
chore(deps): add Renovate rule for org workflow SHA pin updates#39

Merged
williaby merged 2 commits into
mainfrom
chore/add-renovate-org-workflow-rule
May 28, 2026

Conversation

@williaby
Contributor

@williaby williaby commented May 21, 2026

Summary

  • Add a Renovate packageRules entry to track the floating v1 tag on ByronWilliamsCPA/.github org workflows
  • Fixes four issues from initial review:
    • versioning: semver-coerced (was semver; bare v1 is not valid semver, causing the rule to silently do nothing)
    • automerge: false added to prevent the broader "Auto-merge GitHub Actions minor/patch updates" rule from inheriting automerge behavior for org workflows (supply chain security risk)
    • pinDigests: true added so SHA pins are refreshed whenever the floating tag moves
    • matchPackagePatterns scoped to ByronWilliamsCPA/.github only (removed williaby/.github)
  • Restores 4-space indentation to match the main baseline

Why automerge is false

Org-level shared workflows run with elevated permissions and have a wider blast radius than individual action dependencies. Every SHA-pin update for these workflows should go through a human review before merge, even for patch-level bumps.

CI status

All CI failures on this PR are pre-existing on main (OSV vulnerability scanner flagging tracked CVEs in docs/known-vulnerabilities.md). The cascade failure in "Dependency vulnerability scan" is the same root cause. These are not introduced by this PR, which touches only renovate.json.

Test plan

  • pre-commit run --all-files passes in the fix worktree
  • JSON valid (check json hook passes)
  • Renovate config can be validated via the Renovate validator once merged
  • Confirm Renovate picks up the rule and opens a SHA-pin update PR for ByronWilliamsCPA/.github workflows after merge

Summary by CodeRabbit

  • Chores
    • Updated dependency automation configuration for GitHub Actions workflows.


Copilot AI review requested due to automatic review settings May 21, 2026 23:20
@coderabbitai

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b2215ad and ff66b28.

📒 Files selected for processing (1)
  • renovate.json

Walkthrough

This PR updates the Renovate configuration to add a specialized rule for GitHub Actions updates in the .github workflow repository. The new packageRules entry ensures Actions are pinned to commit digests while tracking the floating v1 tag for version resolution.

Changes

GitHub Actions Renovate Configuration

Layer / File(s): GitHub Actions pin configuration (renovate.json)

Summary: New packageRules entry matches github-actions for the ByronWilliamsCPA/.github pattern, configures followTag: v1 with semver-coerced versioning for tag tracking, enables pinDigests: true to pin updates to commit hashes, and sets automerge: false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

security


Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically describes the main change: adding a Renovate rule to pin organization workflow SHAs, which aligns with the primary objective of the PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@github-actions

github-actions Bot commented May 21, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


Copilot AI left a comment


Pull request overview

Updates the repository’s Renovate configuration to better manage dependency automation, including an added rule intended to track org-level reusable GitHub workflow references for SHA pin updates.

Changes:

  • Re-formats and slightly adjusts the global Renovate schedule (adds weekend coverage).
  • Adds a new packageRules entry intended to follow the v1 tag for specific org workflow dependencies.
  • Retains existing grouping/automerge/security/lockfile-maintenance rules while restructuring the JSON formatting.

Comment thread renovate.json Outdated
Comment on lines +153 to +154
"ByronWilliamsCPA/.github",
"williaby/.github"
@williaby
Contributor Author

PR Review

#39 | chore(deps): add Renovate rule for org workflow SHA pin updates

BUILD FAILING (pre-existing): All CI failures trace to OSV/pip-audit dependency vulnerabilities already present on main. This PR (renovate.json only) introduces no Python dependencies. Resolving the tracked CVEs in docs/known-vulnerabilities.md is required separately.


Critical (must fix before merge)

  • [PR body] Description contains only @/tmp/tmpkuqul3bh/pr-body.txt — a temp file path was accidentally written as the body. No summary, motivation, or context is present for reviewers.

  • [renovate.json] "versioning": "semver" is incorrect for v1-style floating tags. Renovate's semver parser requires MAJOR.MINOR.PATCH; a bare v1 will fail to parse, causing the rule to silently do nothing — SHA pins for org workflows go stale with no notification. Fix: "versioning": "semver-coerced"

  • [renovate.json] The new followTag rule has no "automerge": false override. The existing "Auto-merge GitHub Actions minor/patch updates" rule matches all github-actions packages. When v1 moves, Renovate will open and auto-merge the update PR via squash with no human review. Org-level shared CI workflows execute in every consuming repo — a compromised v1 tag gets automatically merged into this repo's pipeline. Fix: add "automerge": false to the new rule.

  • [renovate.json] williaby/.github is included in matchPackagePatterns with no explanation of what the williaby org is or why it is trusted. The missing PR description makes this completely unverifiable. Fix: explain in the PR description (or remove if unintended).


Important (should fix)

  • [renovate.json] New rule omits "pinDigests": true. SHA pinning for these packages currently relies on implicit rule interaction with the existing global pin rule. A future packageRule reorder would silently break SHA pinning for the exact packages this PR tracks. Fix: add "pinDigests": true explicitly.

  • [renovate.json] 198 of 221 diff lines are pure 4→2 space indentation churn with no functional effect. No project standard enforces 2-space JSON. This makes future git blame/git bisect unreliable and the diff nearly unauditable. Fix: revert the reformat or separate it into a distinct commit.

  • [renovate.json] followTag: "v1" + pinDigests interaction is not verified — if Renovate resolves followTag to the tag string rather than the commit digest, SHA pin protection is silently lost for these packages. Resolved by the semver-coerced fix above and by adding explicit "pinDigests": true.

  • [PR title] Title says "add Renovate rule" but the diff is 221 lines (198 whitespace reformat). Update title if reformat is kept.


Suggested minimal fix for the new packageRule

{
  "description": "Track org workflow floating v1 tag for SHA pin updates",
  "matchManagers": ["github-actions"],
  "matchPackagePatterns": [
    "ByronWilliamsCPA/.github",
    "williaby/.github"
  ],
  "versioning": "semver-coerced",
  "followTag": "v1",
  "pinDigests": true,
  "automerge": false
}

🤖 Generated with Claude Code
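The two defects the review above raises, and the PR description's fixes for them, can be checked mechanically before a rule lands. The script below is an added example and is not code from this repository or from Renovate. It constructs a "before" and an "after" packageRules fragment modelled on the snippet in the review, resolves the configuration Renovate would apply to a given package, and reports the three problems discussed: a bare "v1" followTag that strict "semver" cannot parse, automerge inherited from the broader github-actions rule, and a missing explicit pinDigests. It assumes Renovate's documented precedence (matching packageRules are merged in order, later rules override earlier ones), treats matchPackagePatterns as regular expressions, uses "owner/repo" as the package name for a reusable workflow, and, for this lint only, treats an unset versioning as strict semver; matchUpdateTypes is deliberately ignored so the check is conservative.

```python
"""Lint Renovate packageRules for org-workflow SHA-pin safety (added example)."""
import json
import re
from typing import Dict, List, Optional

# Constructed renovate.json fragments modelled on the rules discussed in the PR;
# they are not the repository's real file.
BEFORE_JSON = """
{
  "packageRules": [
    {
      "description": "Auto-merge GitHub Actions minor/patch updates",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Track org workflow floating v1 tag for SHA pin updates",
      "matchManagers": ["github-actions"],
      "matchPackagePatterns": ["ByronWilliamsCPA/.github", "williaby/.github"],
      "versioning": "semver",
      "followTag": "v1"
    }
  ]
}
"""

AFTER_JSON = """
{
  "packageRules": [
    {
      "description": "Auto-merge GitHub Actions minor/patch updates",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Track org workflow floating v1 tag for SHA pin updates",
      "matchManagers": ["github-actions"],
      "matchPackagePatterns": ["ByronWilliamsCPA/.github"],
      "versioning": "semver-coerced",
      "followTag": "v1",
      "pinDigests": true,
      "automerge": false
    }
  ]
}
"""

BEFORE_CONFIG = json.loads(BEFORE_JSON)
AFTER_CONFIG = json.loads(AFTER_JSON)

STRICT_SEMVER = re.compile(r"^v?\d+\.\d+\.\d+$")   # MAJOR.MINOR.PATCH only
COERCIBLE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")   # v1, v1.2 or v1.2.3


def tag_parses(tag: str, versioning: Optional[str]) -> bool:
    """True if `tag` is understood under `versioning`.
    Unset versioning is treated as strict semver (assumption for this lint)."""
    if versioning in (None, "semver"):
        return STRICT_SEMVER.match(tag) is not None
    if versioning == "semver-coerced":
        return COERCIBLE.match(tag) is not None
    return False


def rule_matches(rule: Dict, manager: str, package: str) -> bool:
    """Manager and package-pattern matching only; patterns are treated as regexes.
    matchUpdateTypes is ignored on purpose so that any automerge counts."""
    managers = rule.get("matchManagers")
    if managers and manager not in managers:
        return False
    patterns = rule.get("matchPackagePatterns")
    if patterns and not any(re.search(p, package) for p in patterns):
        return False
    return True


def effective_config(rules: List[Dict], manager: str, package: str) -> Dict:
    """Merge every matching rule in order; a later rule overrides an earlier one
    (Renovate's packageRules precedence, assumed here)."""
    merged: Dict = {}
    for rule in rules:
        if rule_matches(rule, manager, package):
            merged.update({k: v for k, v in rule.items()
                           if not k.startswith("match") and k != "description"})
    return merged


def lint(config: Dict, package: str) -> List[str]:
    """Findings for the effective followTag configuration of `package`."""
    eff = effective_config(config.get("packageRules", []), "github-actions", package)
    tag = eff.get("followTag")
    if tag is None:
        return []  # not governed by a floating-tag rule
    findings = []
    versioning = eff.get("versioning")
    if not tag_parses(tag, versioning):
        findings.append(f'followTag "{tag}" does not parse under versioning '
                        f'{versioning!r}; the rule would silently do nothing')
    if eff.get("automerge", False):
        findings.append("automerge is in effect for an org workflow followTag rule "
                        "(inherited from an earlier rule unless overridden)")
    if eff.get("pinDigests") is not True:
        findings.append("pinDigests is not explicitly true; SHA pinning depends on rule ordering")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, lint(cfg, "ByronWilliamsCPA/.github") or ["ok"])
```

Run against the "before" fragment the lint reports all three findings; against the "after" fragment it reports none, and an unrelated action such as actions/checkout is left alone because no followTag governs it. The same resolver can be pointed at the real renovate.json (json.load on the file) as a pre-commit step alongside the existing JSON validity hook.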

williaby added a commit that referenced this pull request May 28, 2026
…2026-139 (torch) (#44)

* fix(security): resolve PYSEC-2026-161 (starlette) and suppress PYSEC-2026-139 (torch)

Unblocks CI on PRs #39, #40, and #41. Both pip-audit and osv-scanner
were flagging the same two CVEs, cascading into Code Quality, OSV
Scanner, Security Gate, and CI Gate failures on every open PR.

- Bump fastapi>=0.133.0 in [audio] extras and regenerate uv.lock;
  fastapi 0.136.3 + starlette 1.1.0 resolve PYSEC-2026-161.
- Add PYSEC-2026-139 (torch/CVE-2026-4538) to osv-scanner.toml and
  [tool.pip-audit] ignore-vuln; no upstream fix exists. Torch is an
  optional [ml] extra absent from the production container.
- Document PYSEC-2026-139 in docs/known-vulnerabilities.md per project
  CVE policy; reassess-by 2026-07-26.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: correct torch CVE suppression justification and compensating controls

The PYSEC-2026-139 / CVE-2026-4538 suppression in three files contained
two false claims:

1. "torch is never imported by the deployed service" - vad.py:16 has an
   unconditional top-level `import torch`, refuting the grep verification.
2. "not installed in the production container (which installs only the audio
   extra)" - the Dockerfile runs `uv sync --frozen --no-dev` with no --extra
   flags; no optional extras are installed at all.

The compensating control (torch absent from production) remains valid.
Update all three files to state the accurate mechanism: the Dockerfile
installs no optional extras, so neither [ml] (direct) nor [audio]
(transitive via silero-vad) entries for torch reach the runtime image.
Remove the false grep verification claim from compensating controls.

Also corrects:
- Package field: adds the silero-vad transitive path in [audio] extra
- Patched version row: shortened to fit 120-char Markdown line limit
- pyproject.toml fastapi comment: "starlette<1.0.0" -> "starlette 0.x";
  "starlette 1.x" -> "starlette>=1.1.0" (1.1.0 is the specific fix version)
- osv-scanner.toml: replaces -- double-dash with comma (writing rule PC-011)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(changelog): add PYSEC-2026-161 and CVE-2026-4538 security entries

Per CLAUDE.md CVE Citation Policy: any CHANGELOG entry that fixes a
security vulnerability must include the CVE ID if one has been assigned.

- PYSEC-2026-161 (starlette < 1.1.0): resolved by fastapi>=0.133.0
- CVE-2026-4538 / PYSEC-2026-139 (torch 2.9.1, AV:L HIGH): deferred
  with reassess-by 2026-07-26; no upstream fix available

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

CI-056 compliance: adds followTag rule for ByronWilliamsCPA/.github
packages so Renovate keeps SHA pins current after each release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby force-pushed the chore/add-renovate-org-workflow-rule branch from 84d37df to ff66b28 Compare May 28, 2026 04:11
@williaby williaby enabled auto-merge (squash) May 28, 2026 04:18

@williaby williaby merged commit 1f592a6 into main May 28, 2026
32 checks passed
@williaby williaby deleted the chore/add-renovate-org-workflow-rule branch May 28, 2026 04:21