chore(deps): update github/codeql-action digest to 7211b7c

Merge pull request 'chore(deps): update actions/checkout action to v6' (#6 ) from renovate/actions-checkout-6.x into master
Reviewed-on: #6
2026-05-22 12:32:56 +00:00 · 2026-05-12 05:56:33 +00:00 · 2026-05-12 05:56:33 +00:00 · 2026-05-12 05:56:07 +00:00 · 2026-05-12 05:56:07 +00:00 · 2026-05-12 05:55:11 +00:00
5 changed files with 76 additions and 8 deletions
@@ -0,0 +1,13 @@
 name: Security
 on:
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'
  workflow_dispatch:
 jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Projektstruktur prüfen
        run: |
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Extract version from tag
        id: version
@@ -53,7 +53,7 @@ jobs:
          cat checksums-sha256.txt
      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
        with:
          name: "Hellion NewTab ${{ steps.version.outputs.tag }}"
          body: |
@@ -20,15 +20,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
        with:
          languages: javascript
      - name: Run CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
  dependency-review:
    name: Dependency Review
@@ -36,7 +36,7 @@ jobs:
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
@@ -0,0 +1,55 @@
  {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
      "config:recommended",
      ":dependencyDashboard",
      ":semanticCommits",
      ":timezone(Europe/Berlin)",
      "schedule:weekly"
    ],
    "labels": ["dependencies", "renovate"],
    "assignees": ["JonKazama-Hellion"],
    "prHourlyLimit": 10,
    "prConcurrentLimit": 20,
    "rebaseWhen": "behind-base-branch",
    "packageRules": [
      {
        "description": "Group all minor and patch updates per ecosystem in one PR",
        "matchUpdateTypes": ["minor", "patch"],
        "groupName": "minor and patch updates ({{manager}})"
      },
      {
        "description": "Major updates always get their own PR with breaking-change label",
        "matchUpdateTypes": ["major"],
        "labels": ["dependencies", "major-update", "breaking-change"],
        "addLabels": ["needs-review"]
      },
      {
        "description": "TypeScript type definitions stay grouped with each other",
        "groupName": "type definitions",
        "matchPackageNames": [
          "@types/{/,}**"
        ]
      },
      {
        "description": "Dev dependencies in their own group",
        "matchDepTypes": ["devDependencies"],
        "groupName": "dev dependencies"
      },
      {
        "description": "Pin GitHub Action versions by SHA for supply-chain hygiene",
        "matchManagers": ["github-actions"],
        "pinDigests": true
      }
    ],
    "vulnerabilityAlerts": {
      "labels": ["security", "vulnerability"],
      "schedule": ["at any time"]
    },
    "lockFileMaintenance": {
      "enabled": true,
      "schedule": ["before 6am on monday"],
      "commitMessageAction": "Refresh"
    },
    "osvVulnerabilityAlerts": true
  }
Author	SHA1	Message	Date
renovate-bot	e5f0bf3fed	chore(deps): update github/codeql-action digest to 7211b7c Security / scan (pull_request) Successful in 19s Details	2026-05-22 12:32:56 +00:00
JonKazama-Hellion	25e916c3be	Merge pull request 'chore(deps): update actions/checkout action to v6' (#6 ) from renovate/actions-checkout-6.x into master Security / scan (push) Successful in 18s Details Reviewed-on: #6	2026-05-12 05:56:33 +00:00
renovate-bot	1d7680330d	chore(deps): update actions/checkout action to v6	2026-05-12 05:56:33 +00:00
JonKazama-Hellion	9323fb69e8	Merge pull request 'chore(deps): update github/codeql-action action to v4' (#8 ) from renovate/github-codeql-action-4.x into master Security / scan (push) Successful in 17s Details Reviewed-on: #8	2026-05-12 05:56:07 +00:00
renovate-bot	07cf13efcd	chore(deps): update github/codeql-action action to v4	2026-05-12 05:56:07 +00:00
JonKazama-Hellion	4c3eec7631	Merge pull request 'chore(deps): update softprops/action-gh-release action to v3' (#9 ) from renovate/softprops-action-gh-release-3.x into master Security / scan (push) Successful in 21s Details Reviewed-on: #9	2026-05-12 05:55:11 +00:00
renovate-bot	71225308d3	chore(deps): update softprops/action-gh-release action to v3 Security / scan (pull_request) Failing after 2s Details	2026-05-12 00:34:29 +00:00
JonKazama-Hellion	a5958d47a4	Merge pull request 'chore(renovate): fix schema warning (prPriority)' (#10 ) from chore/renovate-config-schema-fix into master Security / scan (push) Failing after 6s Details Reviewed-on: #10	2026-05-12 00:14:52 +00:00
renovate-bot	99c61cf7e3	chore(renovate): fix schema (prPriority placement) Security / scan (pull_request) Successful in 15s Details Moves prPriority out of vulnerabilityAlerts (only allowed in packageRules per schema). Fixes the recurring 'Found renovate config warnings' issue.	2026-05-11 22:17:59 +00:00
JonKazama-Hellion	32f4c92f1b	Merge pull request 'chore(deps): update actions/dependency-review-action action to v5' (#7 ) from renovate/actions-dependency-review-action-5.x into master Security / scan (push) Failing after 11s Details Reviewed-on: #7	2026-05-10 20:37:28 +00:00
renovate-bot	4c7a33a6fa	chore(deps): update actions/dependency-review-action action to v5	2026-05-10 20:37:28 +00:00
JonKazama-Hellion	9eb0bc1c3e	Merge pull request 'chore(deps): pin dependencies' (#5 ) from renovate/pin-dependencies into master Security / scan (push) Successful in 17s Details Reviewed-on: #5	2026-05-10 20:36:46 +00:00
renovate-bot	0fb0eec7df	chore(deps): pin dependencies Security / scan (pull_request) Successful in 28s Details	2026-05-10 12:33:03 +00:00
JonKazama-Hellion	0d4708bf11	chore(config): migrate Renovate config (#3 ) Security / scan (push) Successful in 27s Details Auto-merge: Renovate config migration (matchPackagePrefixes -> matchPackageNames).	2026-05-09 15:46:45 +00:00
renovate-bot	f2b070e201	chore(config): migrate config renovate.json Security / scan (pull_request) Successful in 24s Details	2026-05-09 15:41:56 +00:00
JonKazama-Hellion	8176f91d4c	Merge pull request 'chore: Configure Renovate' (#1 ) from renovate/configure into master Security / scan (push) Successful in 17s Details Reviewed-on: #1	2026-05-09 10:32:11 +00:00
JonKazama-Hellion	d68bb35e7a	renovate.json aktualisiert Signed-off-by: Jon Kazama <kontakt@hellion-media.de>	2026-05-09 10:32:11 +00:00
renovate-bot	10c70f8bf9	Add renovate.json	2026-05-09 10:32:11 +00:00
JonKazama-Hellion	28b9061756	chore: add reusable security scan workflow Security / scan (push) Failing after 11s Details Calls JonKazama-Hellion/security-workflows for Semgrep SAST + Trivy filesystem vulnerability scan. Runs on push to main/master, on every PR, and weekly Monday 06:00 UTC.	2026-05-09 11:28:10 +02:00