JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: JonKazama-Hellion/security-workflows:1222381732fb6c6aaac39d26aa6a9398c70f1999
Branches Tags
JonKazama-Hellion/security-workflows:main
..
compare: JonKazama-Hellion/security-workflows:main
Branches Tags
JonKazama-Hellion/security-workflows:main

8 Commits
1222381732 .. main

Author SHA1 Message Date
JonKazama-Hellion dfe44fdf3b Merge pull request 'Update actions/checkout action to v6' (#4) from renovate/actions-checkout-6.x into main 
Reviewed-on: #4
 2026-05-12 14:43:30 +00:00
renovate-bot f5c6828302 Update actions/checkout action to v6 2026-05-12 14:43:17 +00:00
JonKazama-Hellion 54301ecdf6 Merge pull request 'Update actions/setup-python action to v6' (#5) from renovate/actions-setup-python-6.x into main 
Reviewed-on: #5
 2026-05-12 14:42:53 +00:00
renovate-bot ef287c8868 Update actions/setup-python action to v6 2026-05-12 12:34:06 +00:00
JonKazama-Hellion 6274df8e48 Merge pull request 'Configure Renovate' (#3) from renovate/configure into main 
Reviewed-on: #3
 2026-05-12 07:05:22 +00:00
renovate-bot c9c318c092 Add renovate.json 2026-05-12 06:34:48 +00:00
JonKazama-Hellion 7cbc8fcccc Merge pull request 'fix(scan): pin Trivy to v0.70.0 (avoid GitHub rate-limit)' (#2) from fix/pin-trivy-version into main 
Reviewed-on: #2
 2026-05-12 00:13:43 +00:00
renovate-bot 27a469b169 fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit 
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit rate-limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
 2026-05-12 00:12:13 +00:00
2 changed files with 15 additions and 3 deletions
Expand all files Collapse all files
.gitea/workflows/security-scan.yml
+9 -3
View File
@@ -34,10 +34,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v6
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v5 uses: actions/setup-python@v6
with: with:
python-version: '3.x' python-version: '3.x'
@@ -49,7 +49,13 @@ jobs:
# trivy-action wrapper does nested checkouts and auth-juggling that # trivy-action wrapper does nested checkouts and auth-juggling that
# does not play well with Self-Hosted Gitea Actions, this is more # does not play well with Self-Hosted Gitea Actions, this is more
# robust and a smaller surface. # robust and a smaller surface.
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin #
# Version pinned: the install script otherwise hits api.github.com to
# resolve "latest", which is unauthenticated and burns through the
# self-hosted runner's GitHub rate-limit on each push. Pinning skips
# the API call entirely. Renovate-bot keeps the version current:
# renovate: datasource=github-releases depName=aquasecurity/trivy
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0
- name: Run Semgrep SAST - name: Run Semgrep SAST
# --config=auto pulls language-appropriate rule packs from semgrep.dev # --config=auto pulls language-appropriate rule packs from semgrep.dev
renovate.json
+6
View File
@@ -0,0 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
]
}