Automate dependency and image updates in GitHub Actions using Renovat…

…e Bot Add functionality to automate updates in GitHub Actions: • Pins and bumps all dependencies, aka `action/checkout`. • Updates the `EC` image in `action.yaml` to use the newest digest snapshot from quay.io. • Updates 'check.yaml' to use the latest SHA for the golden-image from GHCR. Golden-image is updated using a regex match, as it's not technically a dependency. Additional Renovate Bot settings: • Schedule: Before 10pm (America/New_York) • Auto-merge enabled • Custom manager for checks.yaml to update golden-image using Docker datasource. resloves: EC-205 signed-off-by: Sean Conroy [email protected]
enterprise-contract · Oct 18, 2023 · cff078d · cff078d
1 parent bb370fb
commit cff078d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,17 @@
+  {
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": ["config:base"],
+    "timezone": "America/New_York",
+    "schedule": ["before 10pm"],
+    "automerge": true,
+    "automergeType": "pr",
+    "platformAutomerge": true,
+    "pinDigests": true,
+    "customManagers": [
+      {
+        "fileMatch": ["^\\.github/workflows/checks.yaml$"],
+        "matchStrings": ["image:\\s+(?<depName>ghcr\\.io/.*?):(?<currentValue>.*?)@(?<currentDigest>.*?)\\s"],
+        "datasourceTemplate": "docker"
+      }
+    ]
+  }
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -20,7 +20,7 @@ jobs:
     - name : Run EC Validate (keyless)
       uses: ./
       with:
-        image: ghcr.io/enterprise-contract/golden-container:latest
+        image: ghcr.io/enterprise-contract/golden-container:latest@sha256:bee6221c769593e9d01833a8b42d771f8610d30d87b56e3d8d016e13ff33477c # Latest
         identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|enterprise-contract\/golden-container)\/
         issuer: https://token.actions.githubusercontent.com
 

diff --git a/action.yaml b/action.yaml
@@ -31,7 +31,7 @@ runs:
 
   steps:
     - name: Run EC Validate
-      uses: docker://quay.io/hacbs-contract/ec-cli:snapshot
+      uses: docker://quay.io/hacbs-contract/ec-cli:snapshot@sha256:fa09380c91a30f01ab26765d403f72a59e073e874abf9160b79d8167c8307a3f
       id: ec_validate
       continue-on-error: true
       with: