Pin GitHub Actions to digests and add 1-day Renovate quarantine#62
Merged
BergCyrill merged 1 commit intomainfrom May 8, 2026
Merged
Pin GitHub Actions to digests and add 1-day Renovate quarantine#62BergCyrill merged 1 commit intomainfrom
BergCyrill merged 1 commit intomainfrom
Conversation
…ith OSV bypass Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
📝 WalkthroughWalkthroughThis PR pins GitHub Actions to specific commit SHAs across four CI/CD workflows and configures Renovate to automatically manage these pinned digests. All workflows continue executing their existing logic; only the action references are pinned for supply chain security and reproducibility. ChangesGitHub Actions Security Pinning
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Possibly related issues
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@renovate.json`:
- Around line 4-8: The OSV alerts setting currently won't bypass the 1-day
quarantine because osV-specific behavior ignores the top-level
minimumReleaseAge; add an explicit osvVulnerabilityAlerts block in renovate.json
(symbol: osvVulnerabilityAlerts) with minimumReleaseAge: "0" to allow OSV
vulnerability PRs to be created immediately, or alternatively remove/adjust the
global minimumReleaseAge if you prefer a different policy; update the Renovate
config where vulnerabilityAlerts and minimumReleaseAge are defined to include
this new block.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3337c08c-b104-4121-b04b-3529487b3e91
📒 Files selected for processing (5)
.github/workflows/docker.yaml.github/workflows/golang.yaml.github/workflows/helm-lint.yaml.github/workflows/helm-publish.yamlrenovate.json
Contributor
|
Checked the Shas myself. LGTM |
Perseus985
approved these changes
May 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Solves #55
Additional adds a quarantine for non-vulnerable bumps to 1 day.
Renovate config edited to use digest pinning for GitHub Actions.
Summary by CodeRabbit