scripts/new-post.mjs writes schema-valid posts from flags or a JSON event (the IaC publish seam). Gitea Actions workflow: ci check, audit-ci gate, build, dist scan, CycloneDX SBOM, buildah build+push, and a least-privilege digest-bump PR to home-ops (never auto-merged). Renovate + audit allowlist.
@@ -0,0 +1,23 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": [
|
||||
"config:recommended",
|
||||
":semanticCommits",
|
||||
"docker:pinDigests"
|
||||
],
|
||||
"labels": ["dependencies"],
|
||||
"lockFileMaintenance": { "enabled": true },
|
||||
"packageRules": [
|
||||
{
|
||||
"description": "Batch non-major npm updates",
|
||||
"matchManagers": ["npm"],
|
||||
"matchUpdateTypes": ["minor", "patch"],
|
||||
"groupName": "npm (non-major)"
|
||||
},
|
||||
{
|
||||
"description": "Keep base images (node, nginx) current and digest-pinned",
|
||||
"matchManagers": ["dockerfile"],
|
||||
"groupName": "container base images"
|
||||
}
|
||||
]
|
||||
}
|
||||
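Review bot: The npm packageRule groups every minor and patch update into a single batched PR, so a dependency bumped only because of a published vulnerability waits for, and can be held back with, the rest of the batch, and nothing in this config pulls security fixes out of that group. Renovate can raise vulnerability fixes as separate, ungrouped PRs from OSV data, which also works on Gitea where GitHub's dependency alerts are not available; add `"osvVulnerabilityAlerts": true` at the top level next to `"labels"`. Separately, `config:recommended` plus `docker:pinDigests` pins container image references but not the `uses:` entries of the Gitea Actions workflow this commit introduces; adding `"helpers:pinGitHubActionDigestsToSemver"` to `extends` (or replacing `config:recommended` with `config:best-practices`, which includes both pinning presets) closes that gap, assuming Renovate's github-actions manager is matching the `.gitea/workflows` path in this repository. The `lockFileMaintenance` entry carries no schedule of its own and so presumably inherits the preset's default cadence; a `"description"` field stating the intended cadence would make that explicit for the next reviewer.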