580e20d573
Patch vulnerable transitive dependencies across all three compiled binaries in the Docker image (backend, Caddy, CrowdSec):
- go-jose/v3 and v4: JOSE/JWT validation bypass (CVE-2026-34986)
- otel/sdk: resource leak in OpenTelemetry SDK (CVE-2026-39883)
- pgproto3/v2: buffer overflow via pgx/v4 bump (CVE-2026-32286)
- AWS SDK v2: event stream injection in CrowdSec deps (GHSA-xmrv-pmrh-hhx2)
- OTel HTTP exporters: request smuggling (CVE-2026-39882)
- gRPC: bumped to v1.80.0 for transitive go-jose/v4 resolution

All Dockerfile patches include Renovate annotations for automated future tracking. Renovate config extended to cover the Go version and GitHub Action refs in skill example workflows, preventing version drift in non-CI files. SECURITY.md updated with a pre-existing Alpine base image CVE (no upstream fix available). Nightly Go stdlib CVEs (1.26.1) self-heal on the next development sync; the example workflow is pinned to 1.26.2 for correctness.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":semanticCommits",
":separateMultipleMajorReleases",
"helpers:pinGitHubActionDigests"
],
"baseBranches": [
"feature/beta-release",
"development"
],
"postUpdateOptions": ["npmDedupe"],
"timezone": "America/New_York",
"dependencyDashboard": true,
"dependencyDashboardApproval": true,
"prConcurrentLimit": 10,
"prHourlyLimit": 0,
"labels": [
"dependencies"
],
"ignorePaths": [
".docker/**"
],
"rebaseWhen": "auto",
"vulnerabilityAlerts": {
"enabled": true,
"dependencyDashboardApproval": false,
"automerge": false,
"labels": ["security", "vulnerability"]
},
"rangeStrategy": "bump",
"automerge": false,
"automergeType": "pr",
"platformAutomerge": true,
"customManagers": [
{
"customType": "regex",
"description": "Track caddy-security plugin version in Dockerfile",
"managerFilePatterns": [
"/^Dockerfile$/"
],
"matchStrings": [
"ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/greenpau/caddy-security",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
"managerFilePatterns": [
"/^Dockerfile$/"
],
"matchStrings": [
"#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
],
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Alpine base image digest in Dockerfile for security updates",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
],
"depNameTemplate": "alpine",
"datasourceTemplate": "docker",
"versioningTemplate": "docker"
},
{
"customType": "regex",
"description": "Track Go toolchain version ARG in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang",
"datasourceTemplate": "docker",
"versioningTemplate": "docker"
},
{
"customType": "regex",
"description": "Track expr-lang version ARG in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/expr-lang/expr",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track golang.org/x/net version ARG in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang.org/x/net",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Delve version in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/go-delve/delve",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track xcaddy version in Dockerfile",
"managerFilePatterns": ["/^Dockerfile$/"],
"matchStrings": [
"ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "github.com/caddyserver/xcaddy",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track gotestsum version in codecov workflow",
"managerFilePatterns": [
"/^\\.github/workflows/codecov-upload\\.yml$/"
],
"matchStrings": [
"gotestsum@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "gotest.tools/gotestsum",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track gotestsum version in quality checks workflow",
"managerFilePatterns": [
"/^\\.github/workflows/quality-checks\\.yml$/"
],
"matchStrings": [
"gotestsum@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "gotest.tools/gotestsum",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track govulncheck version in scripts",
"managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
"matchStrings": [
"govulncheck@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang.org/x/vuln",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track gopls version in Go install script",
"managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
"matchStrings": [
"gopls@v(?<currentValue>[^\\s]+)"
],
"depNameTemplate": "golang.org/x/tools",
"datasourceTemplate": "go",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Go toolchain version in go.work for the dl shim",
"managerFilePatterns": ["/^go\\.work$/"],
"matchStrings": [
"^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
],
"depNameTemplate": "golang/go",
"datasourceTemplate": "golang-version",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track GO_VERSION in Actions workflows",
"managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
"matchStrings": [
"GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
],
"depNameTemplate": "golang/go",
"datasourceTemplate": "golang-version",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"description": "Track Syft version in workflows and scripts",
"managerFilePatterns": [
"/^\\.github/workflows/nightly-build\\.yml$/",
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
],
"matchStrings": [
"SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
"set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
],
"depNameTemplate": "anchore/syft",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver",
"extractVersionTemplate": "^v(?<version>.*)$"
},
{
"customType": "regex",
"description": "Track Grype version in workflows and scripts",
"managerFilePatterns": [
"/^\\.github/workflows/supply-chain-pr\\.yml$/",
"/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
],
"matchStrings": [
"anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
"set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
],
"depNameTemplate": "anchore/grype",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver",
"extractVersionTemplate": "^v(?<version>.*)$"
},
{
"customType": "regex",
"description": "Track go-version in skill example workflows",
"managerFilePatterns": ["/^\\.github/skills/examples/.*\\.yml$/"],
"matchStrings": [
"go-version: [\"']?(?<currentValue>[\\d\\.]+)[\"']?"
],
"depNameTemplate": "golang/go",
"datasourceTemplate": "golang-version",
"versioningTemplate": "semver"
}
],
"github-actions": {
"fileMatch": ["^\\.github/skills/examples/.*\\.ya?ml$"]
},
"packageRules": [
{
"description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
"matchPackagePatterns": ["*"],
"matchUpdateTypes": [
"minor",
"patch",
"pin",
"digest"
],
"groupName": "non-major-updates"
},
{
"description": "Feature branches: Auto-merge non-major updates after proven stable",
"matchBaseBranches": ["feature/**"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": false
},
{
"description": "Development branch: Auto-merge non-major updates after proven stable",
"matchBaseBranches": ["development"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": false,
"minimumReleaseAge": "14 days"
},
{
"description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",
"matchManagers": ["custom.regex"],
"matchFileNames": ["Dockerfile"],
"labels": ["caddy-patch", "security"],
"matchPackageNames": [
"/expr-lang/expr/",
"/quic-go/quic-go/",
"/smallstep/certificates/"
]
},
{
"description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
"matchManagers": ["dockerfile"],
"matchPackageNames": ["caddy"],
"allowedVersions": "<3.0.0"
},
{
"description": "Safety: Keep MAJOR updates separate and require manual review",
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["manual-review"]
},
{
"description": "Fix Renovate lookup for geoip2-golang v2 module path",
"matchDatasources": ["go"],
"matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"],
"sourceUrl": "https://github.com/oschwald/geoip2-golang"
}
]
}
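Review bot: The top-level `github-actions` manager block uses `fileMatch`, while every custom manager in the same file uses `managerFilePatterns`; if the Renovate version in use has already retired the old option name, the skill example workflows would silently go untracked and their action refs stay unpinned despite `helpers:pinGitHubActionDigests`, so I would write it as `"github-actions": { "managerFilePatterns": ["/^\\.github/skills/examples/.*\\.ya?ml$/"] }` and confirm on the dependency dashboard that those files appear. The commit message says this block and the `go-version` regex manager for `.github/skills/examples/` are the additions here, which is inferred rather than visible since the page shows the whole file without change markers. Separately, the `packageRules` entries for `feature/**` and `development` are both described as "Auto-merge non-major updates after proven stable" yet both set `"automerge": false`, so the descriptions no longer reflect the policy and should say the updates are grouped but left for manual merge. The `feature/**` rule also has no `minimumReleaseAge`, unlike the `14 days` on `development`; stating that asymmetry as intentional in the description, or aligning it, would make the supply-chain posture of feature branches explicit.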