chore(renovate): validate config#613
Conversation
➖ Are we earthbuild yet?No change in "earthly" occurrences 📈 Overall Progress
Keep up the great work migrating from Earthly to Earthbuild! 🚀 💡 Tips for finding more occurrencesRun locally to see detailed breakdown: ./.github/scripts/count-earthly.shNote that the goal is not to reach 0. |
There was a problem hiding this comment.
Code Review
This pull request introduces a new lint-renovate target in the Earthfile to validate the Renovate configuration file (.github/renovate.json5) using renovate-config-validator. It also integrates this new target into the lint-all build target. I have no feedback to provide as there are no review comments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| LET renovate_version=43.243.2 | ||
| RUN \ | ||
| --mount type=cache,target=/root/.npm,id=npm \ | ||
| npm install -g renovate@$renovate_version |
There was a problem hiding this comment.
Not sure what's in the dependency tree for renovate specifically but this sort of npm i -g is a bit dangerous with how often npm packages are getting compromised with outright malware these days.
Best to have a lockfile when working with npm so that the latest versions of all transitive dependencies are not automatically resolved.
Alternatively, we should be able to configure npm (if new enough) to not install anything that wasn't published at least 1 day ago which helps a lot given malware is generally detected and pulled by then
There was a problem hiding this comment.
Renovate is already embedded tightly into life cycle of EarthBuild project development, and many other projects.
If it is compromised, it opens pandora box.
The idea about lock file is interesting.
No description provided.