audit: idempotency, consistency, and hardening improvements #10
caddyserver/cache-handler and caddyserver/transform-encoder both use `master` as their default branch, not `main`. The ls-remote awk filter was matching nothing, causing CACHE_HANDLER_REF and TRANSFORM_ENCODER_REF to resolve to empty strings and aborting the workflow at the validation step.
…oning to customManagers
….2.2; annotate all action SHAs with verified version comments
…o correct v4 SHAs
Code Review
This pull request updates the Renovate configuration by switching to the recommended preset and disabling top-level automerge. It introduces a new package rule to automerge minor and patch updates for GitHub releases and simplifies the regex managers for 'cosign' and 'docker-scout' to track only version strings. Feedback was provided regarding the risk of enabling automerge for GitHub releases, as the simplified regex managers now require manual SHA256 updates which would be bypassed by automation, potentially leading to broken workflows.
| { | ||
| "matchDatasources": ["github-releases"], | ||
| "matchUpdateTypes": ["minor", "patch"], | ||
| "automerge": true, |
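Review bot: this rule automerges every minor and patch bump from the `github-releases` datasource, which is the datasource the cosign and docker-scout customManagers in this same file resolve through, and those managers now rewrite only the version while the workflow still checks a hand-maintained SHA256; rather than disabling automerge for the whole datasource, add a later, narrower rule such as `{"matchDepNames": ["sigstore/cosign", "docker/scout-cli"], "automerge": false}` so those two dependencies stay human-reviewed while other releases from the datasource can still automerge. Renovate evaluates packageRules in order and a later match overrides an earlier one, so the narrower rule has to come after this one.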
Enabling automerge for github-releases is risky given the changes to the cosign and docker-scout custom managers (lines 53-74). Since those managers have been updated to only track the version string and explicitly require manual SHA256 updates, any automated version bump will result in a checksum mismatch in the workflow. If automerge is set to true, Renovate will attempt to merge these broken updates automatically if CI passes (or if the checksum check is not part of the CI gate). It is safer to set this to false to ensure a human verifies and updates the corresponding SHA256 before merging.
| "automerge": true, | |
| "automerge": false, |
Pull request overview
This PR focuses on hardening and making the automation more deterministic by tightening the GitHub Actions workflow’s behavior and refining Renovate’s update/automerge rules.
Changes:
- Update/pin several GitHub Actions to specific SHAs with corrected version annotations, and fix default-branch resolution for upstream dependencies.
- Improve metadata push behavior by targeting the triggering ref name (instead of hardcoding `main`).
- Adjust Renovate baseline and rules (recommended preset, restrict major automerge) and refine custom managers for workflow-managed versions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/build-caddy.yml | Updates action pins/annotations, fixes upstream default-branch resolution, and adjusts metadata rebase/push targeting. |
| .github/renovate.json | Switches to config:recommended, tightens automerge policy, and updates custom managers/versioning templates. |
| git pull --rebase origin "${{ github.ref_name }}" || { | ||
| echo "ERROR: git rebase failed — likely a merge conflict with concurrent branch changes." >&2 | ||
| git rebase --abort 2>/dev/null || true | ||
| exit 1 | ||
| } |
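Review bot: `${{ github.ref_name }}` on the `git pull --rebase` line is substituted into the script text before bash parses it, so a branch name containing `"`, `$`, `;`, `|` or a backtick (all permitted in git ref names) becomes shell syntax rather than an argument; pass the ref through an `env:` entry (for example `REF_NAME: ${{ github.ref_name }}`) and write `git pull --rebase origin "$REF_NAME"` so the value is only ever expanded by the shell as a quoted variable. The error message also attributes every failure to a merge conflict, while `git pull --rebase` fails just as readily when the fetch is refused or the remote branch does not exist; either print git's own stderr ahead of the message or split the fetch from the rebase so the log says which one failed.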
`github.ref_name` can be a tag name when the workflow is run via `workflow_dispatch` on a tag. In that case `git pull --rebase origin "${{ github.ref_name }}"` will fail (no remote branch), and the subsequent push may create/overwrite an unintended branch named after the tag. Consider guarding this step to only run on branch refs (e.g. `if: github.ref_type == 'branch'` or `startsWith(github.ref, 'refs/heads/')`), and skip the commit/push on tag runs.
| "description": "Update cosign version in workflow (version field only; SHA256 must be updated manually or via a separate manager)", | ||
| "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"], | ||
| "matchStrings": [ | ||
| "COSIGN_VERSION: (?<currentValue>v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+COSIGN_SHA256: \"(?<currentDigest>[a-f0-9]+)\"" | ||
| "COSIGN_VERSION: (?<currentValue>v[^\\n]+)" | ||
| ], | ||
| "datasourceTemplate": "github-releases", | ||
| "depNameTemplate": "sigstore/cosign", | ||
| "extractVersionTemplate": "^(?<version>.*)$" | ||
| "versioningTemplate": "semver" |
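Review bot: the new `(?<currentValue>v[^\\n]+)` capture runs to the end of the line, so a trailing `# comment` or stray whitespace on the `COSIGN_VERSION` line becomes part of currentValue, which is not a semver string and will make Renovate either skip the dependency or write the comment back as part of the version; tighten it to `v\\S+` (or an explicit `v[0-9]+\\.[0-9]+\\.[0-9]+`). The description also promises that the SHA256 can be handled "via a separate manager", but no such manager appears in this diff, so after this change `COSIGN_SHA256` has no updater at all.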
This customManager now updates only `COSIGN_VERSION`, but the workflow enforces a pinned `COSIGN_SHA256` for the downloaded binary. A Renovate PR that bumps the version without updating the SHA will reliably break CI at the SHA verification step. Consider managing the SHA alongside the version again (single regex manager capturing both), or disabling Renovate updates/automerge for these fields until both values can be updated together.
| "customType": "regex", | ||
| "description": "Update docker-scout version and SHA in workflow", | ||
| "description": "Update docker-scout version in workflow (version field only; SHA256 must be updated manually or via a separate manager)", | ||
| "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"], | ||
| "matchStrings": [ | ||
| "SCOUT_VERSION: (?<currentValue>v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+SCOUT_SHA256: \"(?<currentDigest>[a-f0-9]+)\"" | ||
| "SCOUT_VERSION: (?<currentValue>v[^\\n]+)" | ||
| ], | ||
| "datasourceTemplate": "github-releases", | ||
| "depNameTemplate": "docker/scout-cli", | ||
| "extractVersionTemplate": "^(?<version>.*)$" | ||
| "versioningTemplate": "semver" |
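Review bot: same end-of-line capture as the cosign manager: `(?<currentValue>v[^\\n]+)` will swallow any trailing comment on the `SCOUT_VERSION` line, so tighten it to `v\\S+` here as well. `SCOUT_SHA256` no longer appears in any matchString, yet the description still says it can be updated "via a separate manager"; either add that manager in this PR or drop the clause so the description matches what the config actually does.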
Same issue as cosign: this manager updates only `SCOUT_VERSION`, but the workflow verifies the downloaded tarball against `SCOUT_SHA256`. Renovate version-only bumps will fail CI unless the SHA is updated in the same PR. Consider updating both fields together (or preventing Renovate from proposing these updates until SHA automation is added).
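Added example, not code from the PR, from Renovate, or from either reviewer: it runs the two cosign matchStrings shown in the diff against a constructed env block, mimics the rewrite a Renovate regex manager performs (only the captured groups are replaced), and then applies the digest check the workflow runs on the downloaded binary, which is the coupling the automerge comment above and the two customManager comments are about. Node's RegExp supports the `(?<name>...)` groups Renovate's RE2 patterns use, so both patterns are copied verbatim with the JSON escaping removed. The env block, the digest table and the tightened `v\S+` pattern are assumptions for the demonstration, not part of the repository.

```javascript
// Added example, not code from the PR, from Renovate or from the reviewers.
// Runs the cosign matchStrings from the diff against a constructed env block,
// mimics a regex-manager rewrite, and applies the workflow's digest gate.

// Constructed env block in the shape the matchStrings expect.
// Version numbers and digests are made up for the demonstration.
const ZEROS = "0".repeat(64);
const ONES = "1".repeat(64);

const CLEAN_ENV = [
  "env:",
  "  COSIGN_VERSION: v2.0.0",
  "  # sha256 of cosign-linux-amd64 for the version above",
  `  COSIGN_SHA256: "${ZEROS}"`,
].join("\n");

// Same block, but with a trailing comment on the version line.
const COMMENTED_ENV = CLEAN_ENV.replace(
  "COSIGN_VERSION: v2.0.0",
  "COSIGN_VERSION: v2.0.0  # pinned",
);

// Pattern removed by the PR: captures version and digest together.
const COMBINED =
  /COSIGN_VERSION: (?<currentValue>v[^\n]+)(?:\n\s+#[^\n]*)*\n\s+COSIGN_SHA256: "(?<currentDigest>[a-f0-9]+)"/;
// Pattern added by the PR: version only, greedy to the end of the line.
const VERSION_ONLY = /COSIGN_VERSION: (?<currentValue>v[^\n]+)/;
// Tightened variant (assumption, not in the PR): stop at whitespace so a
// trailing comment is not captured as part of the version.
const VERSION_TIGHT = /COSIGN_VERSION: (?<currentValue>v\S+)/;

// Run a matchString and return its named groups, or null if it does not match.
function extract(text, pattern) {
  const m = pattern.exec(text);
  return m ? { ...m.groups } : null;
}

// Mimic a regex-manager update: inside the matched region, swap the text of
// currentValue (and of currentDigest, when the pattern captured one) for the
// new values and leave everything else untouched.
function bump(text, pattern, newValue, newDigest) {
  const m = pattern.exec(text);
  if (m === null) return text;
  let region = m[0].replace(m.groups.currentValue, newValue);
  if (newDigest !== undefined && m.groups.currentDigest !== undefined) {
    region = region.replace(m.groups.currentDigest, newDigest);
  }
  return text.slice(0, m.index) + region + text.slice(m.index + m[0].length);
}

// Stand-in for the release checksum file the workflow compares against
// (constructed; the real values live in the upstream release assets).
const KNOWN_DIGESTS = { "v2.0.0": ZEROS, "v2.1.0": ONES };

// The workflow's gate, reduced to its decision: does COSIGN_SHA256 still
// match the digest published for COSIGN_VERSION?
function digestMatches(text) {
  const g = extract(text, COMBINED);
  return g !== null && KNOWN_DIGESTS[g.currentValue] === g.currentDigest;
}

// Walk through the scenarios the review comments describe.
console.log(extract(CLEAN_ENV, VERSION_ONLY).currentValue); // v2.0.0
console.log(extract(COMMENTED_ENV, VERSION_ONLY).currentValue); // "v2.0.0  # pinned"
console.log(extract(COMMENTED_ENV, VERSION_TIGHT).currentValue); // v2.0.0
console.log(digestMatches(CLEAN_ENV)); // true
// Version-only bump: the SHA256 line is left alone, so the gate fails.
console.log(digestMatches(bump(CLEAN_ENV, VERSION_ONLY, "v2.1.0"))); // false
// Combined bump: version and digest move together, so the gate passes.
console.log(digestMatches(bump(CLEAN_ENV, COMBINED, "v2.1.0", ONES))); // true
```

The `bump` function is deliberately the narrow operation a regex manager performs: nothing outside the captured groups changes, which is exactly why a version-only pattern leaves the stale `COSIGN_SHA256` in place and why the gate then fails regardless of whether a human or automerge lands the PR.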
Summary
Comprehensive audit and hardening pass covering the GitHub Actions workflow, Dockerfile, Renovate config, and README. All changes were tested by running the workflow against this branch.
Changes
Workflow (`build-caddy.yml`)
- `docker manifest inspect` to prevent race condition when image is not yet publicly accessible
- `date -d 'next monday'`
- Push to `HEAD:${{ github.ref_name }}` instead of hardcoded `main`
- `actions/checkout` SHA comment from `v6.0.2` → `v4.2.2`; annotate all action SHAs with verified version comments
- `docker/setup-qemu-action` and `docker/setup-buildx-action` to correct v4 SHAs
- `cache-handler` and `transform-encoder` branch resolution — both repos use `master`, not `main`

Dockerfile
- `IMPORTANT` sync comment linking builder `ARG` default to `FROM` tag
- `caddy environ` vs HTTP admin API

Renovate (`.github/renovate.json`)
- `config:recommended` base
- `versioningTemplate` to all `customManagers`

README
- `2.11.2` patch-level tag row to Tag Strategy table

Manual action still required
- … (https://hub.docker.com/r/atnplex/caddy), and topics (`caddy`, `docker`, `reverse-proxy`, `cloudflare`, `homelab`, `xcaddy`, `github-actions`) via the GitHub UI gear icon on the repo homepage.