Skip to content

chore: Configure Renovate#32

Merged
CybotTM merged 1 commit into
mainfrom
renovate/configure
Mar 1, 2026
Merged

chore: Configure Renovate#32
CybotTM merged 1 commit into
mainfrom
renovate/configure

Conversation

@renovate

@renovate renovate Bot commented Mar 1, 2026

Copy link
Copy Markdown
Contributor

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


Detected Package Files

  • composer.json (composer)
  • .github/workflows/lint.yml (github-actions)
  • .github/workflows/release.yml (github-actions)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Ensure that every dependency pinned by digest and sourced from GitHub.com contains a link to the commit-to-commit diff
  • Correctly link to the source code for golang.org/x packages
  • Link to pkg.go.dev/... for golang.org/x packages' title

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.


What to Expect

It looks like your repository dependencies are already up-to-date and no Pull Requests will be necessary right away.


❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.


This PR was generated by Mend Renovate. View the repository job log.

@CybotTM CybotTM merged commit 958b514 into main Mar 1, 2026
3 checks passed
@CybotTM CybotTM deleted the renovate/configure branch March 1, 2026 11:13
CybotTM added a commit that referenced this pull request Mar 30, 2026
…conversation resolution

Add mechanical checkpoints (GH-30, GH-31) that verify enforce_admins
and required_conversation_resolution via GitHub API, plus an LLM review
checkpoint (GH-32) for the combined audit. Without enforce_admins, admins
can bypass all branch protection rules including unresolved review threads.

Updates verify script to check these settings and security-config.md
reference to document the enforce_admins requirement.
CybotTM added a commit that referenced this pull request May 4, 2026
…allowlist

The automated-assessment runner enforces a command allowlist that rejects
command-chaining metacharacters (; && || backticks $()) and only accepts
specific base commands. Four checkpoints failed allowlist validation and
were never actually evaluated against target projects.

GH-6 and GH-23 used `test -f X || test -f Y` chains to test for any of
several files. Rewritten as `type: file_exists` with brace expansion,
which is the runner's first-class idiom for "any of these files".

GH-30 and GH-31 used multi-line YAML literal-block scalars (`target: |`)
to invoke `gh api` for branch protection audits. The runner's simple
line parser sees the literal-block indicator as the first token and
rejects with "'|' not in allowed command whitelist". Even with the
allowlist passing, these cannot be executed mechanically — they require
GitHub API auth context. Converted to `type: gh_api`, which the runner
recognises and skips with a clear evidence string. The semantically
equivalent audit is preserved in GH-32 (llm_reviews).
CybotTM added a commit that referenced this pull request May 5, 2026
- GH-7: add docs/ paths to target list and accept both upper/lowercase
  PULL_REQUEST_TEMPLATE.md in org_provides via brace expansion.
- GH-8/09: drop redundant .github/ prefix from org_provides (path is
  resolved against the {owner}/.github repo root) and accept both .yml
  and .md forms for the org-wide fallback so repos following either
  Netresearch convention pass.
- GH-32: align prompt with GH-30 demote — enforce_admins is advisory
  (info), only required_conversation_resolution remains error-level.
  Prevents repos following the org default (enforce_admins=false) from
  failing GH-32 even though GH-30 was demoted to info.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
CybotTM added a commit that referenced this pull request May 5, 2026
- GH-7: add docs/ paths to target list and accept both upper/lowercase
  PULL_REQUEST_TEMPLATE.md in org_provides via brace expansion.
- GH-8/09: drop redundant .github/ prefix from org_provides (path is
  resolved against the {owner}/.github repo root) and accept both .yml
  and .md forms for the org-wide fallback so repos following either
  Netresearch convention pass.
- GH-32: align prompt with GH-30 demote — enforce_admins is advisory
  (info), only required_conversation_resolution remains error-level.
  Prevents repos following the org default (enforce_admins=false) from
  failing GH-32 even though GH-30 was demoted to info.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant