5bbae48b6b
The Dockerfile already centralizes all version pins into top-level ARGs
(GO_VERSION, ALPINE_IMAGE, CROWDSEC_VERSION, EXPR_LANG_VERSION, XNET_VERSION).
This change closes the remaining gaps so those ARGs are the single source of
truth end-to-end:
- nightly-build.yml now resolves the Alpine image digest at build time and
passes ALPINE_IMAGE as a build-arg, matching the docker-build.yml pattern.
Previously, nightly images were built with the Dockerfile ARG default and
without a pinned digest, making runtime Alpine differ from docker-build.yml.
- six CI workflows (quality-checks, codecov-upload, benchmark, e2e-tests-split,
release-goreleaser, codeql) declared a GO_VERSION env var but their setup-go
steps ignored it and hardcoded the version string directly. They now reference
${{ env.GO_VERSION }}, so Renovate only needs to update one value per file
and the env var actually serves its purpose.
- codeql.yml had no GO_VERSION env var at all; one is now added alongside the
existing GOTOOLCHAIN: auto entry.
When Renovate bumps Go, it updates the env var at the top of each workflow and
the Dockerfile ARG — zero manual hunting required.
261 lines
8.4 KiB
JSON
261 lines
8.4 KiB
JSON
{
|
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
"extends": [
|
|
"config:recommended",
|
|
":semanticCommits",
|
|
":separateMultipleMajorReleases",
|
|
"helpers:pinGitHubActionDigests"
|
|
],
|
|
"baseBranches": [
|
|
"feature/beta-release",
|
|
"development"
|
|
|
|
],
|
|
"timezone": "America/New_York",
|
|
"dependencyDashboard": true,
|
|
"dependencyDashboardApproval": true,
|
|
"prConcurrentLimit": 10,
|
|
"prHourlyLimit": 0,
|
|
"labels": [
|
|
"dependencies"
|
|
],
|
|
|
|
"ignorePaths": [
|
|
".docker/**"
|
|
],
|
|
|
|
"rebaseWhen": "auto",
|
|
|
|
"vulnerabilityAlerts": {
|
|
"enabled": true,
|
|
"dependencyDashboardApproval": false,
|
|
"automerge": false,
|
|
"labels": ["security", "vulnerability"]
|
|
},
|
|
|
|
"rangeStrategy": "bump",
|
|
"automerge": false,
|
|
"automergeType": "pr",
|
|
"platformAutomerge": true,
|
|
|
|
"customManagers": [
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track caddy-security plugin version in Dockerfile",
|
|
"managerFilePatterns": [
|
|
"/^Dockerfile$/"
|
|
],
|
|
"matchStrings": [
|
|
"ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "github.com/greenpau/caddy-security",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
|
|
"managerFilePatterns": [
|
|
"/^Dockerfile$/"
|
|
],
|
|
"matchStrings": [
|
|
"#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
|
|
],
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Alpine base image digest in Dockerfile for security updates",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
|
|
],
|
|
"depNameTemplate": "alpine",
|
|
"datasourceTemplate": "docker",
|
|
"versioningTemplate": "docker"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Go toolchain version ARG in Dockerfile",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "golang",
|
|
"datasourceTemplate": "docker",
|
|
"versioningTemplate": "docker"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track expr-lang version ARG in Dockerfile",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "github.com/expr-lang/expr",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track golang.org/x/net version ARG in Dockerfile",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "golang.org/x/net",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Delve version in Dockerfile",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "github.com/go-delve/delve",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track xcaddy version in Dockerfile",
|
|
"managerFilePatterns": ["/^Dockerfile$/"],
|
|
"matchStrings": [
|
|
"ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "github.com/caddyserver/xcaddy",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track govulncheck version in scripts",
|
|
"managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
|
|
"matchStrings": [
|
|
"govulncheck@v(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "golang.org/x/vuln",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track gopls version in Go install script",
|
|
"managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
|
|
"matchStrings": [
|
|
"gopls@v(?<currentValue>[^\\s]+)"
|
|
],
|
|
"depNameTemplate": "golang.org/x/tools",
|
|
"datasourceTemplate": "go",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Go toolchain version in go.work for the dl shim",
|
|
"managerFilePatterns": ["/^go\\.work$/"],
|
|
"matchStrings": [
|
|
"^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
|
|
],
|
|
"depNameTemplate": "golang/go",
|
|
"datasourceTemplate": "golang-version",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track GO_VERSION in Actions workflows",
|
|
"managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
|
|
"matchStrings": [
|
|
"GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
|
|
],
|
|
"depNameTemplate": "golang/go",
|
|
"datasourceTemplate": "golang-version",
|
|
"versioningTemplate": "semver"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Syft version in workflows and scripts",
|
|
"managerFilePatterns": [
|
|
"/^\\.github/workflows/nightly-build\\.yml$/",
|
|
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
|
|
],
|
|
"matchStrings": [
|
|
"SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
|
|
"set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
|
|
],
|
|
"depNameTemplate": "anchore/syft",
|
|
"datasourceTemplate": "github-releases",
|
|
"versioningTemplate": "semver",
|
|
"extractVersionTemplate": "^v(?<version>.*)$"
|
|
},
|
|
{
|
|
"customType": "regex",
|
|
"description": "Track Grype version in workflows and scripts",
|
|
"managerFilePatterns": [
|
|
"/^\\.github/workflows/supply-chain-pr\\.yml$/",
|
|
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
|
|
],
|
|
"matchStrings": [
|
|
"anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
|
|
"set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
|
|
],
|
|
"depNameTemplate": "anchore/grype",
|
|
"datasourceTemplate": "github-releases",
|
|
"versioningTemplate": "semver",
|
|
"extractVersionTemplate": "^v(?<version>.*)$"
|
|
}
|
|
],
|
|
|
|
"packageRules": [
|
|
{
|
|
"description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
|
|
"matchPackagePatterns": ["*"],
|
|
"matchUpdateTypes": [
|
|
"minor",
|
|
"patch",
|
|
"pin",
|
|
"digest"
|
|
],
|
|
"groupName": "non-major-updates"
|
|
},
|
|
{
|
|
"description": "Feature branches: Auto-merge non-major updates after proven stable",
|
|
"matchBaseBranches": ["feature/**"],
|
|
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
|
|
"automerge": false
|
|
},
|
|
{
|
|
"description": "Development branch: Auto-merge non-major updates after proven stable",
|
|
"matchBaseBranches": ["development"],
|
|
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
|
|
"automerge": false,
|
|
"minimumReleaseAge": "14 days"
|
|
},
|
|
{
|
|
"description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",
|
|
"matchManagers": ["custom.regex"],
|
|
"matchFileNames": ["Dockerfile"],
|
|
"labels": ["caddy-patch", "security"],
|
|
"matchPackageNames": [
|
|
"/expr-lang/expr/",
|
|
"/quic-go/quic-go/",
|
|
"/smallstep/certificates/"
|
|
]
|
|
},
|
|
{
|
|
"description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
|
|
"matchManagers": ["dockerfile"],
|
|
"matchPackageNames": ["caddy"],
|
|
"allowedVersions": "<3.0.0"
|
|
},
|
|
{
|
|
"description": "Safety: Keep MAJOR updates separate and require manual review",
|
|
"matchUpdateTypes": ["major"],
|
|
"automerge": false,
|
|
"labels": ["manual-review"]
|
|
}
|
|
]
|
|
}
|