval": true,
"prConcurrentLimit": 10,
"prHourlyLimit": 0,
"labels": [
"dependencies"
],
"ignorePaths": [
".docker/**"
],
"rebaseWhen": "auto",
"vulnerabilityAlerts": {
"enabled": true
},
"rangeStrategy": "bump",
"automerge": false,
"automergeType": "pr",
"platformAutomerge": true,
"customManagers": [
{
"customType": "regex",
"description": "Track caddy-security plugin version in Dockerfile",
"managerFilePatterns": [
"/^Dockerfile$/"
],
"matchStrings": [
"ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/greenpau/caddy-security",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
"managerFilePatterns": [
"/^Dockerfile$/"
],
"matchStrings": [
"#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
],
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Alpine base image digest in Dockerfile for security updates",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG CADDY_IMAGE=alpine:(?<currentValue>[^\\s@]+@sha256:[a-f0-9]+)"
],
"depNameTemplate": "alpine",
"datasourceTemplate": "docker",
"versioningTemplate": "docker"
},
{
"customType": "regex",
"description": "Track Delve version in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/go-delve/delve",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track xcaddy version in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/caddyserver/xcaddy",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track govulncheck version in scripts",
"managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
"matchStrings": [
"govulncheck@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang.org/x/vuln",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track gopls version in Go install script",
"managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
"matchStrings": [
"gopls@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang.org/x/tools",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Go toolchain version in go.work for the dl shim",
"managerFilePatterns": ["/^go\\.work$/"],
"matchStrings": [
"^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
],
"depNameTemplate": "golang/go",
"datasourceTemplate": "golang-version",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track GO_VERSION in Actions workflows",
"managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
"matchStrings": [
"GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
],
"depNameTemplate": "golang/go",
"datasourceTemplate": "golang-version",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Syft version in workflows and scripts",
"managerFilePatterns": [
"/^\\.github/workflows/nightly-build\\.yml$/",
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
],
"matchStrings": [
"SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
"set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
],
"depNameTemplate": "anchore/syft",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver",
"extractVersionTemplate": "^v(?<version>.*)$"
},
{
"customType": "regex",
"description": "Track Grype version in workflows and scripts",
"managerFilePatterns": [
"/^\\.github/workflows/supply-chain-pr\\.yml$/",
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
],
"matchStrings": [
"anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
"set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
],
"depNameTemplate": "anchore/grype",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver",
"extractVersionTemplate": "^v(?<version>.*)$"
}
],
"packageRules": [
{
"description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
"matchPackagePatterns": ["*"],
"matchUpdateTypes": [
"minor",
"patch",
"pin",
"digest"
],
"groupName": "non-major-updates"
},
{
"description": "Feature branches: Auto-merge non-major updates after proven stable",
"matchBaseBranches": ["feature/**"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": false
},
{
"description": "Development branch: Auto-merge non-major updates after proven stable",
"matchBaseBranches": ["development"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": false,
"minimumReleaseAge": "14 days"
},
{
"description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",
"matchManagers": ["custom.regex"],
"matchFileNames": ["Dockerfile"],
"labels": ["caddy-patch", "security"],
"matchPackageNames": [
"/expr-lang/expr/",
"/quic-go/quic-go/",
"/smallstep/certificates/"
]
},
{
"description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
"matchManagers": ["dockerfile"],
"matchPackageNames": ["caddy"],
"allowedVersions": "<3.0.0"
},
{
"description": "Safety: Keep MAJOR updates separate and require manual review",
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["manual-review"]
}
]
}
Reference in New Issue View Git Blame Copy Permalink