Applying major/minor/patch automerge logic to SHA-pinned dependencies
I am using Renovate on a GitHub repository to keep dependencies up to date.
I want to automerge patches and minor releases, but I want to let minor releases ripen for a few days, using the stabilityDays setting. This seemed to be working with this config:
    "minor": {
        "automerge": true,
        "stabilityDays": 3,
        "prCreation": "not-pending"
    },
    "patch": {
        "automerge": true,
        "stabilityDays": 0
    },
    "major": {
        "automerge": false
    },
I turned on security code scanning in my repo with "Scorecards" using the ossf/scorecard-action, and the security scanning turned up some findings with helpful mitigation paths. One of the suggestions was to use the SHA digest values to pin Docker dependencies instead of version numbers.
For example,
uses: actions/checkout@v3
becomes
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
That feels safer, so I like that. But now the renovate PRs are not automerging like they used to and Renovate-bot leaves me this message in a PR that would have automerged when I was not using SHA digests:
    Automerge: Disabled by config. Please merge this manually once you are satisfied.
when before it would say:
    Automerge: Enabled.
How can I configure Renovate to support better security and less noise and less manual intervention, while not allowing automerging of major versions?
I think that
    "digest": {
        "automerge": true,
        "stabilityDays": 3,
        "prCreation": "not-pending"
    },
would turn on automerge for dependencies pinned by SHA digest keys, but now I think major version changes would be automerged, and I do not want that.
I have pored over the docs and other SO posts and could not winkle out a fix.
How can I have the serenity of SHA pinning and the convenience of minor and patch automerging?
The answer to this question is that you can configure Renovate to follow your preferred major/minor/patch automerge logic when using SHA digest versions to pin dependencies.
The trick is the use of a comment after the dependency digest version.
So, if you want to not automerge major version changes, and you want to give minor updates a three day stability period and you want to automerge patches quickly, all while pinning with digests, you could have this in your renovate.json configuration:
Then go about pinning with the tag=<version> comment command like this, where we use a digest to pin the version of actions/checkout@v3 in a GitHub action workflow:
The presence of the version comment with the digest pin tells Renovatebot to respect any major/minor/patch automerge logic and to keep the version in the comment up to date with the digest version.
Thanks to @viceice on the Renovatebot discussion board for pointing me to this answer. It's been working great for me.
You can see this syntax in practice at https://github.com/renovatebot/renovate/blob/a9a81275bf1fa40a4ba986601ab9fefd13fc9d41/.github/workflows/build.yml#L57
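The answer above hinges on one detail: a SHA pin alone gives Renovate no semver information, so only the "digest" rules apply, while a SHA pin followed by a `# tag=<version>` comment lets it apply the major/minor/patch rules again. The script below is an added example (my own code, not from the answer, the question, or the Renovate project) that audits a workflow file for exactly that state, in the spirit of the Scorecard pinned-dependencies finding the question mentions. It goes slightly beyond the answer by classifying every `uses:` reference into tag-only, SHA-without-comment, SHA-with-comment, or unpinned. Assumptions: the accepted comment forms are `# tag=v3`, `# tag=v3.5.3`, or a bare `# v3`; the sample workflow is constructed, reusing the actions/checkout SHA quoted in the question, and the all-zero SHA is an obvious placeholder.

```python
import re
from typing import Optional

# Constructed sample workflow excerpt (not from the original post). The first
# SHA is the actions/checkout digest quoted in the question; the all-zero SHA
# is an obvious placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 # tag=v3
      - uses: actions/setup-node@v3
      - uses: actions/cache@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# A `uses:` line with an optional trailing `# ...` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
# A full 40-hex-character commit SHA (what Scorecard's pinned-dependencies check wants).
SHA40_RE = re.compile(r"[0-9a-f]{40}")
# Version comment forms assumed to be understood by Renovate's github-actions
# manager: `tag=v3`, `tag=v3.5.3`, or a bare `v3`.
TAG_COMMENT_RE = re.compile(r"(?:tag=)?(?P<version>v?\d+(?:\.\d+){0,2})")


def classify_uses(ref: str, comment: Optional[str]):
    """Classify one `uses:` reference.

    Returns (kind, version) where kind is one of:
      skip          local path or docker:// reference, not a GitHub action ref
      unpinned      no @ref at all
      tag-only      pinned to a mutable tag or branch (Scorecard flags this)
      sha-no-tag    pinned to a SHA but no version comment, so Renovate cannot
                    tell major from minor/patch and falls back to "digest" rules
      sha-with-tag  SHA pin plus `# tag=vX` comment: semver automerge rules apply
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip", None
    if "@" not in ref:
        return "unpinned", None
    _action, _, pin = ref.rpartition("@")
    if SHA40_RE.fullmatch(pin):
        if comment:
            m = TAG_COMMENT_RE.fullmatch(comment.strip())
            if m:
                return "sha-with-tag", m.group("version")
        return "sha-no-tag", None
    return "tag-only", pin


def audit_workflow(text: str):
    """Scan workflow YAML text line by line and report every action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind, version = classify_uses(m.group("ref"), m.group("comment"))
        if kind == "skip":
            continue
        findings.append({"line": lineno, "ref": m.group("ref"), "kind": kind, "version": version})
    return findings


def needs_attention(findings):
    """Only `sha-with-tag` satisfies both Scorecard and Renovate's semver logic."""
    return [f for f in findings if f["kind"] != "sha-with-tag"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['kind']:<13} {f['ref']}  version={f['version']}")
```

Run it against a real file by reading the YAML into `audit_workflow`; anything reported by `needs_attention` is a reference that will either be flagged by Scorecard (tag-only) or silently fall back to Renovate's "digest" rules (sha-no-tag), which is the state the question describes.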