diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..a87f7e04c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,68 @@ +version: 2 + +updates: + - package-ecosystem: github-actions + directories: + - '/' + schedule: + interval: weekly + cooldown: + default-days: 3 + commit-message: + prefix: 'chore' + include: 'scope' + labels: + - 'dependencies' + - 'automated' + groups: + github-actions: + patterns: + - '*' + + - package-ecosystem: docker + directories: + - '/' + - '/localgit' + schedule: + interval: weekly + cooldown: + default-days: 3 + commit-message: + prefix: 'chore' + include: 'scope' + labels: + - 'dependencies' + - 'automated' + groups: + docker: + patterns: + - '*' + + - package-ecosystem: npm + directories: + - '/' + - '/packages/git-proxy-cli' + - '/plugins/git-proxy-plugin-samples' + - '/test/fixtures/test-package' + - '/website' + schedule: + interval: weekly + versioning-strategy: increase-if-necessary + cooldown: + semver-patch-days: 3 + semver-minor-days: 3 + semver-major-days: 7 + open-pull-requests-limit: 10 + commit-message: + prefix: 'chore' + include: 'scope' + labels: + - 'dependencies' + - 'automated' + groups: + npm-non-major: + patterns: + - '*' + update-types: + - minor + - patch diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8305cf72..79ac40218 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -145,6 +145,11 @@ jobs: name: build result needs: [build-ubuntu, build-windows] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Check build results run: | ubuntu_result="${{ needs.build-ubuntu.result }}" diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 699e72572..7852df636 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
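Review bot: The `github-actions` and `docker` groups in the new dependabot.yml use `patterns: ['*']` with no `update-types`, so major bumps of an action or base image are folded into the same grouped PR as minor and patch bumps, while the `npm-non-major` group below deliberately restricts itself to `minor`/`patch` so majors arrive as their own PRs. Adding `update-types:` / `- minor` / `- patch` under each of those two groups would make the three ecosystems consistent and keep breaking upgrades reviewable in isolation. The `cooldown` settings (3 days by default, 7 for npm majors) are this file's main supply-chain control — they delay adoption of a freshly published version — and that intent deserves a comment next to them, e.g. `# cooldown: wait before proposing a new release so a version yanked or flagged shortly after publishing is not picked up`. The npm directory list also includes `/test/fixtures/test-package`, so fixture dependencies will be bumped too; confirm that is intended rather than noise.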
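Review bot: `egress-policy: audit` in the harden-runner step added to the build-result job only records outbound connections and blocks nothing, so this hunk adds observability but no enforcement; the identical steps added in docker-publish.yml and e2e.yml have the same property. This job appears to do nothing but evaluate `needs.build-ubuntu.result` and `needs.build-windows.result` in a shell step, which makes it a low-risk candidate for `egress-policy: block` once an audit run shows no endpoints are needed. Until then a comment such as `# audit mode only logs egress; switch to block after reviewing the report` would make the staged intent explicit. The job's remaining steps continue outside the hunk.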
@@ -6,6 +6,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: docker-build-publish: permissions: @@ -14,6 +17,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 054585321..405fd0f19 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -21,6 +21,11 @@ jobs: BUILDX_CACHE_SCOPE: ${{ matrix.suite }}-build steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -95,6 +100,11 @@ jobs: name: e2e needs: [e2e] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Check e2e results run: | result="${{ needs.e2e.result }}" diff --git a/renovate.json b/renovate.json deleted file mode 100644 index 2566f5f90..000000000 --- a/renovate.json +++ /dev/null 
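Review bot: The new workflow-level `permissions: contents: read` does not narrow the `docker-build-publish` job, because that job declares its own `permissions:` block (its entries lie outside the hunk) and a job-level block replaces the workflow-level one rather than merging with it. The default therefore only covers jobs added later without their own block, which is still worthwhile but should be stated, e.g. `# default token scope for any job that does not declare its own permissions block`. Since the job's block is not visible here, confirm it still grants only what the build-and-push step needs.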
@@ -1,29 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "config:best-practices",
- ":separateMultipleMajorReleases",
- "group:allNonMajor",
- "group:allDigest",
- "group:jsTest",
- "group:linters",
- "group:nodeJs"
- ],
- "ignorePaths": ["experimental/**"],
- "additionalBranchPrefix": "{{parentDir}}-",
- "commitMessageSuffix": "- {{parentDir}} - {{packageFile}}",
- "packageRules": [
- {
- "matchDatasources": ["npm"],
- "rangeStrategy": "bump"
- },
- {
- "matchPackageNames": ["*"],
- "groupName": "{{manager}}"
- },
- {
- "semanticCommitScope": "experimental",
- "matchFileNames": ["experimental/*"]
- }
- ]
-}