ci: attempt to fix updates for trivy-action not recognized

wetransform · Mar 26, 2024 · 7fff524 · 7fff524
1 parent dc9544d
commit 7fff524
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -2,7 +2,7 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [ // default presets see https://docs.renovatebot.com/presets-default/
     "config:recommended",
-    "helpers:pinGitHubActionDigestsToSemver",
+    // "helpers:pinGitHubActionDigestsToSemver",
     "security:openssf-scorecard",
     ":disableDependencyDashboard",
     ":disableRateLimiting",
@@ -15,12 +15,14 @@
     "renovate/{{updateType}}",
   ],
   packageRules: [
+    /*
     {
       description: "Ignore frequent renovate updates",
       enabled: false,
       matchPackageNames: ["renovatebot/github-action"],
       matchUpdateTypes: ["patch"],
     },
+    */
     {
       description: "Update renovatebot/github-action minor updates on Sundays",
       matchPackageNames: ["renovatebot/github-action"],
@@ -30,9 +32,16 @@
     {
       description: "Update to action dependencies use fix commits to trigger a release",
       matchFileNames: ["action.yml"],
-      // semanticCommitType: "fix",
+      semanticCommitType: "fix",
       // extends: [":semanticCommitType(fix)"]
-      extends: [":semanticCommitTypeAll(fix)"]
+      // extends: [":semanticCommitTypeAll(fix)"]
+    },
+    {
+      matchPackageNames: ["aquasecurity/trivy-action"],
+      // package uses tags without leading v - need to override setting from helpers:pinGitHubActionDigestsToSemver
+      extractVersion: "^(?<version>\\d+\\.\\d+\\.\\d+)$",
+
+      // versioning: "loose" // "regex:^(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$"
     },
   ],
   prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",

diff --git a/action.yml b/action.yml
@@ -52,7 +52,7 @@ runs:
 
       # https://github.com/aquasecurity/trivy-action
     - name: Scan Docker image for critical vulnerabilities
-      uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
+      uses: aquasecurity/[email protected]
       if: "${{ inputs.junit-test-output != '' || inputs.create-test-report }}"
       with:
         image-ref: '${{ inputs.image-ref }}'
@@ -77,7 +77,7 @@ runs:
           echo "REPORT_FILENAME=$VALID_FILENAME" >> $GITHUB_ENV
 
     - name: Create vulnerability report as HTML
-      uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
+      uses: aquasecurity/[email protected]
       with:
         image-ref: '${{ inputs.image-ref }}'
         scan-type: "${{ inputs.image-ref != '' && 'image' || 'fs' }}"
@@ -97,7 +97,7 @@ runs:
       run: |
         cp ${GITHUB_ACTION_PATH}/summary.tpl ./trivy-summary.tpl
     - name: Create summary on vulnerabilities
-      uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
+      uses: aquasecurity/[email protected]
       with:
         image-ref: '${{ inputs.image-ref }}'
         scan-type: "${{ inputs.image-ref != '' && 'image' || 'fs' }}"