feat: added vulnerabilityAlerts, fixed semantic-release message, adde…

…d more text to the doc BREAKING-CHANGE: changed minimumReleaseAge to 3 days
anolilab · Dec 3, 2023 · 8c5bb7e · 8c5bb7e
1 parent 787ddcb
commit 8c5bb7e
Show file tree

Hide file tree

Showing 6 changed files with 873 additions and 1,079 deletions.
diff --git a/.github/semantic.yml b/.github/semantic.yml
@@ -2,18 +2,17 @@
 
 titleOnly: true
 types:
+    - "build"
+    - "chore"
+    - "ci"
+    - "deps"
+    - "docs"
     - "feat"
     - "fix"
-    - "docs"
-    - "dx"
-    - "refactor"
     - "perf"
+    - "refactor"
+    - "revert"
+    - "security"
+    - "style"
     - "test"
-    - "workflow"
-    - "build"
-    - "ci"
-    - "chore"
-    - "types"
-    - "wip"
-    - "release"
-    - "deps"
+    - "translation"
diff --git a/README.md b/README.md
@@ -43,14 +43,66 @@ Go to https://github.com/apps/renovate, ask a GitHub admin of the organisation i
 - Support GitHub-Actions updates with hash version
 - Support Docker ecosystem
 - Defined package groups like TypeScript, Prettier, Linters, Vitest
-- Prevent supply-chain attack by `"minimumReleaseAge": 7 days`
+- Prevent supply-chain attack by `"minimumReleaseAge": 3 days`
 
 ## References
 
 - [Renovate Docs](https://renovatebot.com/docs/)
 - [Configuration Options \| Renovate Docs](https://renovatebot.com/docs/configuration-options/)
 - [Default Presets \| Renovate Docs](https://renovatebot.com/docs/presets-default/)
 
+## Useful links
+
+* [How Renovate find/create/update PRs](https://docs.renovatebot.com/key-concepts/pull-requests/)  
+  TL;DR: Renovatebot checks branch names and PR titles. If PR is not found to match the branch - Renovatebot will create a new PR.  
+  To recreate a closed PR, rename the closed PR.
+
+### Renovate App and presets configuration
+
+* [Managing config for many repositories](https://docs.renovatebot.com/key-concepts/presets/#managing-config-for-many-repositories)
+* [Shareable Config Presets](https://docs.renovatebot.com/config-presets/#shareable-config-presets)
+  * [Organization level presets](https://docs.renovatebot.com/config-presets/#organization-level-presets) -  `myorg/renovate-config/default.json` magic name
+  * [GitHub-hosted Presets](https://docs.renovatebot.com/config-presets/#github-hosted-presets)
+  * [Contributing to presets](https://docs.renovatebot.com/config-presets/#contributing-to-presets)
+  * [Preset Versioning](https://docs.renovatebot.com/config-presets/#github)
+
+* [Managers: Supported, configuration, disabling, etc.](https://docs.renovatebot.com/modules/manager/)
+
+* [Renovate App on GitHub Secrets Encryption](https://docs.renovatebot.com/getting-started/private-packages/#mend-renovate-hosted-app-encryption)
+
+* [Known limitations](https://docs.renovatebot.com/known-limitations/)  
+  Example: GitHub hosted app Mend checks each active repository roughly every three hours, if no activity has been seen before then (merged PRs, etc).
+
+  * [No rebasing if you have made edits](https://docs.renovatebot.com/updating-rebasing/#no-rebasing-if-you-have-made-edits) (conflicting with pre-commit auto-fixes)
+
+* [onboardingConfigFileName](https://docs.renovatebot.com/self-hosted-configuration/#onboardingconfigfilename) (self-hosted only).  
+  Useful to change onboarding Renovate config file location.
+
+* [Docker Registries authentication](https://docs.renovatebot.com/docker/#registry-authentication)
+
+### Repos configuration
+
+* [Configuration location](https://docs.renovatebot.com/getting-started/installing-onboarding/#configuration-location)
+
+* [Overriding global configs](https://docs.renovatebot.com/key-concepts/automerge/#overriding-global-automerge)
+
+* [Scheduling syntax](https://docs.renovatebot.com/key-concepts/scheduling/#scheduling-syntax)
+  * [Schedule Presets](https://docs.renovatebot.com/presets-schedule/)
+
+* [Changing the Semantic Commit type](https://docs.renovatebot.com/semantic-commits/#changing-the-semantic-commit-type)
+* [How to edit branch names, commit messages, PR titles, and PR content](https://docs.renovatebot.com/configuration-templates/)
+* [Docker Digest pinning and Updating](https://docs.renovatebot.com/docker/#digest-pinning)
+* [Separate `patch` and `minor` releases of dependencies into separate PRs](https://docs.renovatebot.com/presets-default/#separatepatchreleases).  
+  More details [here](https://docs.renovatebot.com/faq/#separate-patch-releases-from-minor-releases)
+* [Group all packages starting with `abc` together in one PR](https://docs.renovatebot.com/faq/#group-all-packages-starting-with-abc-together-in-one-pr)
+* [:pinVersions](https://docs.renovatebot.com/presets-default/#pinversions) - maintain a single version only and not SemVer ranges
+* [:rebaseStalePrs](https://docs.renovatebot.com/presets-default/#rebasestaleprs) - Rebase existing PRs any time the base branch has been updated.
+* [Update package/GHA references in Markdown files](https://github.com/renovatebot/.github/blob/d9b3c1914f4bf9dbecc6456610ca89530260572f/default.json#L121-L140)
+
+## Troubleshooting
+
+* [Troubleshooting docs](https://docs.renovatebot.com/troubleshooting/)
+* [Renovate dashboard](https://developer.mend.io)
 
