diff --git a/.github/renovate.json5 b/.github/renovate.json5
index a1fe6d7f..79e5d7ab 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -113,5 +113,19 @@
 matchFileNames: ['.github/workflows/rebuild.yaml'],
 enabled: false,
 },
+ /** Packages published very recently are not pushed to stabilization branches for security reasons */
+ {
+ matchBaseBranches: [
+ '/^[0-9]+\\.[0-9]+$/',
+ '/^[0-9]+\\.[0-9]+-gdal[0-9]+\\.[0-9]+$/',
+ '/^[0-9]+\\.[0-9]+-ubuntu[0-9]+\\.[0-9]+$/',
+ ],
+ minimumReleaseAge: '7 days',
+ },
+ /** Ungroup Python dependencies */
+ {
+ matchDepNames: ['python'],
+ groupName: 'Python',
+ },
 ],
 }
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
deleted file mode 100644
index 3aab9a6c..00000000
--- a/.github/workflows/audit.yaml
+++ /dev/null
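Review bot: The 7-day `minimumReleaseAge` in the new rule is applied only to base branches matching the three stabilization patterns, so on every other base branch (the default branch included) a version is still proposed the day it is published; if the goal named in the comment is to leave time for a malicious or broken release to be yanked, either extend the floor to the default branch as well or state in the comment that it is deliberately skipped there. As far as I know Renovate only honours `minimumReleaseAge` for datasources that publish release timestamps, which may not hold for every Docker image or GitHub Action this repository tracks — worth confirming in the Renovate logs/dashboard that the floor is actually enforced for those. The comment on the second rule, `/** Ungroup Python dependencies */`, contradicts `groupName: 'Python'`, which gathers `python` updates into their own group rather than ungrouping them; `/** Keep updates of the python dependency in their own 'Python' group, separate from the default grouping */` describes what the rule does.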
@@ -1,59 +0,0 @@ -name: Audit - -on: - schedule: - - cron: '30 2 * * *' - -jobs: - audit: - name: Audit - runs-on: ubuntu-24.04 - timeout-minutes: 10 - - strategy: - fail-fast: false - matrix: - branch: - - 7.6-gdal3.3 - - 7.6-gdal3.7 - - 7.6-gdal3.8 - - 7.6-ubuntu18.04 - - 8.0-gdal3.6 - - 8.0-gdal3.7 - - 8.0-gdal3.8 - - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - token: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }} - - - uses: camptocamp/initialise-gopass-summon-action@v2 - with: - ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}} - github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}} - - - run: python3 -m venv ~/.venv - - run: ~/.venv/bin/pip install --pre c2cciutils[audit] - - run: python3 -m pip install --pre c2cciutils[audit] - - - name: Snyk audit - run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }} - env: - GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }} - - name: Debug Snyk audit - run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }} || true - env: - GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }} - DEBUG: '*snyk*' - if: failure() - - name: Check ci/dpkg-versions.yaml file existence - id: dpkg-versions - uses: andstor/file-existence-action@v3 - with: - files: ci/dpkg-versions.yaml - - name: Update dpkg packages versions - run: ~/.venv/bin/c2cciutils-docker-versions-update --branch=${{ matrix.branch }} - env: - GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
diff --git a/.github/workflows/clean.yaml b/.github/workflows/clean.yaml
index eaf29bf0..2c8252fd 100644
--- a/.github/workflows/clean.yaml
+++ b/.github/workflows/clean.yaml
@@ -25,6 +25,9 @@ jobs:
 sudo rm /etc/apt/sources.list.d/*.list
 sudo apt update
 sudo apt install --yes python3-wheel
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
 - run: sudo python3 -m pip install --requirement=ci/requirements.txt
 - name: Clean Docker hub tags
 run: c2cciutils-clean
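Review bot: The `sudo python3 -m pip install …` context line right after the new `actions/setup-python@v5` step runs under root's `secure_path`, so `python3` there resolves to the system interpreter rather than the 3.11 toolcache the new step just installed; the added step is therefore most likely a no-op for this install, and the tooling still lands in system site-packages as root. If the intent is to align with main.yaml, drop `sudo`: `- run: python3 -m pip install --requirement=ci/requirements.txt` (the `sudo apt install --yes python3-wheel` line above probably becomes unnecessary too — the job's `runs-on` and earlier steps are outside this hunk, so confirm). While touching this, `actions/setup-python@v5` is pinned to a mutable tag; pinning to a full commit SHA with the tag in a trailing comment is the usual hardening for a job that, judging by the step name, holds Docker Hub credentials.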
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 8fd3d2bc..3bab4b27 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -35,7 +35,7 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: '3.11'
- - run: python3 -m pip install --user --requirement=ci/requirements.txt
+ - run: python3 -m pip install --requirement=ci/requirements.txt
 - name: Print environment information
 run: c2cciutils-env
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ece18582..ee5a02af 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -90,11 +90,7 @@ repos:
 hooks:
 - id: jsonschema-validator
 files: ^ci/config\.yaml$
-ci:
- autoupdate_schedule: quarterly
- skip:
- - copyright
- - poetry-check
- - poetry-lock
- - ripsecrets
- - jsonschema-validator
+ - repo: https://github.com/renovatebot/pre-commit-hooks
+ rev: 37.428.1
+ hooks:
+ - id: renovate-config-validator
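Review bot: The new `python3 -m pip install --requirement=ci/requirements.txt` line pulls the CI tooling from PyPI at run time with no integrity check on what the index serves; if ci/requirements.txt is fully pinned with hashes (I cannot see it from this hunk), adding `--require-hashes` makes a substituted or re-published artifact fail the install instead of running inside a job that holds the repository's secrets. Dropping `--user` also changes where console scripts land (the toolcache's `bin` instead of `~/.local/bin`), which is presumably why `c2cciutils-env` on the following line resolves; a short comment such as `# no --user: setup-python's interpreter is writable and its bin is already on PATH` would record that for the next reader. The enclosing `jobs:` block begins before this hunk.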