marcel/familienarchiv
1
0
Fork 0
Code Issues 127 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

chore(renovate): require manual review for privileged CI image digest bumps
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m49s
Details
CI / OCR Service Tests (push) Successful in 15s
Details
CI / Backend Unit Tests (push) Successful in 4m7s
Details
CI / fail2ban Regex (push) Successful in 38s
Details
CI / Compose Bucket Idempotency (push) Successful in 57s
Details
CI / Unit & Component Tests (pull_request) Failing after 2m47s
Details
CI / OCR Service Tests (pull_request) Successful in 15s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m9s
Details
CI / fail2ban Regex (pull_request) Successful in 37s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 55s
Details

Browse Source 
Adds a packageRule matching .gitea/workflows/** digest updates with
automerge: false. Digest bumps for images running --privileged --pid=host
have root-equivalent host access and must not be auto-merged.

Addresses Nora's review concern on #537.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-11 23:15:05 +02:00
parent a3f1260c23
commit 08c7dbcaa2
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
renovate.json
View File

@@ -5,6 +5,13 @@
"matchPackagePatterns": ["^@tiptap/"], "matchPackagePatterns": ["^@tiptap/"],
"groupName": "tiptap", "groupName": "tiptap",
"automerge": false "automerge": false
},
{
"description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
"matchPaths": [".gitea/workflows/**"],
"matchUpdateTypes": ["digest"],
"automerge": false,
"reviewersFromCodeOwners": false
} }
] ]
} }