Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions Earthfile
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,18 @@ lint-changelog:
COPY CHANGELOG.md .
RUN changelogparser --changelog CHANGELOG.md

# lint-renovate lints the renovate configuration file.
lint-renovate:
FROM +node
# renovate: datasource=npm packageName=renovate
LET renovate_version=43.243.2
RUN \
--mount type=cache,target=/root/.npm,id=npm \
npm install -g renovate@$renovate_version

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what's in the dependency tree for renovate specifically but this sort of npm i -g is a bit dangerous with how often npm packages are getting compromised with outright malware these days.

Best to have a lockfile when working with npm so that the latest versions of all transitive dependencies are not automatically resolved.

Alternatively, we should be able to configure npm (if new enough) to not install anything that wasn't published at least 1 day ago which helps a lot given malware is generally detected and pulled by then

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate is already embedded tightly into life cycle of EarthBuild project development, and many other projects.

If it is compromised, it opens pandora box.

The idea about lock file is interesting.

WORKDIR /renovate
COPY .github/renovate.json5 .github/renovate.json5
RUN renovate-config-validator .github/renovate.json5

# debugger builds the earthly debugger and saves the artifact in build/earth_debugger
debugger:
FROM +code
Expand Down Expand Up @@ -722,6 +734,7 @@ lint-all:
BUILD +lint
BUILD +lint-scripts
BUILD +lint-changelog
BUILD +lint-renovate

# test-no-qemu runs tests without qemu virtualization by passing in dockerhub authentication and
# using secure docker hub mirror configurations
Expand Down
Loading