ruzickap · ruzickap · Jul 21, 2024 · Jul 10, 2024
@@ -1,14 +1,16 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // Keep the extends started with ":" at the end of the list to allow overriding
   extends: [
     "config:recommended",
     "docker:pinDigests",
     "helpers:pinGitHubActionDigestsToSemver",
     "security:openssf-scorecard",
     ":disableDependencyDashboard",
-    ":docker",
     ":disableRateLimiting",
+    ":docker",
     ":enableVulnerabilityAlertsWithLabel(security)",
+    ":pinSkipCi",
   ],
   "git-submodules": {
     enabled: true,

@@ -2,6 +2,7 @@
 name: docker-image
 
 on:
+  workflow_dispatch:
   pull_request:
     types: [opened, synchronize]
     paths:

@@ -2,6 +2,7 @@
 name: markdown-check
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - main

@@ -34,12 +34,12 @@ jobs:
             # Extract:   ```bash ... ```
             sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
           done
-          ls -la README.sh
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
         uses: oxsecurity/megalinter@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # v7.13.0
         env:
           GITHUB_COMMENT_REPORTER: false
-          GITHUB_STATUS_REPORTER: true
+          # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403
+          GITHUB_STATUS_REPORTER: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -2,6 +2,7 @@
 name: readme-commands-check
 
 on:
+  workflow_dispatch:
   pull_request:
     types: [opened, synchronize]
     paths:

@@ -20,7 +20,7 @@ on:
       - main
       - "!renovate/*"
   schedule:
-    - cron: "0 0,2,4 * * 0"
+    - cron: "0 0-3 * * 0"
 
 env:
   # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
@@ -45,6 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
+    permissions: write-all
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -53,9 +54,9 @@ jobs:
         id: app-token
         with:
           app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
-          private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
+          private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
 
       - name: 💡 Self-hosted Renovate
         uses: renovatebot/github-action@259200be4d976a76196ec8985b0dddcaf1733b47 # v40.2.0
         with:
-          token: "${{ steps.app-token.outputs.token }}"
+          token: ${{ steps.app-token.outputs.token }}
@@ -2,6 +2,7 @@
 name: semantic-pull-request
 
 on:
+  workflow_dispatch:
   pull_request_target:
     types:
       - opened
@@ -15,6 +16,12 @@ jobs:
   semantic-pull-request:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        id: app-token
+        with:
+          app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
+          private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
+
       - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
@@ -2,6 +2,7 @@
 name: stale
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: "9 9 * * *"
 

@@ -33,7 +33,7 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16
 
 REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL
+REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN

@@ -317,7 +317,7 @@ and [muffet](https://github.com/raviqqe/muffet) binaries if they
 are not already installed on your system.
 
 ```bash
-export INPUT_URL="https://www.mkdocs.org"
+export INPUT_URL="https://debian.cz/info/"
 export INPUT_CMD_PARAMS="--buffer-size=8192 --ignore-fragments --one-page-only --max-connections=10 --color=always --verbose"
 ./entrypoint.sh
 ```

@@ -31,12 +31,13 @@ exclude = [
   # Ignore all URLs with '{ ... }' - BASH / Ansible variable in URL
   '%7B.*%7D',
   # Ignore all URLs which starts with 'file://'
-  'file://'
+  'file://',
 ]
 
 # Exclude these filesystem paths from getting checked
 exclude_path = [
   "CHANGELOG.md",
+  "package-lock.json",
 ]
 
 # Exclude all private IPs from checking.