From 0f8178d3a4bc12b8307dbfb31daae7d9ab82a7d3 Mon Sep 17 00:00:00 2001 From: Shunsuke Suzuki Date: Fri, 6 Jan 2023 07:50:50 +0900 Subject: [PATCH] ci: stop slsa-github-generator pinning because slsa-github-generator doesn't support pinning > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z --- .github/workflows/release.yaml | 4 +++- renovate.json5 | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5ec2f6aee..25e2ec54c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -64,7 +64,9 @@ jobs: actions: read # Needed for detection of GitHub Actions environment. id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@68bad40844440577b33778c9f29077a3388838e9 # v1.4.0 + # slsa-framework/slsa-github-generator doesn't support pinning version + # > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" # Upload provenance to a new release diff --git a/renovate.json5 b/renovate.json5 index 2a9673888..2be593786 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -8,6 +8,23 @@ "github>aquaproj/aqua-renovate-config:file#1.5.0(aqua/.*\\.ya?ml)", ], ignorePaths: [], + packageRules: [ + { + matchUpdateTypes: ["digest"], + enabled: false, + }, + { + // slsa-framework/slsa-github-generator doesn't support pinning version + // > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z + matchDepTypes: [ + "action", + ], + matchPackageNames: [ + "slsa-framework/slsa-github-generator", + ], + pinDigests: false, + } + ] regexManagers: [ { fileMatch: [".*\\.go"],