Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 1m46s
CI / OCR Service Tests (pull_request) Successful in 16s
CI / Backend Unit Tests (pull_request) Successful in 4m8s
CI / fail2ban Regex (pull_request) Successful in 38s
CI / Compose Bucket Idempotency (pull_request) Failing after 11s
CI / OCR Service Tests (push) Successful in 16s
CI / Unit & Component Tests (push) Failing after 1m52s
CI / Backend Unit Tests (push) Successful in 4m11s
CI / fail2ban Regex (push) Successful in 39s
CI / Compose Bucket Idempotency (push) Failing after 10s
Adds a packageRule matching .gitea/workflows/** digest updates with automerge: false. Digest bumps for images running --privileged --pid=host have root-equivalent host access and must not be auto-merged. Addresses Nora's review concern on #537.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
18 lines
551 B
JSON
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "matchPackagePatterns": ["^@tiptap/"],
      "groupName": "tiptap",
      "automerge": false
    },
    {
      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
      "matchPaths": [".gitea/workflows/**"],
      "matchUpdateTypes": ["digest"],
      "automerge": false,
      "reviewersFromCodeOwners": false
    }
  ]
}