From cff078d9d14603935f40e962c248e63bedbf3ff3 Mon Sep 17 00:00:00 2001
From: Sean
Date: Wed, 18 Oct 2023 16:23:35 +0100
Subject: [PATCH] Automate dependency and image updates in GitHub Actions using Renovate Bot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add functionality to automate updates in GitHub Actions:
• Pins and bumps all dependencies, aka `action/checkout`.
• Updates the `EC` image in `action.yaml` to use the newest digest snapshot from quay.io.
• Updates 'check.yaml' to use the latest SHA for the golden-image from GHCR.
Golden-image is updated using a regex match, as it's not technically a dependency.

Additional Renovate Bot settings:
• Schedule: Before 10pm (America/New_York)
• Auto-merge enabled
• Custom manager for checks.yaml to update golden-image using Docker datasource.

resloves: EC-205
signed-off-by: Sean Conroy sconroy@redhat.com
---
 .github/renovate.json | 17 +++++++++++++++++
 .github/workflows/checks.yaml | 2 +-
 action.yaml | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 .github/renovate.json

diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 00000000..45e89e77
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,17 @@
+ {
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["config:base"],
+ "timezone": "America/New_York",
+ "schedule": ["before 10pm"],
+ "automerge": true,
+ "automergeType": "pr",
+ "platformAutomerge": true,
+ "pinDigests": true,
+ "customManagers": [
+ {
+ "fileMatch": ["^\\.github/workflows/checks.yaml$"],
+ "matchStrings": ["image:\\s+(?ghcr\\.io/.*?):(?.*?)@(?.*?)\\s"],
+ "datasourceTemplate": "docker"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 8928535d..a9b7b5d0 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
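Review bot: `"automerge": true` combined with `"platformAutomerge": true` is unrestricted in this config, so every PR Renovate opens — major bumps of actions included, as well as each new digest of the mutable `ec-cli:snapshot` tag — merges to the default branch as soon as the platform allows, and with platform automerge that is immediate unless branch protection on the repository already requires the checks workflow as a status check. Consider gating by update type with a package rule such as `"packageRules": [{ "matchUpdateTypes": ["major"], "automerge": false }]` and confirming that the `checks` job is a required status check in branch protection, otherwise an upstream publisher's build lands in every consumer of this action with no human in the loop. The `matchStrings` regex is shown here without named capture groups (`(?ghcr\\.io/.*?)`), but Renovate needs `(?<depName>…)`, `(?<currentValue>…)` and `(?<currentDigest>…)` for a custom manager to produce updates; if that is not merely a rendering artifact the manager will silently match nothing and the golden-container digest will never be bumped. `config:base` has been superseded by `config:recommended` in recent Renovate releases and still resolves, but is worth updating while the file is new; the file also lacks a trailing newline.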
@@ -20,7 +20,7 @@ jobs:
 - name : Run EC Validate (keyless)
 uses: ./
 with:
- image: ghcr.io/enterprise-contract/golden-container:latest
+ image: ghcr.io/enterprise-contract/golden-container:latest@sha256:bee6221c769593e9d01833a8b42d771f8610d30d87b56e3d8d016e13ff33477c
 # Latest
 identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|enterprise-contract\/golden-container)\/
 issuer: https://token.actions.githubusercontent.com
diff --git a/action.yaml b/action.yaml
index a9bf2bca..3bd0c330 100644
--- a/action.yaml
+++ b/action.yaml
@@ -31,7 +31,7 @@ runs:
 steps:
 - name: Run EC Validate
- uses: docker://quay.io/hacbs-contract/ec-cli:snapshot
+ uses: docker://quay.io/hacbs-contract/ec-cli:snapshot@sha256:fa09380c91a30f01ab26765d403f72a59e073e874abf9160b79d8167c8307a3f
 id: ec_validate
 continue-on-error: true
 with:
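Review bot: The new `image:` value combines the mutable `latest` tag with a digest, and once a digest is present the tag is informational only, so this keyless check now validates one fixed golden-container build until Renovate bumps the digest rather than whatever is currently published under `latest`. That appears to be the intent of the commit, but nothing in the workflow says so or names what keeps the digest current, and a stale or unmatched custom-manager regex would leave this check quietly pinned to an old build. A comment above the line such as `# digest is bumped by Renovate's custom manager in .github/renovate.json; the tag is informational` would make that coupling visible to the next maintainer. The enclosing job continues outside the hunk.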
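Review bot: The digest pin on `uses:` is an improvement over a bare tag, but the tag being pinned is `snapshot`, so with automerge enabled in the new Renovate config the action's runtime will follow every new snapshot build of `ec-cli` that Renovate picks up from quay.io, and unless branch protection requires the checks workflow there is no review step between an upstream build and its use by every consumer of this action. If tracking the snapshot channel is deliberate, say so with a comment above `uses:`, e.g. `# tracks the ec-cli snapshot channel by digest; Renovate (.github/renovate.json) bumps the digest`; otherwise consider pinning a released tag so that digest bumps correspond to versioned, reviewed releases. The step's `with:` inputs continue outside the hunk.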