all: add renovate-bot config #21
Conversation
There was a problem hiding this comment.
As discussed, I don't think this is the most desirable outcome:
- Pin Docker images to SHA256 digests.
- Pin GitHub Actions to SHA1 commit hashes.
And if we are automatically updating the hashes of the actions and images, we are losing all the benefits of pinning those. So it is much simpler to use tags for trusted targets. Otherwise we should do a full audit of the target before pinning it to a hash and re-do the audit for every hash change.
|
We can't audit every dep, but at least if we pin by hash, we know we are getting the same thing each time. Obviously, once github fixes the immutable action stuff at which point it is a totally different discussion. The question isn't 'is pinning to hash' perfect, but is it better? |
|
if I understood correctly, I think there are several rules that can be configured for RenovateBot (similar to Dependabot). Perhaps we could pin actions with hashes with one rule, and use a different rule for docker and github actions. This would be in line with what discussed online, about allowing known actions to be used with tags |
Add a configuration preset (reusable) for Renovate bot and use it in this repository.
This configuration will:
all: update X to v1.2.3(e.g.all: update image golang to 1.24.4-alpine3.21,all: update actions/checkout action to v4.5.0)type: dependenciesThis configuration is a base, and should be improved later as needed - it can also be reused in other repositories (with optional overrides) in the future if we want.