fix(renovate): exclude first-party netresearch/* + add PR Quality Gates#124
Merged
Code Review
This pull request updates the Renovate configuration to prevent digest-pinning for first-party Netresearch GitHub Actions, aligning with organizational policy. Feedback suggests refining the rule description to remove historical context and removing the "enabled": false flag to ensure security monitoring and future tag updates remain active.
The renovate.json's "Group GitHub Actions" rule had `pinDigests: true` applied to ALL github-actions managers, which included `uses: netresearch/.github/.github/workflows/*@main` refs. Renovate faithfully turned `@main` into `@<sha>` four times (commits 9fa7178, 4f38a92, aeb49e5, 309fca0) — each a violation of the org policy that first-party Netresearch reusable workflows must use `@main` (or `@vN` once tagged releases exist), never SHA-pinned.

Two changes here:

1. .github/workflows/auto-merge.yml: revert the `uses: netresearch/.github@22155f1...` back to `@main`. This is the same reusable; same behaviour.
2. renovate.json: add a packageRule that disables Renovate entirely for github-actions deps matching `^netresearch/`. The `enabled: false` setting means Renovate ignores them — no digest pins, no PRs, no further drift. The earlier wide "Group GitHub Actions" rule still pins third-party SHAs as before (per supply-chain policy).

Memory: feedback_no_sha_pin_own_reusables — third-party actions (actions/checkout, docker/build-push-action) DO get SHA-pinned; first-party reusables don't. Different trust models.

Discovered while migrating phpbu-docker to the reusable container workflows (PR #123). Sub-agent flagged this as an independent observation rather than bundling it into the migration PR.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
This repo was missing the standard Netresearch PR-quality + auto-approve workflow that other org repos use (netresearch/ofelia, netresearch/ldap-selfservice-password-changer, the t3x-* TYPO3 extensions, etc.). Adding the canonical caller pattern.

The reusable provides:

- PR size labeling (warns over 500 lines changed, alerts over 1000)
- Auto-approve for maintainer PRs whose author_association is one of OWNER / MEMBER / COLLABORATOR. Satisfies the "1 approval" gate from this repo's branch protection for routine maintainer work without bypassing the Copilot review (which runs separately via the org-level Copilot ruleset, NOT via this workflow).

Caller config matches the pattern used in netresearch/ofelia verbatim (modulo SPDX header) — no caller-side knobs needed.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Automated approval for maintainer PR
All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.
CybotTM added a commit to netresearch/snipe-it-docker-compose-stack that referenced this pull request on May 22, 2026:
…#14)

## Summary

Closes the same org-policy gap that was just fixed in netresearch/phpbu-docker#124: this repo was missing the canonical `pr-quality.yml` caller that every other Netresearch container/library repo uses (netresearch/ofelia, netresearch/phpbu-docker, netresearch/ldap-selfservice-password-changer, the t3x-* TYPO3 extensions).

## What the reusable does

- **PR size labeling** — warns over 500 lines changed, alerts over 1000
- **Auto-approve for maintainer PRs** — `author_association ∈ {OWNER, MEMBER, COLLABORATOR}` gets a programmatic approval. Useful both for branch-protection "1 approval" gates and the Copilot ruleset's "1 approval" requirement. Copilot's review bot still runs separately via the org-level Copilot ruleset (not via this workflow), so it doesn't bypass that gate.

## Caller config

Matches the netresearch/ofelia and netresearch/phpbu-docker callers verbatim (modulo SPDX header). No caller-side knobs needed.

## Test plan

- [x] `actionlint` clean
- [ ] CI green on this branch
- [ ] After merge: confirm a future maintainer PR gets auto-approved on push

## Note re SonarCloud

Adds one `@main` reusable ref → may surface a new `githubactions:S7637` LOW hotspot. The project's Quality Profile rule deactivation (done during PR #11) should already cover this. If not, mark SAFE per the org pattern.
CybotTM added a commit that referenced this pull request on May 23, 2026:
## Why

PR #124 was merged with 2 unresolved gemini-code-assist threads on the netresearch/* packageRule. Both addressed here.

## What changed

| Reviewer point | Fix |
|---|---|
| Description referenced past commit 309fca0 — config should focus on policy, not history | Removed the incident-history sentence; kept the policy statement + trust-model contrast |
| `enabled: false` is over-restrictive and blocks future security alerts on these refs | Dropped to `pinDigests: false` alone — Renovate still surfaces vulnerability alerts and (eventually) `@vN` tag migration, but never produces digest-pin PRs that violated org policy |

## Test plan

- [x] `renovate.json` valid JSON
- [ ] CI green
- [x] Original PR #124 threads replied-to + resolved via GraphQL with a link here

## Related

Part of a session-wide audit triggered by the user: 3 of 11 merged PRs (this one, snipe-it-docker-compose-stack#15, snipe-it-docker-compose-stack#16) had been merged with unresolved bot-reviewer threads. New memory rule `feedback_never_merge_with_unresolved_threads` now requires the GraphQL unresolved-threads query before every `gh pr merge`. Equivalent follow-up PR for the snipe-it threads (which included a HIGH-severity token-leak) is netresearch/snipe-it-docker-compose-stack#17.


## Summary

Two related fixes for org-policy compliance, bundled because both are about phpbu-docker conforming to Netresearch standards on its CI infrastructure:

### 1. Renovate digest-pin exclusion for first-party reusables

Renovate has been digest-pinning `uses: netresearch/.github/.github/workflows/*@main` refs in this repo for months — four commits in the recent log do this (9fa7178, 4f38a92, aeb49e5, 309fca0). Each violates org policy: first-party Netresearch reusable workflows are called with `@main` (never SHA-pinned). Third-party actions (`actions/checkout`, `docker/build-push-action`, etc.) DO get SHA-pinned per supply-chain policy — different trust models.

- `.github/workflows/auto-merge.yml` — reverted the digest-pinned `auto-merge-deps.yml@22155f1...` back to `@main`. Same reusable, same behavior.
- `renovate.json` — added a packageRule that disables Renovate for github-actions deps matching `^netresearch/`. `enabled: false` means no PRs, no digest pins, no drift. The wide "Group GitHub Actions" rule still SHA-pins third-party actions exactly as before.

### 2. Add canonical PR Quality Gates caller

This repo was missing the standard `pr-quality.yml` caller that other Netresearch org repos use (netresearch/ofelia, ldap-selfservice-password-changer, the t3x-* TYPO3 extensions). The org reusable provides:

- `author_association` is OWNER/MEMBER/COLLABORATOR — satisfies the "1 approval" branch protection gate for routine maintainer work without bypassing the Copilot review (which runs separately via the Copilot ruleset)

Caller config matches netresearch/ofelia verbatim.

## Test plan

- `renovate.json` valid JSON
- `actionlint` clean on `pr-quality.yml`

## Related

- @main, never SHA-pinned (different trust model from third-party actions)
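The two packageRules the PR body describes, with the first-party rule in the narrowed form the follow-up commit settled on (`pinDigests: false` instead of `enabled: false`), written out as an added example of a complete `renovate.json`. This is not the repository's own file: the `groupName` and `description` strings are assumptions, and only the `^netresearch/` pattern, the manager name and the two option names come from the PR text.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Group all GitHub Actions updates and SHA-pin third-party actions (supply-chain policy).",
      "matchManagers": ["github-actions"],
      "groupName": "GitHub Actions",
      "pinDigests": true
    },
    {
      "description": "First-party Netresearch reusable workflows are called with @main (or @vN once tagged) and are never digest-pinned; Renovate still reports vulnerability alerts and future tag updates for them.",
      "matchManagers": ["github-actions"],
      "matchPackagePatterns": ["^netresearch/"],
      "pinDigests": false
    }
  ]
}
```

Rule order matters: Renovate applies `packageRules` top to bottom and a later match overrides an earlier one, so the `^netresearch/` rule has to come after the group rule or the `pinDigests: true` default would win. Replacing `"pinDigests": false` with `"enabled": false` reproduces what PR #124 originally merged, which is the variant the follow-up commit dropped because it also silences security alerts and any later `@vN` migration for those refs. `matchPackagePatterns` is the older spelling; current Renovate releases accept the same regex as `"matchPackageNames": ["/^netresearch\\//"]`.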