From 66419c5e9720c7e1aff2676342d2626227700c5d Mon Sep 17 00:00:00 2001
From: nameless-mc
Date: Wed, 21 Jan 2026 15:26:46 +0900
Subject: [PATCH 1/4] chore: add renovate settings
---
renovate.json5 | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 renovate.json5
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..77ca34d
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,24 @@
+{
+ extends: ["github>cybozu/renovate-config", ":prConcurrentLimitNone"],
+ packageRules: [
+ {
+ description: "Automerge Docker digest updates",
+ matchDatasources: ["docker"],
+ matchUpdateTypes: ["digest"],
+ automerge: true,
+ },
+ {
+ description: "Automerge devDependencies minor and patch updates",
+ matchDepTypes: ["devDependencies"],
+ matchUpdateTypes: ["minor", "patch"],
+ automerge: true,
+ },
+ {
+ description: "Automerge pnpm minor and patch updates",
+ matchPackageNames: ["pnpm"],
+ minimumReleaseAge: "14 days",
+ matchUpdateTypes: ["minor", "patch"],
+ automerge: true,
+ },
+ ]
+}
\ No newline at end of file
From 936b66a43f0f8a5e83fa5adda096b8d495f7fed1 Mon Sep 17 00:00:00 2001
From: nameless-mc
Date: Wed, 21 Jan 2026 15:48:57 +0900
Subject: [PATCH 2/4] chore: add renovate custom manager for trivy
---
.github/workflows/reusable-yamory-scan.yaml | 12 +++---
renovate.json5 | 41 ++++++++++++++-------
2 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/reusable-yamory-scan.yaml b/.github/workflows/reusable-yamory-scan.yaml
index ae0df55..b4f1b59 100644
--- a/.github/workflows/reusable-yamory-scan.yaml
+++ b/.github/workflows/reusable-yamory-scan.yaml
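Review bot: The `extends` entry `github>cybozu/renovate-config` in the new renovate.json5 carries no ref, so whatever is on that repository's default branch applies on the next Renovate run. Because the rules below set `automerge: true`, a change to the shared preset can alter what is merged here without anyone reviewing this repository's config. If that coupling is not intended, pin the preset, e.g. `"github>cybozu/renovate-config#<tag>"` (placeholder tag), and let Renovate propose preset bumps like any other dependency. The devDependencies rule also automerges with no `minimumReleaseAge`, unlike the pnpm rule; PATCH 4/4 drops that rule, so this matters only if this commit is taken alone.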
@@ -33,13 +33,15 @@ jobs: - name: Setup trivy env: - TRIVY_VERSION: 0.68.2 - TRIVY_CHECKSUM: 68b3c0350490456f56fbf8ea604663c79af73f628f4c3bb0fd76bfcc26fafea6 + # renovate: datasource=github-release-attachments depName=aquasecurity/trivy + TRIVY_VERSION: v0.68.2 + TRIVY_SHA256: 68b3c0350490456f56fbf8ea604663c79af73f628f4c3bb0fd76bfcc26fafea6 run: | - wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb - echo "${TRIVY_CHECKSUM} trivy_${TRIVY_VERSION}_Linux-64bit.deb" > trivy-sha256sum.txt + TRIVY_DEB="trivy_${TRIVY_VERSION#v}_Linux-64bit.deb" + wget "https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}/${TRIVY_DEB}" + echo "${TRIVY_SHA256} ${TRIVY_DEB}" > trivy-sha256sum.txt sha256sum -c trivy-sha256sum.txt - sudo dpkg -i trivy_${TRIVY_VERSION}_Linux-64bit.deb + sudo dpkg -i "${TRIVY_DEB}" - name: Login to GHCR uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 diff --git a/renovate.json5 b/renovate.json5 index 77ca34d..8cd74af 100644 --- a/renovate.json5 +++ b/renovate.json5 
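Review bot: `TRIVY_SHA256` stops being a hand-reviewed value in the "Setup trivy" step: the `# renovate:` annotation hands it to Renovate together with `TRIVY_VERSION`, and the new hash is presumably derived from the release asset Renovate itself fetches. The `sha256sum -c` check then shows only that the runner downloaded the same file Renovate saw; it does not show that the release is authentic. A comment next to the value would keep that visible, e.g. `# TRIVY_SHA256 is maintained by Renovate: it pins the asset, it does not authenticate the release`. If upstream publishes signatures for its release assets, verifying one before `sudo dpkg -i` would add a check that does not depend on the same download. The job's remaining steps lie outside this hunk.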
@@ -1,24 +1,39 @@ { - extends: ["github>cybozu/renovate-config", ":prConcurrentLimitNone"], + extends: ['github>cybozu/renovate-config', ':prConcurrentLimitNone'], packageRules: [ { - description: "Automerge Docker digest updates", - matchDatasources: ["docker"], - matchUpdateTypes: ["digest"], + description: 'Automerge Docker digest updates', + matchDatasources: ['docker'], + matchUpdateTypes: ['digest'], automerge: true, }, { - description: "Automerge devDependencies minor and patch updates", - matchDepTypes: ["devDependencies"], - matchUpdateTypes: ["minor", "patch"], + description: 'Automerge devDependencies minor and patch updates', + matchDepTypes: ['devDependencies'], + matchUpdateTypes: ['minor', 'patch'], automerge: true, }, { - description: "Automerge pnpm minor and patch updates", - matchPackageNames: ["pnpm"], - minimumReleaseAge: "14 days", - matchUpdateTypes: ["minor", "patch"], + description: 'Automerge pnpm minor and patch updates', + matchPackageNames: ['pnpm'], + minimumReleaseAge: '14 days', + matchUpdateTypes: ['minor', 'patch'], automerge: true, }, - ] -} \ No newline at end of file + ], + enabledManagers: [ + 'github-actions', + 'custom.regex', + ], + customManagers: [ + { + customType: 'regex', + managerFilePatterns: [ + '/.github/workflows/.+\\.yaml$/', + ], + matchStrings: [ + '# renovate: datasource=(?[a-z-]+?) depName=(?[^\\s]+?)(?: versioning=(?[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?.+?)["\']?\\s+(?:[A-Za-z0-9_]+?_SHA256\\s*:\\s*["\']?(?[a-f0-9]+?)["\']?\\s)?', + ], + }, + ], +} From 7fa53b0c6ac49d8e320d01cd5220334dbf699b15 Mon Sep 17 00:00:00 2001 From: nameless-mc Date: Wed, 21 Jan 2026 16:01:34 +0900 Subject: [PATCH 3/4] chore: add mise under renovate manager --- renovate.json5 | 1 + 1 file changed, 1 insertion(+) diff --git a/renovate.json5 b/renovate.json5 index 8cd74af..176b393 100644 --- a/renovate.json5 +++ b/renovate.json5 
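Review bot: The `_SHA256` part of the new `matchStrings` pattern is optional, so a workflow whose `*_SHA256` line does not directly follow its `*_VERSION` line still matches, and Renovate would bump the version while leaving the old hash. The trivy step fails closed on that because it runs `sha256sum -c`, but the pattern itself does not enforce the pairing for other workflows under `.github/workflows/`. A JSON5 comment above `matchStrings` would make the contract explicit, e.g. `// expects three consecutive lines: "# renovate: ..." comment, *_VERSION, *_SHA256`. As rendered on this page the capture groups have no names (`(?[a-z-]+?)`), which is not a valid pattern. Renovate needs named groups such as `datasource`, `depName` and `currentValue`, so the names were probably lost in rendering and should be checked against the repository.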
@@ -24,6 +24,7 @@ enabledManagers: [ 'github-actions', 'custom.regex', + 'mise', ], customManagers: [ { From fe9e1b4b3dd8b06e121929ed20217b5b102ecac8 Mon Sep 17 00:00:00 2001 From: nameless-mc Date: Wed, 21 Jan 2026 17:00:58 +0900 Subject: [PATCH 4/4] chore: update renovate config --- renovate.json5 | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/renovate.json5 b/renovate.json5 index 176b393..9dac7f4 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -8,23 +8,25 @@ automerge: true, }, { - description: 'Automerge devDependencies minor and patch updates', - matchDepTypes: ['devDependencies'], + description: 'Automerge pnpm minor and patch updates', + matchPackageNames: ['pnpm'], + minimumReleaseAge: '14 days', matchUpdateTypes: ['minor', 'patch'], automerge: true, }, { - description: 'Automerge pnpm minor and patch updates', - matchPackageNames: ['pnpm'], + description: 'Automerge Node.js minor and patch updates', + matchPackageNames: ['node'], minimumReleaseAge: '14 days', matchUpdateTypes: ['minor', 'patch'], automerge: true, }, - ], - enabledManagers: [ - 'github-actions', - 'custom.regex', - 'mise', + { + description: 'Automerge trivy minor and patch updates', + matchPackageNames: ['aquasecurity/trivy'], + matchUpdateTypes: ['minor', 'patch'], + automerge: true, + }, ], customManagers: [ {
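Review bot: The new `aquasecurity/trivy` rule in PATCH 4/4 automerges minor and patch updates without the `minimumReleaseAge: '14 days'` that the pnpm and Node.js rules beside it carry. With the custom manager from PATCH 2/4, such an update is expected to rewrite both `TRIVY_VERSION` and `TRIVY_SHA256`, and the workflow installs the package with `sudo dpkg -i`. A tampered or hastily withdrawn release would therefore be merged with a matching hash and no human review. Adding `minimumReleaseAge: '14 days',` to this rule, or leaving `automerge` off for it, restores a review window. The same hunk deletes `enabledManagers`, which turns every default manager back on; the commit message does not mention this, so confirm it is intended.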