Use renovate with bash-shfmt #4528
Conversation
bdovaz
requested review from
Kurt-von-Laven,
echoix and
nvuillam
as code owners
|
/build
|
🦙 MegaLinter status:
|
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ API | spectral | 1 | 0 | 1.69s | |
| bash-exec | 6 | 1 | 0.03s | ||
| ✅ BASH | shellcheck | 6 | 0 | 0.22s | |
| ✅ BASH | shfmt | 6 | 0 | 0 | 0.87s |
| ✅ COPYPASTE | jscpd | yes | no | 2.86s | |
| ✅ DOCKERFILE | hadolint | 129 | 0 | 23.57s | |
| ✅ JSON | jsonlint | 20 | 0 | 0.21s | |
| ✅ JSON | v8r | 22 | 0 | 15.6s | |
| markdownlint | 267 | 0 | 303 | 23.56s | |
| ✅ MARKDOWN | markdown-table-formatter | 267 | 0 | 0 | 159.35s |
| bandit | 215 | 66 | 3.31s | ||
| ✅ PYTHON | black | 215 | 0 | 0 | 4.77s |
| ✅ PYTHON | flake8 | 215 | 0 | 1.93s | |
| ✅ PYTHON | isort | 215 | 0 | 0 | 1.27s |
| ✅ PYTHON | mypy | 215 | 0 | 16.99s | |
| ✅ PYTHON | pylint | 215 | 0 | 33.91s | |
| ✅ PYTHON | ruff | 215 | 0 | 0 | 0.52s |
| ✅ REPOSITORY | checkov | yes | no | 35.51s | |
| ✅ REPOSITORY | git_diff | yes | no | 0.46s | |
| grype | yes | 26 | 12.7s | ||
| ✅ REPOSITORY | secretlint | yes | no | 11.84s | |
| ✅ REPOSITORY | trivy | yes | no | 15.14s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | 0.26s | |
| trufflehog | yes | 1 | 54.09s | ||
| ✅ SPELL | cspell | 718 | 0 | 12.25s | |
| lychee | 349 | 18 | 6.99s | ||
| ✅ XML | xmllint | 3 | 0 | 0 | 0.9s |
| ✅ YAML | prettier | 160 | 0 | 0 | 4.1s |
| ✅ YAML | v8r | 102 | 0 | 30.13s | |
| ✅ YAML | yamllint | 161 | 0 | 2.97s |
See detailed report in MegaLinter reports
MegaLinter is graciously provided by
|
If we'd want, we could go even further with setting the version as: We have to note here that it is a "downgrade" for users, as they were getting some latest versions, and now we are back to a version from october. |
What I intend with this PR and others that I see that are missing is that if MegaLinter is a tool as stable as possible and this requires that the linters used are in turn stable versions, which right now there are many that use branches or tag “latest” pointing to unstable nightlies. And what I say about determinism, you can release a build with 5 minutes of difference and it can change the code of a linter without you knowing it and it is a clear vulnerability. cc @nvuillam |
|
You know you could change the renovate config in your branch and get the PRs to help you out? Look at the presets:
|
|
I tried to rerun the required check that is skipped, but it is still skipped. Why.. |
|
None of your PRs can get the required job to run, it gets skipped... It doesn't happen to me usually... |
For determinism when building Docker images, it is important that we do not use the master branch directly.
In this case, in fact, a nightly is being used instead of a stable release, which is quite dangerous.
https://hub.docker.com/r/mvdan/shfmt/tags