diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 1df1eacac20..afc7b0d2fce 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -37,6 +37,13 @@
 enabled: false,
 },
+ // Re-enable vulnerability/security updates for active release branches
+ {
+ matchBaseBranches: ["release-2.5", "release-2.4", "release-2.3"],
+ isVulnerabilityAlert: true,
+ enabled: true,
+ },
+
 // Disable indirect go dependencies updates, resource: https://github.com/renovatebot/renovate/discussions/35225#discussioncomment-13666269
 {
 matchManagers: ["gomod"],
@@ -44,6 +51,14 @@
 enabled: false,
 },
+ // Re-enable vulnerability/security updates for indirect go dependencies
+ {
+ matchManagers: ["gomod"],
+ matchDepTypes: ["indirect"],
+ isVulnerabilityAlert: true,
+ enabled: true,
+ },
+
 {
 matchManagers: ["gomod"],
 matchBaseBranches: ["main"],
diff --git a/go.mod b/go.mod
index 5cef4043ed1..c89aa34a903 100644
--- a/go.mod
+++ b/go.mod
@@ -91,7 +91,7 @@ require (
 cel.dev/expr v0.25.1 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/ClickHouse/ch-go v0.66.0 // indirect
- github.com/MakeNowJust/heredoc v1.0.0 // indirect
+ github.com/MakeNowJust/heredoc/v2 v2.0.0 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/NYTimes/gziphandler v1.1.1 // indirect
 github.com/VividCortex/ewma v1.2.0 // indirect
diff --git a/hack/update-renovate-baseBranches.sh b/hack/update-renovate-baseBranches.sh
index 12f7aba8c2d..5401e980330 100755
--- a/hack/update-renovate-baseBranches.sh
+++ b/hack/update-renovate-baseBranches.sh
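Review bot: `isVulnerabilityAlert: true` in the first added rule is written as if it were a match condition, and I am not certain Renovate treats it as one inside `packageRules`; as far as I know only the `match*`/`exclude*` keys select packages and every other key in a rule is applied as configuration. If that holds, the rule would match every dependency on `release-2.5`, `release-2.4` and `release-2.3` and set `enabled: true`, undoing the disable rule whose tail is visible just above it instead of letting only security updates through. The same concern applies to the second added rule for indirect `gomod` dependencies in the next hunk. Please run `renovate-config-validator` and a dry run against one release branch before merging, and if the key is not honoured as a matcher, express the intent through the top-level `vulnerabilityAlerts` object instead.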
@@ -31,8 +31,8 @@ echo "Updating renovate configuration with versions: $VERSION1, $VERSION2, $VERS
 sed -i.bak "s/baseBranches: \[\"main\", \"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/baseBranches: [\"main\", \"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/" "$RENOVATE_CONFIG"
-# Update first matchBaseBranches occurrence that disables regular updates for active release branches
-sed -i.bak2 "0,/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/{s/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/}" "$RENOVATE_CONFIG"
+# Update all matchBaseBranches occurrences that list the active release branches
+sed -i.bak2 "s/matchBaseBranches: \[\"release-[^\"]*\", \"release-[^\"]*\", \"release-[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/g" "$RENOVATE_CONFIG"
 rm -f "$RENOVATE_CONFIG.bak" "$RENOVATE_CONFIG.bak2"
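Review bot: Nothing after the rewritten `sed -i.bak2` line checks that a substitution actually happened, so if one of the `matchBaseBranches` lists in `renovate.json5` is ever formatted differently (other spacing, a fourth branch, a name not starting with `release-`) the command still exits 0 and that rule keeps the old branch names. Since this commit makes the same list gate the security re-enable rule as well as the disable rule, a silent miss can leave the two rules covering different branches. Consider failing the script when the new list is absent, e.g. `grep -qF "matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"]," "$RENOVATE_CONFIG" || { echo "matchBaseBranches not updated" >&2; exit 1; }`, ideally comparing the match count with the number of rules expected. `$VERSION1`–`$VERSION3` are also interpolated into the sed replacement unescaped; how they are derived is outside this hunk.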