As we all noticed during the past weeks, the software industry faced many software supply chain attacks, which triggered some warnings to double-check our security in CI pipelines and how we use external tools. Even if we were already in good shape, we decided to improve even more by fixing missing checksum verification and removing unnecessary curl/wget calls.
Now, I'm opening this issue to keep track of additional enhancements on this topic. As we discussed in other communication channels, we could make use of a dependency cool-down period and wait a little before updating our dependencies. For that, we need to configure Renovate bot to respect the cool-down period.
Taking this opportunity, I would also like to propose another improvement. Now that we enforce checksum verification everywhere, it would be great if we could use Renovate to also bump these values. While I was changing the CI, I found references to some Renovate configuration that could be used to instruct it on how to bump the checksum hashes:
This is an example of what Rancher does in some Makefile files:
# renovate: datasource=github-release-attachments depName=derailed/k9s
K9S_VERSION := v0.50.18
# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18
K9S_SUM_arm64 := d3dcc051d6be26ee911c00f583412802ebe203a189e51bc079332cb410c83b38
# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18
K9S_SUM_amd64 := 0b697ed4aa80997f7de4deeed6f1fba73df191b28bf691b1f28d2f45fa2a9e9b
These directives must be configured in the Renovate bot configuration file:
https://github.com/rancher/renovate-config/blob/7e19821b778e50fdf5387811866df6bed209bf7c/default.json#L295-L309
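As an added example (not part of this issue or of Rancher's configuration), a small CI lint that parses the "# renovate:" directive format shown above and catches the failure mode a checksum-bumping setup can have: a *_VERSION line that moved while a digest line's digestVersion (and therefore its hash) stayed behind, or a digest that is not a sha256 hex string. The sample Makefile is constructed from the fragment quoted above; the v0.50.19 drift case is constructed.

```python
import re

DIRECTIVE_RE = re.compile(r"^\s*#\s*renovate:\s*(?P<attrs>.+)$")
ASSIGN_RE = re.compile(r"^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*:?=\s*(?P<value>\S+)\s*$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample: the Makefile fragment quoted in the issue.
SAMPLE_OK = """\
# renovate: datasource=github-release-attachments depName=derailed/k9s
K9S_VERSION := v0.50.18
# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18
K9S_SUM_arm64 := d3dcc051d6be26ee911c00f583412802ebe203a189e51bc079332cb410c83b38
# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18
K9S_SUM_amd64 := 0b697ed4aa80997f7de4deeed6f1fba73df191b28bf691b1f28d2f45fa2a9e9b
"""
# Constructed drift case: version bumped, digest lines left at the old version.
SAMPLE_DRIFT = SAMPLE_OK.replace("K9S_VERSION := v0.50.18", "K9S_VERSION := v0.50.19")


def parse_directives(text):
    """Yield (attrs, var_name, var_value, directive_line_no) for every
    '# renovate:' comment and the Makefile assignment right after it."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split() if "=" in kv)
        nxt = ASSIGN_RE.match(lines[idx + 1]) if idx + 1 < len(lines) else None
        yield attrs, (nxt["name"] if nxt else None), (nxt["value"] if nxt else None), idx + 1


def lint_renovate_directives(text):
    """Return human-readable problems; an empty list means the file is consistent."""
    problems, versions, digests = [], {}, []
    for attrs, name, value, line_no in parse_directives(text):
        dep = attrs.get("depName")
        if name is None or dep is None:
            problems.append(f"line {line_no}: directive without depName or assignment")
        elif "digestVersion" in attrs:
            digests.append((dep, attrs["digestVersion"], name, value, line_no))
        else:
            versions[dep] = value  # the dep's *_VERSION pin
    for dep, dv, name, value, line_no in digests:
        if not SHA256_RE.match(value):
            problems.append(f"line {line_no + 1}: {name} is not a sha256 hex digest")
        if versions.get(dep) != dv:  # digestVersion must track the version pin
            problems.append(f"line {line_no}: {name} pinned to {dv} but {dep} is at {versions.get(dep)}")
    return problems
```

Run it against the Makefiles in CI so a version bump that lands without matching digest updates fails the job instead of silently shipping a stale hash.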
Acceptance criteria
- Configure a dependency cool-down period in Renovate bot
- Investigate if we can use the Renovate bot directives in our CI files to update the checksum hashes. If so, add the directives and required configuration to make them work.