 Contributing
 ------------

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,42 @@
+<!-- Lightly modified version of https://github.com/github/.github/blob/master/SECURITY.md -->
+## Security
+
+I'm taking the security of my software products and services seriously, including all of the open source code repositories
+managed by [me](https://github.com/prisis).
+
+## Reporting Security Issues
+
+If you believe you have found a security vulnerability in any (Anolilab|Visulima)-owned repository, please report it to us through coordinated
+disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to d.bannert[@]anolilab.de.
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+  * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Safe Harbor Policy:
+
+**When conducting vulnerability research according to this policy, we consider this research to be:**
+
+- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or
+support legal action against you for accidental, good faith violations of this policy;
+- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of
+technology controls;
+- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those
+restrictions on a limited basis for work done under this policy; and
+- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
+- You are expected, as always, to comply with all applicable laws.
+
+_If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire
+via d.bannert[@]anolilab.de before going any further._
diff --git a/default.json b/default.json
@@ -1,28 +1,39 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", ":timezone(Europe/Berlin)", ":separateMultipleMajorReleases"],
-    "schedule": [
-        "after 10:30 before 18:00 every weekday except after 13:00 before 14:00"
+    "extends": [
+        "config:recommended",
+        ":dependencyDashboard",
+        ":separateMultipleMajorReleases",
+        ":timezone(Europe/Berlin)",
+        "schedule:earlyMondays",
+        ":semanticCommits",
+        ":prNotPending",
+        ":rebaseStalePrs"
     ],
+    "schedule": ["after 10:30 before 18:00 every weekday except after 13:00 before 14:00"],
+    "rollbackPrs": true,
+    "vulnerabilityAlerts": {
+        "description": "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts",
+        "enabled": true,
+        "addLabels": ["security"]
+    },
     "packageRules": [
         {
             "matchDepTypes": ["action"],
             "pinDigests": false,
             "semanticCommits": "enabled"
         },
         {
-          "matchPackagePatterns": [
-            "^@types/"
-          ],
-          "automerge": true,
-          "major": {
-            "automerge": false
-          }
+            "matchPackagePatterns": ["^@types/"],
+            "automerge": true,
+            "major": {
+                "automerge": false
+            }
         }
     ],
     "npm": {
         "labels": ["c: dependencies"],
-        "extends": [":noUnscheduledUpdates", ":separatePatchReleases", "npm:unpublishSafe", ":prNotPending", "helpers:disableTypesNodeMajor"],
+        "extends": [":noUnscheduledUpdates", ":separatePatchReleases", "npm:unpublishSafe", "helpers:disableTypesNodeMajor"],
         "rangeStrategy": "bump",
         "automergeType": "branch",
         "major": {
@@ -33,7 +44,7 @@
         "minor": {
             "automerge": true,
