e92e7edd70
The scheduled weekly rebuild was failing because GitHub Actions froze github.sha at job-queue time. When the Sunday cron queued a job on March 1 with Feb 23 code (CADDY_VERSION=2.11.0-beta.2), that job ran two days later on March 3 still using the old code, missing the caddy version fix that had since landed on main.

Additionally, caddy-security was unpinned, so xcaddy auto-resolved it to v1.1.36 which requires caddy/v2@v2.11.1 — conflicting with xcaddy's internally bundled v2.11.0-beta.2 reference.

- Add ref: github.ref_name to checkout step so the rebuild always fetches current branch HEAD at run time, not the SHA frozen at queue time
- Add CADDY_SECURITY_VERSION=1.1.36 ARG to pin the caddy-security plugin to a known-compatible version; pass it via --with so xcaddy picks up the pinned release
- Add --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION} to force xcaddy to use the declared Caddy version, overriding its own internal go.sum pin for caddy
- Add Renovate custom manager for CADDY_SECURITY_VERSION so future caddy-security releases trigger an automated PR instead of silently breaking the build

Fixes weekly security rebuild CI failures introduced ~Feb 22 when caddy-security v1.1.36 was published.
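
An added example, not part of this commit or the project's code: a small pre-build check that flags `xcaddy build --with` modules carrying no `@version`, the condition that let caddy-security float to a new release here. The helper name `audit_xcaddy_pins`, the Dockerfile fragment, the Caddy version value and the third module path are assumptions constructed for illustration; the ARG names are taken from the commit message.

```python
import re
import shlex

# Constructed Dockerfile fragment (not the project's file). Version values and
# the third module path are sample values chosen for this example.
SAMPLE_DOCKERFILE = """\
ARG CADDY_TARGET_VERSION=2.11.1
ARG CADDY_SECURITY_VERSION=1.1.36
RUN xcaddy build \\
    --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION} \\
    --with github.com/greenpau/caddy-security@v${CADDY_SECURITY_VERSION} \\
    --with example.com/hypothetical/plugin
"""


def audit_xcaddy_pins(dockerfile: str) -> dict:
    """Report --with modules that have no @version or use an ARG with no default."""
    # Join backslash-continued lines so a multi-line RUN becomes one logical line.
    text = re.sub(r"\\\r?\n", " ", dockerfile)
    # ARGs that carry a default value, i.e. a version recorded in the file itself.
    defaults = dict(re.findall(r"^\s*ARG\s+(\w+)=(\S+)", text, re.M))
    findings = {"unpinned": [], "undefined_arg": []}
    for line in text.splitlines():
        if "xcaddy build" not in line:
            continue
        tokens = shlex.split(line)
        for flag, spec in zip(tokens, tokens[1:]):
            if flag != "--with":
                continue
            # xcaddy accepts module[@version][=replacement]; drop the replacement.
            module, _, version = spec.split("=", 1)[0].partition("@")
            if not version:
                findings["unpinned"].append(module)
            elif any(v not in defaults for v in re.findall(r"\$\{?(\w+)\}?", version)):
                findings["undefined_arg"].append(module)
    return findings


if __name__ == "__main__":
    print(audit_xcaddy_pins(SAMPLE_DOCKERFILE))
```

Run as a CI step before the image build, a non-empty `unpinned` or `undefined_arg` list is a reason to fail the job rather than let the module version be resolved at build time.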