08c7dbcaa2
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m49s
CI / OCR Service Tests (push) Successful in 15s
CI / Backend Unit Tests (push) Successful in 4m7s
CI / fail2ban Regex (push) Successful in 38s
CI / Compose Bucket Idempotency (push) Successful in 57s
CI / Unit & Component Tests (pull_request) Failing after 2m47s
CI / OCR Service Tests (pull_request) Successful in 15s
CI / Backend Unit Tests (pull_request) Successful in 4m9s
CI / fail2ban Regex (pull_request) Successful in 37s
CI / Compose Bucket Idempotency (pull_request) Successful in 55s
Adds a packageRule matching .gitea/workflows/** digest updates with automerge: false. Digest bumps for images running --privileged --pid=host have root-equivalent host access and must not be auto-merged. Addresses Nora's review concern on #537. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
18 lines
551 B
JSON
18 lines
551 B
JSON
{
|
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
"packageRules": [
|
|
{
|
|
"matchPackagePatterns": ["^@tiptap/"],
|
|
"groupName": "tiptap",
|
|
"automerge": false
|
|
},
|
|
{
|
|
"description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
|
|
"matchPaths": [".gitea/workflows/**"],
|
|
"matchUpdateTypes": ["digest"],
|
|
"automerge": false,
|
|
"reviewersFromCodeOwners": false
|
|
}
|
|
]
|
|
}
|