             "groupName": "Minor updates",
-            "minimumReleaseAge": "7 days",
+            "minimumReleaseAge": "3 days",
             "prCreation": "status-success",
             "semanticCommitType": "feat"
         },
@@ -64,23 +75,23 @@
             },
             {
                 "groupName": "textlint",
-                "matchPackageNames": ["^textlint$", "^textlint-scripts", "^textlint-tester", "^@textlint/"]
+                "matchPackageNames": ["^textlint$", "^textlint-scripts", "^textlint-tester", "^@textlint/.*"]
             },
             {
                 "groupName": "secretlint",
-                "matchPackageNames": ["^secretlint", "^@secretlint/"]
+                "matchPackageNames": ["^secretlint", "^@secretlint/.*"]
             },
             {
                 "groupName": "ESLint",
-                "matchPackagePatterns": ["^eslint", "^@typescript-eslint/", "^eslint-plugin-"]
+                "matchPackagePatterns": ["^eslint", "^@typescript-eslint/.*", "^eslint-plugin-.*"]
             },
             {
                 "groupName": "stylelint",
                 "matchPackageNames": ["stylelint", "stylelint-.*", "postcss", "@ronilaukkarinen/stylelint-a11y"]
             },
             {
                 "groupName": "textlint",
-                "matchPackageNames": ["textlint", "textlint-.*", "@textlint*"]
+                "matchPackageNames": ["textlint", "textlint-.*", "@textlint/.*"]
             },
             {
                 "groupName": "prettier",
@@ -97,18 +108,20 @@
         }
     },
     "github-actions": {
-        "extends": [":noUnscheduledUpdates", ":prNotPending", "helpers:pinGitHubActionDigests"],
+        "extends": [":noUnscheduledUpdates", "helpers:pinGitHubActionDigests"],
         "rangeStrategy": "bump",
         "automergeType": "branch",
         "automerge": true,
-        "semanticCommitType": "workflow"
+        "semanticCommitType": "ci"
     },
     "dockerfile": {
+        "extends": ["docker:pinDigests"],
         "enabled": true,
         "automerge": true,
         "semanticCommitType": "chore"
     },
     "docker-compose": {
+        "extends": ["docker:pinDigests"],
         "enabled": true,
         "automerge": true,
         "semanticCommitType": "chore"

diff --git a/package.json b/package.json
@@ -58,20 +58,20 @@
         "@anolilab/prettier-config": "^5.0.13",
         "@anolilab/semantic-release-preset": "^8.0.2",
         "@anolilab/textlint-config": "^8.0.15",
-        "@commitlint/cli": "^18.2.0",
-        "@commitlint/config-conventional": "^18.1.0",
+        "@commitlint/cli": "^18.4.3",
+        "@commitlint/config-conventional": "^18.4.3",
         "@secretlint/secretlint-rule-preset-recommend": "^8.0.0",
         "husky": "^8.0.3",
         "is-ci": "^3.0.1",
-        "lint-staged": "^15.0.2",
-        "prettier": "^3.0.3",
-        "renovate": "^37.5.4",
+        "lint-staged": "^15.2.0",
+        "prettier": "^3.1.0",
+        "renovate": "^37.81.4",
         "secretlint": "8.0.0",
-        "semantic-release": "^22.0.7",
+        "semantic-release": "^22.0.8",
         "sort-package-json": "^2.6.0",
-        "textlint": "^13.3.3"
+        "textlint": "^13.4.1"
     },
-    "packageManager": "pnpm@8.10.5",
+    "packageManager": "pnpm@8.11.0",
     "engines": {
         "node": ">=20"
     },