From 88eadfaf47869ba451ff5bc3788d0f80396e1ecb Mon Sep 17 00:00:00 2001 From: Petr Ruzicka Date: Sun, 11 Feb 2024 11:45:29 +0100 Subject: [PATCH] fix(renovate): skip terraform updates (#154) --- .github/renovate.json5 | 4 ++++ .github/workflows/links.yml | 5 +++-- .github/workflows/markdown-check.yml | 3 ++- .github/workflows/mega-linter.yml | 8 ++++---- .github/workflows/release-please.yml | 2 +- .github/workflows/renovate.yml | 8 ++++---- .github/workflows/semantic-pull-request.yml | 6 +++--- .github/workflows/stale.yml | 5 +++-- .github/workflows/vuepress-build.yml | 5 +++-- .gitignore | 19 ++++++++++--------- .trivyignore.yaml | 16 ++++++++++------ 11 files changed, 47 insertions(+), 34 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1117e58..0ee1648 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -13,6 +13,10 @@ "git-submodules": { enabled: true, }, + ignorePaths: [ + // Ignore Terraform files + "terraform/**", + ], labels: [ "renovate", "renovate/{{replace '.*/' '' depName}}", diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index faa15b5..e87a462 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -1,4 +1,5 @@ -name: Links +--- +name: links on: workflow_dispatch: @@ -12,7 +13,7 @@ on: permissions: read-all jobs: - linkChecker: + links: runs-on: ubuntu-latest steps: - name: Checkout diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml index 7bbca4b..5badb5f 100644 --- a/.github/workflows/markdown-check.yml +++ b/.github/workflows/markdown-check.yml @@ -1,3 +1,4 @@ +--- name: markdown-check on: 
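Review bot: The added `// Ignore Terraform files` comment in the renovate.json5 hunk says what the entry does but not why, and the effect is wider than "skip terraform updates" suggests: every Renovate manager stops touching `terraform/**`, so provider and module bumps that carry security fixes will no longer be proposed for those files. A comment of the form `// Ignore Terraform files: <reason, e.g. updated by hand> (#154)` would let a later maintainer judge whether the exclusion still applies. Note also that the glob covers only a top-level `terraform` directory; Terraform files elsewhere in the repository (if any) are still processed.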
@@ -43,7 +44,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Node.js LTS version - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 - name: Install markdown-spellcheck run: npm install -g markdown-spellcheck diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index da4e06b..e6aab5f 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -1,5 +1,5 @@ --- -name: MegaLinter +name: mega-linter on: workflow_dispatch: @@ -10,8 +10,7 @@ on: permissions: read-all jobs: - build: - name: MegaLinter + mega-linter: runs-on: ubuntu-latest steps: - name: Checkout Code @@ -28,12 +27,13 @@ jobs: run: | set -euxo pipefail echo '#!/usr/bin/env bash' > README.sh - find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do + find . -name '*.md' -print0 | while IFS= read -r -d '' FILE; do # Extract: ```bash ... ``` sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh # Extract: ```bash ... ``` sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh done + ls -la README.sh chmod a+x README.sh - name: 💡 MegaLinter diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index faff21a..89a0688 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -12,7 +12,7 @@ permissions: pull-requests: write jobs: - release-please-pr: + release-please: runs-on: ubuntu-latest steps: - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2 diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index cc55c46..1e3f609 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
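Review bot: In the mega-linter README.sh hunk, `find . -name '*.md' -print0` walks the whole checkout, so if a dependency install step precedes it (not visible here) the generated script also collects fenced blocks from third-party markdown under `node_modules/`; `find . -path ./node_modules -prune -o -name '*.md' -print0 | while IFS= read -r -d '' FILE; do` keeps the extraction to the repository's own docs. Separately, both `# Extract:` comments are identical although the second `sed` handles fences indented by two spaces; `# Extract indented fences (2 spaces, e.g. inside list items): ```bash ... ``` ` would say so. The `run:` block starts before this hunk.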
@@ -1,5 +1,5 @@ --- -name: Renovate +name: renovate on: workflow_dispatch: @@ -20,7 +20,7 @@ on: - main - "!renovate/*" schedule: - - cron: "0 0,2,4 * * *" + - cron: "0 0,2,4 * * 0" env: # https://docs.renovatebot.com/troubleshooting/#log-debug-levels @@ -44,12 +44,12 @@ jobs: renovate: runs-on: ubuntu-latest concurrency: - group: renovate + group: ${{ github.workflow }}-${{ github.ref }} steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/create-github-app-token@86576b355dd19da0519e0bdb63d8edb5bcf76a25 # v1.7.0 + - uses: actions/create-github-app-token@f4c6bf6752984b3a29fcc135a5e70eb792c40c6b # v1.8.0 id: app-token with: app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml index 90d4309..fbaa8d1 100644 --- a/.github/workflows/semantic-pull-request.yml +++ b/.github/workflows/semantic-pull-request.yml @@ -1,4 +1,5 @@ -name: Semantic Pull Request +--- +name: semantic-pull-request on: pull_request_target: @@ -11,8 +12,7 @@ permissions: pull-requests: read jobs: - main: - name: Semantic Pull Request + semantic-pull-request: runs-on: ubuntu-latest steps: - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e872faa..1c370eb 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,4 +1,5 @@ -name: Close stale issues and PRs +--- +name: stale on: schedule: @@ -9,7 +10,7 @@ permissions: pull-requests: write jobs: - mark-stale-issues-and-prs: + stale: runs-on: ubuntu-latest steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 diff --git a/.github/workflows/vuepress-build.yml b/.github/workflows/vuepress-build.yml index f9bdc83..d42a396 100644 --- a/.github/workflows/vuepress-build.yml +++ b/.github/workflows/vuepress-build.yml 
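Review bot: The cron change in the renovate.yml schedule hunk moves Renovate from three runs every day to three runs on Sundays only, which is not mentioned in the commit title and means a dependency with a published fix waits up to a week for a PR unless someone uses `workflow_dispatch`. If the slower cadence is intended, a comment above the entry such as `# Sundays only, at 00:00, 02:00 and 04:00 UTC` records it; otherwise the previous `* * *` day-of-week field is the one to keep.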
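Review bot: The new concurrency key `${{ github.workflow }}-${{ github.ref }}` no longer serializes Renovate repository-wide: the old `group: renovate` queued every run behind the previous one, whereas now a `workflow_dispatch` on another branch can run alongside the scheduled or push-triggered run on `main`, both acting on the same repository with the same app token. If that overlap is not wanted (duplicate or conflicting PRs seem possible, though the Renovate configuration is not visible here), `group: ${{ github.workflow }}` keeps the per-workflow serialization while still being derived from the workflow name. The job definition continues outside the hunk.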
@@ -1,3 +1,4 @@ +--- name: vuepress-build on: @@ -21,7 +22,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Node.js - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 16.x @@ -42,7 +43,7 @@ jobs: with: url: ${{ steps.pages.outputs.base_url }} pages_path: . - cmd_params: '--exclude=(mylabs.dev|myexample.dev|github.com/ruzickap/k8s-flux-repository|azure.microsoft.com) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification' + cmd_params: '--exclude=(mylabs.dev|localhost|myexample.dev|github.com/ruzickap/k8s-flux-repository|azure.microsoft.com) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification' - name: Deploy uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 diff --git a/.gitignore b/.gitignore index bdf002b..0f0c20c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,27 +1,28 @@ # pre-commit configuration file .pre-commit-config.yaml -# Kubernetes kubeconfig file -kubeconfig*.conf* +# demo-magic.sh script +demo-magic.sh # Vuepress Pages docs/.vuepress/dist -docs/.vuepress/.temp/ -docs/.vuepress/.cache/ -# tmp directory -tmp/ +# Kubernetes kubeconfig file +kubeconfig*.conf* # Node modules node_modules/ +# nohup output +nohup.out + # README.sh script README.sh -# demo-magic.sh script -demo-magic.sh +# tmp directory +tmp/ # Terraform files -.terraform +.terraform* *.tfstate* crash.log diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 7d9b90c..60d006a 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml 
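Review bot: The updated `cmd_params` line in vuepress-build.yml still passes `--skip-tls-verification`, so a linked site serving an expired or mis-issued certificate passes the link check; if the flag exists for one specific host, a comment naming it above the step would explain why, otherwise dropping it lets the check catch certificate breakage. The added `localhost` exclusion itself is fine; the alternation appears to be a regular expression, so the unescaped dots in `mylabs.dev` and the other entries match any character, which is harmless here but worth knowing when adding entries.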
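Review bot: Broadening `.terraform` to `.terraform*` in the .gitignore hunk also matches `.terraform.lock.hcl`, the provider dependency lock file that is normally committed so provider versions and hashes stay pinned across machines and CI; together with the renovate.json5 change that stops Renovate from processing `terraform/**`, provider pins would then be neither tracked nor updated. If the lock file is meant to stay in the repository, `.terraform/` (the old behaviour, with a trailing slash to make the directory intent explicit) or `.terraform*` followed by `!.terraform.lock.hcl` keeps it out of the ignore set.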
@@ -1,16 +1,20 @@ vulnerabilities: - # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │ + # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │ - id: CVE-2020-28469 - # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │ + # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │ - id: CVE-2022-46175 - # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │ + # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │ - id: CVE-2022-37601 - # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │ + # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │ - id: CVE-2022-24771 - # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │ + # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │ - id: CVE-2022-24772 - # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │ + # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │ - id: CVE-2021-3803 + # | ip │ CVE-2023-42282 │ HIGH │ affected │ 1.1.8 │ │ An issue in NPM IP Package v.1.1.8 and before allows an │ + - id: CVE-2023-42282 + # │ normalize-url │ CVE-2021-33502 │ HIGH │ fixed │ 4.5.0 │ 4.5.1, 5.3.1, 6.0.1 │ ReDoS for data URLs │ + - id: CVE-2021-33502 misconfigurations: # Launch configuration with unencrypted block device.
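Review bot: The two new ignore entries in .trivyignore.yaml carry no justification or expiry; `CVE-2021-33502` is described in its own comment line as fixed (4.5.1, 5.3.1, 6.0.1), so suppressing it instead of updating normalize-url needs a reason a later reader can check, and `CVE-2023-42282` has no fixed version listed, which is exactly the case where an expiry stops the suppression from becoming permanent. Trivy's YAML ignore file accepts per-entry `statement:` and `expired_at:` fields, e.g. `statement: "<why this finding does not apply here>"` and `expired_at: <YYYY-MM-DD, placeholder>` under each new `- id:`. The new `ip` comment also begins with an ASCII `# |` while every other row uses `│`, so the table no longer lines up.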