From 387bd1f53912b2114fb6972496f40eb1a96c6619 Mon Sep 17 00:00:00 2001
From: Sijia Li <242334856+atngit2@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:41:09 -0700
Subject: [PATCH 1/7] fix: push metadata commit to current branch, not hardcoded main
---
 .github/workflows/build-caddy.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-caddy.yml b/.github/workflows/build-caddy.yml
index a35e60a..e6c8617 100644
--- a/.github/workflows/build-caddy.yml
+++ b/.github/workflows/build-caddy.yml
@@ -679,6 +679,10 @@ jobs:
 # ──────────────────────────────────────────────────────────
 # STEP 12 — Commit and push metadata (always runs)
+ # Pushes to the branch that triggered this workflow run
+ # (github.ref_name), not a hardcoded branch name. This allows
+ # the workflow to be tested on feature/audit branches without
+ # accidentally writing metadata back to main.
 # ──────────────────────────────────────────────────────────
 - name: Commit and Push Metadata
 if: always()
@@ -700,13 +704,13 @@ jobs:
 # Rebase on any concurrent commits pushed while this job was running.
 # The concurrency group (cancel-in-progress: true) prevents two jobs
 # from running simultaneously, but a Renovate automerge or other
- # automation could push to main between our checkout and this push.
- git pull --rebase origin main || {
- echo "ERROR: git rebase failed — likely a merge conflict with concurrent main changes." >&2
+ # automation could push to the branch between our checkout and this push.
+ git pull --rebase origin "${{ github.ref_name }}" || {
+ echo "ERROR: git rebase failed — likely a merge conflict with concurrent branch changes." >&2
 git rebase --abort 2>/dev/null || true
 exit 1
 }
- git push origin HEAD:main
+ git push origin "HEAD:${{ github.ref_name }}"
 # ──────────────────────────────────────────────────────────
 # STEP 13 — Create GitHub Release
From adc69b17d652e13a4dd8b7dac710f620fa5f2298 Mon Sep 17 00:00:00 2001
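Review bot: `${{ github.ref_name }}` on the new `git pull --rebase` and `git push` lines is substituted into the script text by the runner before bash parses it, so the surrounding double quotes do not protect it — a branch name carrying shell metacharacters (git allows `$`, `(`, `;`, backticks and quotes in ref names) becomes part of the command, which is the classic workflow script-injection pattern; `ref:` in the checkout step's `with:` block is fine, the problem is only inside `run:`. Pass the value through the step's environment and expand it as a shell variable instead, and, if this workflow can also be started by a tag push or pull_request event, guard the step so `github.ref_name` is only used when it names a branch (otherwise the push targets a tag name or `<n>/merge`). The step's script begins before this hunk, so the `env:` block has to be added where the step is declared.
```yaml
- name: Commit and Push Metadata
  if: always() && startsWith(github.ref, 'refs/heads/')
  env:
    BRANCH: ${{ github.ref_name }}
  run: |
    # … unchanged: git config / add / commit of the metadata …
    git pull --rebase origin "$BRANCH" || {
      echo "ERROR: git rebase failed — likely a merge conflict with concurrent branch changes." >&2
      git rebase --abort 2>/dev/null || true
      exit 1
    }
    git push origin "HEAD:$BRANCH"
```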
From: GitHub Action
Date: Wed, 1 Apr 2026 09:45:45 -0700
Subject: [PATCH 2/7] chore: update build metadata [skip ci]
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a436e8a..439f3e9 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 [![Build](https://img.shields.io/github/actions/workflow/status/atnplex/caddy/build-caddy.yml?style=flat-square&label=Build)](https://github.com/atnplex/caddy/actions)
-[![Last Run](https://img.shields.io/badge/Last_Run-Wed_Apr_01-brightgreen?style=flat-square)](https://github.com/atnplex/caddy/actions)
+[![Last Run](https://img.shields.io/badge/Last_Run-Wed_Apr_01-blue?style=flat-square)](https://github.com/atnplex/caddy/actions)
 [![Next Run](https://img.shields.io/badge/Next_Run-Mon_Apr_06-blue?style=flat-square)](https://github.com/atnplex/caddy/actions)
From 59e369b9736ba735066ecbef05f84d79add3ead6 Mon Sep 17 00:00:00 2001
From: Sijia Li <242334856+atngit2@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:51:51 -0700
Subject: [PATCH 3/7] fix: use correct branch names for cache-handler and transform-encoder
caddyserver/cache-handler and caddyserver/transform-encoder both use `master` as their default branch, not `main`. The ls-remote awk filter was matching nothing, causing CACHE_HANDLER_REF and TRANSFORM_ENCODER_REF to resolve to empty strings and aborting the workflow at the validation step.
---
 .github/workflows/build-caddy.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-caddy.yml b/.github/workflows/build-caddy.yml
index e6c8617..d543157 100644
--- a/.github/workflows/build-caddy.yml
+++ b/.github/workflows/build-caddy.yml
@@ -159,15 +159,17 @@ jobs:
 )"
 echo "Resolving cache-handler HEAD commit..."
+ # caddyserver/cache-handler uses 'master' as its default branch (not 'main').
 CACHE_HANDLER_REF="$(
 retry git ls-remote --heads https://github.com/caddyserver/cache-handler.git \
- | awk '/refs\/heads\/main/ {print $1}'
+ | awk '/refs\/heads\/master/ {print $1}'
 )"
 echo "Resolving transform-encoder HEAD commit..."
+ # caddyserver/transform-encoder uses 'master' as its default branch (not 'main').
 TRANSFORM_ENCODER_REF="$(
 retry git ls-remote --heads https://github.com/caddyserver/transform-encoder.git \
- | awk '/refs\/heads\/main/ {print $1}'
+ | awk '/refs\/heads\/master/ {print $1}'
 )"
 echo "Resolving caddy-security version..."
From 6b39e894cb988eb67122d7c205c8328a4440ba31 Mon Sep 17 00:00:00 2001
From: Sijia Li <242334856+atngit2@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:53:10 -0700
Subject: [PATCH 4/7] fix(renovate): use config:recommended, fix automerge scope, add versioning to customManagers
---
 .github/renovate.json | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 1565ac0..819e2ee 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,10 +1,10 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["config:base"],
+ "extends": ["config:recommended"],
 "timezone": "America/Los_Angeles",
 "schedule": ["every weekend"],
 "prCreation": "not-pending",
- "automerge": true,
+ "automerge": false,
 "automergeType": "pr",
 "automergeStrategy": "squash",
 "labels": ["dependencies", "docker"],
@@ -26,6 +26,12 @@
 "automerge": true,
 "commitMessageTopic": "go module {{depName}}"
 },
+ {
+ "matchDatasources": ["github-releases"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "automerge": true,
+ "commitMessageTopic": "github release {{depName}}"
+ },
 {
 "matchUpdateTypes": ["major"],
 "automerge": false,
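Review bot: The `awk '/refs\/heads\/master/ {print $1}'` filter on both new lines is an unanchored substring match, so any other head whose name contains `master` (a `master-backup` or `old-master` branch, say) would match too and the `$( … )` would capture several SHAs joined by newlines; the replaced `main` pattern had the same weakness, the commit only changed the word. Comparing the ref column exactly, `| awk '$2 == "refs/heads/master" {print $1}'`, pins each lookup to the one branch. For the supply chain it is also worth noting that this resolves whatever commit is at the tip of a third-party default branch at build time, so two runs of the same workflow can build different plugin code; logging the resolved SHAs in the job output (or pinning them and letting Renovate bump them) would make each build reproducible and its inputs auditable. The `run:` block containing these lines starts and ends outside the hunk.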
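Review bot: The new `github-releases` package rule automerges minor and patch updates, and in this same patch the two `customManagers` that use `"datasourceTemplate": "github-releases"` (`sigstore/cosign`, `docker/scout-cli`) stop updating the companion `COSIGN_SHA256`/`SCOUT_SHA256` pins, so a cosign or scout bump would now be merged without review while its checksum is left stale. If the workflow verifies the download against that checksum, the build then fails on the default branch; if it does not, the pin is silently meaningless. Keeping those two dependencies out of automerge until their digests are managed again, e.g. a later rule with `"matchDepNames": ["sigstore/cosign", "docker/scout-cli"]` and `"automerge": false` (later `packageRules` entries override earlier ones), keeps a human in the loop. Whether other github-releases dependencies exist that this rule is meant to cover is not visible here.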
@@ -46,25 +52,25 @@
 },
 {
 "customType": "regex",
- "description": "Update cosign version and SHA in workflow",
+ "description": "Update cosign version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
 "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
 "matchStrings": [
- "COSIGN_VERSION: (?v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+COSIGN_SHA256: \"(?[a-f0-9]+)\""
+ "COSIGN_VERSION: (?v[^\\n]+)"
 ],
 "datasourceTemplate": "github-releases",
 "depNameTemplate": "sigstore/cosign",
- "extractVersionTemplate": "^(?.*)$"
+ "versioningTemplate": "semver"
 },
 {
 "customType": "regex",
- "description": "Update docker-scout version and SHA in workflow",
+ "description": "Update docker-scout version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
 "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
 "matchStrings": [
- "SCOUT_VERSION: (?v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+SCOUT_SHA256: \"(?[a-f0-9]+)\""
+ "SCOUT_VERSION: (?v[^\\n]+)"
 ],
 "datasourceTemplate": "github-releases",
 "depNameTemplate": "docker/scout-cli",
- "extractVersionTemplate": "^(?.*)$"
+ "versioningTemplate": "semver"
 }
 ]
 }
From cda4a8141e439cc37c8a8b2e1f32e00cd92eb8bf Mon Sep 17 00:00:00 2001
From: Sijia Li <242334856+atngit2@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:56:27 -0700
Subject: [PATCH 5/7] fix(workflow): correct actions/checkout SHA comment from v6.0.2 to v4.2.2; annotate all action SHAs with verified version comments
---
 .github/workflows/build-caddy.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-caddy.yml b/.github/workflows/build-caddy.yml
index d543157..bdd6ae9 100644
--- a/.github/workflows/build-caddy.yml
+++ b/.github/workflows/build-caddy.yml
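Review bot: As rendered here the new `matchStrings` read `(?v[^\\n]+)` with no group name; Renovate's regex manager needs a `currentValue` capture (or `currentValueTemplate`) to update anything, so if the committed file really reads this way rather than this page having dropped the angle brackets, both managers match nothing and fail silently — worth confirming that the file has `"COSIGN_VERSION: (?<currentValue>v[^\\n]+)"` and the same for `SCOUT_VERSION`. Dropping the `COSIGN_SHA256`/`SCOUT_SHA256` half of each pattern also removes the only thing that kept a version and its checksum in step; the new descriptions say so, but nothing enforces it, so every version bump PR from these managers will carry a stale pin until someone notices. If the checksums are of release assets, Renovate's `github-release-attachments` datasource with a `currentDigest` capture may be able to keep them updated; if not, a comment in the workflow beside the two pins naming the manual update step would at least make the procedure discoverable.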
@@ -46,7 +46,7 @@ jobs:
 # STEP 1 — Checkout
 # ──────────────────────────────────────────────────────────
 - name: Checkout Repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ github.ref_name }}
 fetch-depth: 0
@@ -334,7 +334,7 @@ jobs:
 - name: Cache CLI tools
 if: steps.decide.outputs.should_build == 'true'
 id: cache-cli
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.local/bin/cosign
@@ -376,22 +376,22 @@ jobs:
 # ──────────────────────────────────────────────────────────
 - name: Set up QEMU
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff9c71e6827abe58fad # v3.6.0
 - name: Set up Docker Buildx
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@b5730b8a8cf1d6d48e48cf989e2cec73a5748dae # v3.10.0
 - name: Login to DockerHub
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 username: ${{ env.DOCKERHUB_USERNAME }}
 password: ${{ env.DOCKERHUB_TOKEN }}
 - name: Login to GHCR
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ${{ env.GHCR_REGISTRY }}
 username: ${{ github.actor }}
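Review bot: The first hunk changes the pinned commit of actions/checkout itself (`de0fac2e…` → `11bd7190…`), not only the trailing version comment as the subject says, so this is a downgrade to v4.2.2 rather than a comment correction, and the `actions/cache`, `docker/setup-*`, `docker/login-action` and `docker/build-push-action` hunks here and in the next chunk are likewise digest changes. Whether each new SHA really is the commit behind its `# vX.Y.Z` comment cannot be checked from this page, and [PATCH 6/7] later in this series puts the v4.0.0 digests for setup-qemu/setup-buildx back, which suggests the "verified" annotations were not all checked against the upstream tags before this was committed. With digest pinning the comment is what reviewers read, so a wrong comment quietly defeats the pin; resolve each tag to its commit with `git ls-remote` and compare before merging, or hand the digest/comment pairs to Renovate's `helpers:pinGitHubActionDigests` preset so they cannot drift by hand.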
@@ -403,7 +403,7 @@ jobs:
 - name: Build Local Test Image
 if: steps.decide.outputs.should_build == 'true'
 timeout-minutes: 30
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
 with:
 context: ./docker/caddy
 platforms: linux/amd64
@@ -551,7 +551,7 @@ jobs:
 if: steps.decide.outputs.should_build == 'true'
 id: push
 timeout-minutes: 60
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
 with:
 context: ./docker/caddy
 platforms: linux/amd64,linux/arm64
From caa67fa91f14880c5fb71be87f822738cc093fab Mon Sep 17 00:00:00 2001
From: Sijia Li <242334856+atngit2@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:07:20 -0700
Subject: [PATCH 6/7] fix: update docker/setup-qemu-action and docker/setup-buildx-action to correct v4 SHAs
---
 .github/workflows/build-caddy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-caddy.yml b/.github/workflows/build-caddy.yml
index bdd6ae9..3740441 100644
--- a/.github/workflows/build-caddy.yml
+++ b/.github/workflows/build-caddy.yml
@@ -376,11 +376,11 @@ jobs:
 # ──────────────────────────────────────────────────────────
 - name: Set up QEMU
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/setup-qemu-action@29109295f81e9208d7d86ff9c71e6827abe58fad # v3.6.0
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
 if: steps.decide.outputs.should_build == 'true'
- uses: docker/setup-buildx-action@b5730b8a8cf1d6d48e48cf989e2cec73a5748dae # v3.10.0
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Login to DockerHub
 if: steps.decide.outputs.should_build == 'true'
From ff2062ee12bbc6ebd4a6f36f7a9fc260b9463f4d Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 1 Apr 2026 10:10:57 -0700
Subject: [PATCH 7/7] chore: update build metadata [skip ci]
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 439f3e9..a436e8a 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 [![Build](https://img.shields.io/github/actions/workflow/status/atnplex/caddy/build-caddy.yml?style=flat-square&label=Build)](https://github.com/atnplex/caddy/actions)
-[![Last Run](https://img.shields.io/badge/Last_Run-Wed_Apr_01-blue?style=flat-square)](https://github.com/atnplex/caddy/actions)
+[![Last Run](https://img.shields.io/badge/Last_Run-Wed_Apr_01-brightgreen?style=flat-square)](https://github.com/atnplex/caddy/actions)
 [![Next Run](https://img.shields.io/badge/Next_Run-Mon_Apr_06-blue?style=flat-square)](https://github.com/atnplex/caddy/actions)