audit: idempotency, consistency, and hardening improvements

.github/renovate.json

@@ -1,10 +1,10 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:base"],
+    "extends": ["config:recommended"],
     "timezone": "America/Los_Angeles",
     "schedule": ["every weekend"],
     "prCreation": "not-pending",
-    "automerge": true,
+    "automerge": false,
     "automergeType": "pr",
     "automergeStrategy": "squash",
     "labels": ["dependencies", "docker"],
@@ -26,6 +26,12 @@
             "automerge": true,
             "commitMessageTopic": "go module {{depName}}"
         },
+        {
+            "matchDatasources": ["github-releases"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "automerge": true,
+            "commitMessageTopic": "github release {{depName}}"
+        },
         {
             "matchUpdateTypes": ["major"],
             "automerge": false,
@@ -46,25 +52,25 @@
         },
         {
             "customType": "regex",
-            "description": "Update cosign version and SHA in workflow",
+            "description": "Update cosign version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
             "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
             "matchStrings": [
-                "COSIGN_VERSION: (?<currentValue>v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+COSIGN_SHA256: \"(?<currentDigest>[a-f0-9]+)\""
+                "COSIGN_VERSION: (?<currentValue>v[^\\n]+)"
             ],
             "datasourceTemplate": "github-releases",
             "depNameTemplate": "sigstore/cosign",
-            "extractVersionTemplate": "^(?<version>.*)$"
+            "versioningTemplate": "semver"
         },
         {
             "customType": "regex",
-            "description": "Update docker-scout version and SHA in workflow",
+            "description": "Update docker-scout version in workflow (version field only; SHA256 must be updated manually or via a separate manager)",
             "fileMatch": ["^\\.github/workflows/build-caddy\\.yml$"],
             "matchStrings": [
-                "SCOUT_VERSION: (?<currentValue>v[^\\n]+)(?:\\n\\s+#[^\\n]*)*\\n\\s+SCOUT_SHA256: \"(?<currentDigest>[a-f0-9]+)\""
+                "SCOUT_VERSION: (?<currentValue>v[^\\n]+)"
             ],
             "datasourceTemplate": "github-releases",
             "depNameTemplate": "docker/scout-cli",
-            "extractVersionTemplate": "^(?<version>.*)$"
+            "versioningTemplate": "semver"
         }
     ]
 }

.github/workflows/build-caddy.yml

@@ -46,7 +46,7 @@ jobs:
             # STEP 1 — Checkout
             # ──────────────────────────────────────────────────────────
             - name: Checkout Repository
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   ref: ${{ github.ref_name }}
                   fetch-depth: 0
@@ -159,15 +159,17 @@ jobs:
                   )"
 
                   echo "Resolving cache-handler HEAD commit..."
+                  # caddyserver/cache-handler uses 'master' as its default branch (not 'main').
                   CACHE_HANDLER_REF="$(
                       retry git ls-remote --heads https://github.com/caddyserver/cache-handler.git \
-                      | awk '/refs\/heads\/main/ {print $1}'
+                      | awk '/refs\/heads\/master/ {print $1}'
                   )"
 
                   echo "Resolving transform-encoder HEAD commit..."
+                  # caddyserver/transform-encoder uses 'master' as its default branch (not 'main').
                   TRANSFORM_ENCODER_REF="$(
                       retry git ls-remote --heads https://github.com/caddyserver/transform-encoder.git \
-                      | awk '/refs\/heads\/main/ {print $1}'
+                      | awk '/refs\/heads\/master/ {print $1}'
                   )"
 
                   echo "Resolving caddy-security version..."
@@ -332,7 +334,7 @@ jobs:
             - name: Cache CLI tools
               if: steps.decide.outputs.should_build == 'true'
               id: cache-cli
-              uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+              uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
               with:
                   path: |
                       ~/.local/bin/cosign
@@ -382,14 +384,14 @@ jobs:
 
             - name: Login to DockerHub
               if: steps.decide.outputs.should_build == 'true'
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
               with:
                   username: ${{ env.DOCKERHUB_USERNAME }}
                   password: ${{ env.DOCKERHUB_TOKEN }}
 
             - name: Login to GHCR
               if: steps.decide.outputs.should_build == 'true'
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
               with:
                   registry: ${{ env.GHCR_REGISTRY }}
                   username: ${{ github.actor }}
@@ -401,7 +403,7 @@ jobs:
             - name: Build Local Test Image
               if: steps.decide.outputs.should_build == 'true'
               timeout-minutes: 30
-              uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+              uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
               with:
                   context: ./docker/caddy
                   platforms: linux/amd64
@@ -549,7 +551,7 @@ jobs:
               if: steps.decide.outputs.should_build == 'true'
               id: push
               timeout-minutes: 60
-              uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+              uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
               with:
                   context: ./docker/caddy
                   platforms: linux/amd64,linux/arm64
@@ -679,6 +681,10 @@ jobs:
 
             # ──────────────────────────────────────────────────────────
             # STEP 12 — Commit and push metadata (always runs)
+            # Pushes to the branch that triggered this workflow run
+            # (github.ref_name), not a hardcoded branch name. This allows
+            # the workflow to be tested on feature/audit branches without
+            # accidentally writing metadata back to main.
             # ──────────────────────────────────────────────────────────
             - name: Commit and Push Metadata
               if: always()
@@ -700,13 +706,13 @@ jobs:
                   # Rebase on any concurrent commits pushed while this job was running.
                   # The concurrency group (cancel-in-progress: true) prevents two jobs
                   # from running simultaneously, but a Renovate automerge or other
-                  # automation could push to main between our checkout and this push.
-                  git pull --rebase origin main || {
-                      echo "ERROR: git rebase failed — likely a merge conflict with concurrent main changes." >&2
+                  # automation could push to the branch between our checkout and this push.
+                  git pull --rebase origin "${{ github.ref_name }}" || {
+                      echo "ERROR: git rebase failed — likely a merge conflict with concurrent branch changes." >&2
                       git rebase --abort 2>/dev/null || true
                       exit 1
                   }
-                  git push origin HEAD:main
+                  git push origin "HEAD:${{ github.ref_name }}"
 
             # ──────────────────────────────────────────────────────────
             # STEP 13 — Create GitHub Release