I am using Renovate on a GitHub repository to keep dependencies up to date.
I want to automerge patches and minor releases, but I want to let minor releases ripen for a few days, using the stabilityDays
setting. This seemed to be working with this config:
    "minor": {
        "automerge": true,
        "stabilityDays": 3,
        "prCreation": "not-pending"
    },
    "patch": {
        "automerge": true,
        "stabilityDays": 0
    },
    "major": {
        "automerge": false
    },
I turned on security code scanning in my repo with "Scorecards" using the ossf/scorecard-action
and the security scanning turned up some findings with helpful mitigation paths. One of the suggestions was to use the SHA digest values to pin Docker dependencies instead of version numbers.
For example,
uses: actions/checkout@v3
becomes
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
That feels safer, so I like that. But now the renovate PRs are not automerging like they used to and Renovate-bot leaves me this message in a PR that would have automerged when I was not using SHA digests:
Automerge: Disabled by config. Please merge this manually once you are satisfied.
when before it would say:
Automerge: Enabled.
How can I configure Renovate to support better security and less noise and less manual intervention, while not allowing automerging of major versions?
I think that
    "digest": {
        "automerge": true,
        "stabilityDays": 3,
        "prCreation": "not-pending"
    },
would turn on automerge for dependencies pinned by SHA digest keys, but now I think major version changes would be automerged, and I do not want that.
I have pored over the docs and other SO posts and could not winkle out a fix.
How can I have the serenity of SHA pinning and the convenience of minor and patch automerging?
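For illustration, here is one shape of renovate.json5 that expresses the policy described in the question (patch and minor automerged, minor and digest-only bumps held for three days, major never automerged). This is an added example, not configuration from the question or from the Renovate project; it assumes each SHA-pinned `uses:` line carries a version comment such as `# v3.5.2`, which Renovate reads to classify a bump as major/minor/patch instead of a bare digest change.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  // helpers:pinGitHubActionDigests rewrites `uses: owner/repo@v3` to
  // `uses: owner/repo@<sha> # v3.x.y`; the trailing comment is what lets
  // Renovate tell a major bump apart from a same-version digest refresh.
  "extends": ["config:base", "helpers:pinGitHubActionDigests"],
  "packageRules": [
    {
      // patch releases: merge as soon as checks pass
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "stabilityDays": 0
    },
    {
      // minor releases: let them ripen for three days first
      "matchUpdateTypes": ["minor"],
      "automerge": true,
      "stabilityDays": 3,
      "prCreation": "not-pending"
    },
    {
      // digest-only updates (same version tag, new SHA): same ripening period
      "matchUpdateTypes": ["digest"],
      "automerge": true,
      "stabilityDays": 3,
      "prCreation": "not-pending"
    },
    {
      // major releases: always a human decision
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
  // Note: newer Renovate releases renamed stabilityDays to minimumReleaseAge.
}
```

Without the version comment on a pinned line, Renovate can only see a digest and every update, including a major one, would be typed as "digest" and fall under that rule.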