75293c6aa8
The reload-caddy pinned alpine digest moved out of the workflow files into a composite action. Add .gitea/actions/** to the manual-review digest rule so the digest stays watched and never silently goes stale (#603). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
25 lines
965 B
JSON
25 lines
965 B
JSON
{
|
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
"packageRules": [
|
|
{
|
|
"description": "bucket4j-core is manually pinned outside the Spring BOM — track patch auto-merge, minor/major as PRs.",
|
|
"matchPackageNames": ["com.bucket4j:bucket4j-core"],
|
|
"groupName": "bucket4j",
|
|
"automerge": true,
|
|
"matchUpdateTypes": ["patch"]
|
|
},
|
|
{
|
|
"matchPackagePatterns": ["^@tiptap/"],
|
|
"groupName": "tiptap",
|
|
"automerge": false
|
|
},
|
|
{
|
|
"description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
|
|
"matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
|
|
"matchUpdateTypes": ["digest"],
|
|
"automerge": false,
|
|
"reviewersFromCodeOwners": false
|
|
}
|
|
]
|
|
}
|