From e6d55deb5bfcd235249ae5c210850d22c62f11e8 Mon Sep 17 00:00:00 2001 From: Fabian Kammel Date: Tue, 18 Oct 2022 15:20:50 +0200 Subject: [PATCH] document renovate exception for generator to use tags instead of digests. (#1074) Signed-off-by: Fabian Kammel Signed-off-by: Fabian Kammel --- README.md | 2 ++ RENOVATE.md | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 RENOVATE.md diff --git a/README.md b/README.md index 17a3f7c947..127fb4422a 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,8 @@ reusable workflow. It also needs to be referred as `@vX.Y.Z`, because the build This is contrary to the [GitHub best practice for third-party actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) which recommends referencing by digest, but intentional due to limits in GitHub Actions. The desire to be able to verify reusable workflows pinned by hash, and the reasons for the current status, are tracked as [Issue #12](https://github.com/slsa-framework/slsa-verifier/issues/12) in the slsa-verifier project. +For guidance on how to configure renovate see [RENOVATE.md](RENOVATE.md). + ### Builders Builders build and generate provenance. They let you meet the [build](https://slsa.dev/spec/v0.1/requirements#build-requirements) diff --git a/RENOVATE.md b/RENOVATE.md new file mode 100644 index 0000000000..d964311985 --- /dev/null +++ b/RENOVATE.md 
@@ -0,0 +1,19 @@ +# Renovate Best Practices and SLSA-GitHub-Generator + +Renovate helps users to enforce security best practices when continuously upgrading GitHub actions. + +Renovate provides a configuration snippet, which is used by most GitHub projects, to [automatically pin dependencies using the digest](https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests) instead of git tags: `helpers:pinGitHubActionDigests`. + +To add an exception to this rule for slsa-github-generator add the following package rule to your `renovate.json` config. + +```json +"packageRules": [ + { + "matchManagers": ["github-actions"], + "matchPackageNames": ["slsa-framework/slsa-github-generator"], + "pinDigests": false + } + ] +``` + +This will enable you to receive upgrades for the generator and keep the tagged version.
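Review bot: the README addition (`+For guidance on how to configure renovate see [RENOVATE.md](RENOVATE.md).`) does not say why a separate Renovate document is needed, even though the paragraph directly above it gives the reason: the generator has to be referenced as `@vX.Y.Z`, which conflicts with Renovate's digest-pinning preset. Suggest tying the two together so the reader knows it is a deliberate exception rather than generic tooling advice, e.g. `Because the generator must be referenced by tag, Renovate's digest-pinning preset needs an exception for it; see [RENOVATE.md](RENOVATE.md).`, and capitalising `Renovate` as the product name, which is how the new RENOVATE.md itself writes it.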
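Review bot: the `packageRules` snippet in the new RENOVATE.md is not a valid standalone `renovate.json` (a top-level `"packageRules": [` with no enclosing `{ }`) and its indentation is uneven (the closing `]` is indented while the opening key is not), so a reader who pastes it as-is gets a parse error; suggest either wrapping it as `{ "packageRules": [ ... ] }` or stating that the rule is to be merged into the `packageRules` array of an existing config. The doc should also spell out the security trade-off that `"pinDigests": false` reintroduces, namely that this one dependency stays a mutable tag reference, for the reason the README gives (the generator cannot be referenced by digest, tracked in slsa-verifier Issue #12), and that the rule must stay scoped via `matchManagers` / `matchPackageNames` so digest pinning remains in force for every other action; the closing line `This will enable you to receive upgrades for the generator and keep the tagged version.` would read better as something like `Renovate will still open upgrade PRs for the generator but will keep the tag reference instead of replacing it with a digest.` Two smaller points: `which is used by most GitHub projects` is an unsupported claim (prefer `widely used` or drop it), and since the generator is consumed as a reusable workflow (`owner/repo/.github/workflows/...@tag`) rather than a plain action, it is worth confirming that the `github-actions` manager reports that dependency under the bare `slsa-framework/slsa-github-generator` name, otherwise the rule silently fails to match and the digest preset applies anyway.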