chores around renovate, security context, and appVersion
move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue Signed-off-by: jessebot <jessebot@linux.com>
This commit is contained in:
jessebot
@@ -0,0 +1,34 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"customManagers": [
|
||||
{
|
||||
"customType": "regex",
|
||||
"datasourceTemplate": "docker",
|
||||
"fileMatch": [
|
||||
"(^|/)Chart\\.yaml$"
|
||||
],
|
||||
"matchStrings": [
|
||||
"#\\s*renovate: image=(?<depName>.*?)\\s+appVersion:\\s*[\"']?(?<currentValue>[\\w+\\.\\-]*)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"packageRules": [
|
||||
{
|
||||
"description": "Bump helm chart versions by a patch when updating values files. Digests, pins, rollbacks, replacements and pinDigest updates are deliberately ignored since in our use case, these need a manual decision about the version bump for the chart. This can be removed when https://github.com/renovatebot/renovate/issues/8231 is implemented and enabled.",
|
||||
"matchManagers": ["helm-values", "regex"],
|
||||
"postUpgradeTasks": {
|
||||
"commands": [
|
||||
"scripts/bump-chart-version.sh '{{{parentDir}}}' '{{{updateType}}}'"
|
||||
],
|
||||
"fileFilters": ["**/Chart.yaml"],
|
||||
"executionMode": "branch"
|
||||
}
|
||||
},
|
||||
{
|
||||
"matchManagers": ["github-actions"],
|
||||
"matchUpdateTypes": ["patch", "minor"],
|
||||
"automerge": true,
|
||||
"ignoreTests": true
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user