diff --git a/.github/renovate.json b/.github/renovate.json
index 1565ac0..819e2ee 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,10 +1,10 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["config:base"],
+ "extends": ["config:recommended"],
 "timezone": "America/Los_Angeles",
 "schedule": ["every weekend"],
 "prCreation": "not-pending",
- "automerge": true,
+ "automerge": false,
 "automergeType": "pr",
 "automergeStrategy": "squash",
 "labels": ["dependencies", "docker"],
@@ -26,6 +26,12 @@
 "automerge": true,
 "commitMessageTopic": "go module {{depName}}"
 },
+ {
+ "matchDatasources": ["github-releases"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "automerge": true,
+ "commitMessageTopic": "github release {{depName}}"
+ },
 {
 "matchUpdateTypes": ["major"],
 "automerge": false,
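Review bot: The new `github-releases` rule automerges minor and patch bumps, and the only github-releases dependencies visible in this diff are the cosign and docker-scout regex managers in the hunk at -46,25, whose descriptions now state that the SHA256 is no longer updated by Renovate. An automerged COSIGN_VERSION or SCOUT_VERSION bump therefore lands with the previously pinned COSIGN_SHA256/SCOUT_SHA256 unchanged, so either the workflow's checksum step fails on the next run or, if that check is not enforced, the downloaded binary is no longer covered by a matching digest; whether the workflow verifies the digest is not visible here. Keep those two deps out of automerge until the SHA is managed again, e.g. add a rule after this one with `"matchDepNames": ["sigstore/cosign", "docker/scout-cli"],` and `"automerge": false`.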
@@ -46,25 +52,25 @@
 },
 {
 "customType": "regex",
- "description": "Update cosign version and SHA in workflow",
+ "description": "Update cosign version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
 "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
 "matchStrings": [
- "COSIGN_VERSION: (?v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+COSIGN_SHA256: \"(?[a-f0-9]+)\""
+ "COSIGN_VERSION: (?v[^\\n]+)"
 ],
 "datasourceTemplate": "github-releases",
 "depNameTemplate": "sigstore/cosign",
- "extractVersionTemplate": "^(?.*)$"
+ "versioningTemplate": "semver"
 },
 {
 "customType": "regex",
- "description": "Update docker-scout version and SHA in workflow",
+ "description": "Update docker-scout version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
 "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
 "matchStrings": [
- "SCOUT_VERSION: (?v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+SCOUT_SHA256: \"(?[a-f0-9]+)\""
+ "SCOUT_VERSION: (?v[^\\n]+)"
 ],
 "datasourceTemplate": "github-releases",
 "depNameTemplate": "docker/scout-cli",
- "extractVersionTemplate": "^(?.*)$"
+ "versioningTemplate": "semver"
 }
 ]
 }
diff --git a/.github/workflows/build-caddy.yml b/.github/workflows/build-caddy.yml
index a35e60a..3740441 100644
--- a/.github/workflows/build-caddy.yml
+++ b/.github/workflows/build-caddy.yml
@@ -46,7 +46,7 @@ jobs:
 # STEP 1 — Checkout
 # ──────────────────────────────────────────────────────────
 - name: Checkout Repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ github.ref_name }}
 fetch-depth: 0
@@ -159,15 +159,17 @@ jobs:
 )"

 echo "Resolving cache-handler HEAD commit..."
+ # caddyserver/cache-handler uses 'master' as its default branch (not 'main').
 CACHE_HANDLER_REF="$(
 retry git ls-remote --heads https://github.com/caddyserver/cache-handler.git \
- | awk '/refs\/heads\/main/ {print $1}'
+ | awk '/refs\/heads\/master/ {print $1}'
 )"

 echo "Resolving transform-encoder HEAD commit..."
+ # caddyserver/transform-encoder uses 'master' as its default branch (not 'main').
 TRANSFORM_ENCODER_REF="$(
 retry git ls-remote --heads https://github.com/caddyserver/transform-encoder.git \
- | awk '/refs\/heads\/main/ {print $1}'
+ | awk '/refs\/heads\/master/ {print $1}'
 )"

 echo "Resolving caddy-security version..."
@@ -332,7 +334,7 @@ jobs:
 - name: Cache CLI tools
 if: steps.decide.outputs.should_build == 'true'
 id: cache-cli
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.local/bin/cosign
@@ -382,14 +384,14 @@ jobs:

 - name: Login to DockerHub
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 username: ${{ env.DOCKERHUB_USERNAME }}
 password: ${{ env.DOCKERHUB_TOKEN }}

 - name: Login to GHCR
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ${{ env.GHCR_REGISTRY }}
 username: ${{ github.actor }}
@@ -401,7 +403,7 @@ jobs:
 - name: Build Local Test Image
 if: steps.decide.outputs.should_build == 'true'
 timeout-minutes: 30
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
 with:
 context: ./docker/caddy
 platforms: linux/amd64
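Review bot: The filter on the two changed `| awk '/refs\/heads\/master/ {print $1}'` lines is an unanchored regex, so any branch whose name merely contains that string (a `master-next` or `old-master` branch listed by `ls-remote --heads`, for instance) also matches, and the variable then holds several SHAs, or the wrong one, with no error; the previous `main` pattern had the same weakness. Compare the ref column exactly on both lines instead, `| awk '$2 == "refs/heads/master" {print $1}'`. The surrounding run block starts and ends outside this hunk, so whether the result is later validated as a single 40-hex value is not visible here.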
@@ -549,7 +551,7 @@ jobs:
 if: steps.decide.outputs.should_build == 'true'
 id: push
 timeout-minutes: 60
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
 with:
 context: ./docker/caddy
 platforms: linux/amd64,linux/arm64
@@ -679,6 +681,10 @@ jobs:

 # ──────────────────────────────────────────────────────────
 # STEP 12 — Commit and push metadata (always runs)
+ # Pushes to the branch that triggered this workflow run
+ # (github.ref_name), not a hardcoded branch name. This allows
+ # the workflow to be tested on feature/audit branches without
+ # accidentally writing metadata back to main.
 # ──────────────────────────────────────────────────────────
 - name: Commit and Push Metadata
 if: always()
@@ -700,13 +706,13 @@ jobs:
 # Rebase on any concurrent commits pushed while this job was running.
 # The concurrency group (cancel-in-progress: true) prevents two jobs
 # from running simultaneously, but a Renovate automerge or other
- # automation could push to main between our checkout and this push.
- git pull --rebase origin main || {
- echo "ERROR: git rebase failed — likely a merge conflict with concurrent main changes." >&2
+ # automation could push to the branch between our checkout and this push.
+ git pull --rebase origin "${{ github.ref_name }}" || {
+ echo "ERROR: git rebase failed — likely a merge conflict with concurrent branch changes." >&2
 git rebase --abort 2>/dev/null || true
 exit 1
 }
- git push origin HEAD:main
+ git push origin "HEAD:${{ github.ref_name }}"

 # ──────────────────────────────────────────────────────────
 # STEP 13 — Create GitHub Release
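Review bot: In the two changed `git pull --rebase origin "${{ github.ref_name }}"` and `git push origin "HEAD:${{ github.ref_name }}"` lines the expression is expanded into the script text before bash parses it, so the double quotes do not protect against a branch name containing shell metacharacters, which git permits in ref names; the branch name becomes part of the command rather than an argument to it. Read it from the runner environment instead, `git pull --rebase origin "$GITHUB_REF_NAME"` and `git push origin "HEAD:$GITHUB_REF_NAME"`, so the value stays data. If the workflow can also be triggered by pull_request or tag events, ref_name is then a merge ref or tag rather than a pushable branch and this step would fail; the triggers are outside this hunk, so that is inferred, and the comment block added at -679,6 would be the place to state which events are expected.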