adding renovatebot to maintain deps #1531
Conversation
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit fd256c2.
| if ! [[ "$MINIMUM_RELEASE_AGE" =~ ^[0-9]+$ ]]; then | ||
| echo "Invalid minimumReleaseAge: must be a non-negative integer" | ||
| exit 1 | ||
| fi |
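Review bot: the `^[0-9]+$` format check does not by itself close the gap Bugbot flags, because the membership gate compares the raw string against `0` while this check also lets `00` or `000` through to `RENOVATE_MINIMUM_RELEASE_AGE`. Canonicalise the value once after the format check (for example `MINIMUM_RELEASE_AGE=$((10#$MINIMUM_RELEASE_AGE))`, the `10#` prefix preventing octal interpretation of leading zeros) and run the protocol-galileo gate on that canonical value, so every zero-valued override takes the gated path.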
Zero age gate bypass
Medium Severity
The protocol-galileo gate only runs when minimum_release_age is exactly the string 0, but the override step accepts any all-digit value. Inputs such as 00 skip the membership check yet still set RENOVATE_MINIMUM_RELEASE_AGE, undermining the stated rule that only 0 requires protocol-galileo.
| }); | ||
| if (data.state !== 'active') { | ||
| core.setFailed(`${context.actor} must be an active member of protocol-galileo to set minimumReleaseAge to 0`); | ||
| } |
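Review bot: `data.state !== 'active'` only covers the case where the membership lookup succeeds; `teams.getMembershipForUserInOrg` responds 404 for a user who is not on the team, so for anyone outside protocol-galileo the call throws before this check runs and the step fails with a generic Octokit error instead of the message here. Wrap the call in try/catch and route a 404 to the same `core.setFailed` message. Separately, with workflow permissions of `contents: read` the default `GITHUB_TOKEN` is unlikely to be allowed to read org team membership, so pass a token that has the organization `members: read` permission via the `github-token` input (the GitHub App credentials this workflow already uses for Renovate are one option); as written the gate can fail for active members too.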
Team check token insufficient
Medium Severity
The protocol-galileo membership step calls teams.getMembershipForUserInOrg via actions/github-script with the default GITHUB_TOKEN, while workflow permissions are only contents: read. That token typically cannot read org team membership, so the guard for minimum_release_age 0 may fail for everyone or behave unpredictably.
bgravenorst
left a comment
Couple of Bot comments which may (or may not) be valid. Otherwise, lgtm.
Note
Medium Risk
Introduces automation that can open dependency PRs using GitHub App secrets in a security environment; misconfiguration or bypass of the team gate for immediate updates could increase supply-chain exposure.
Overview
Introduces automated dependency maintenance via Renovate: a new scheduled GitHub Actions workflow and a root renovate.json policy. The .github/workflows/renovatebot.yml workflow runs on the 14th and 28th of each month (and via workflow_dispatch), uses the security environment, and invokes ConsenSys/github-actions/renovatebot with GitHub App credentials. Manual runs can override minimumReleaseAge; setting it to 0 is gated on active protocol-galileo team membership, and non-empty overrides are validated as non-negative integers before being passed as RENOVATE_MINIMUM_RELEASE_AGE. renovate.json enables github-actions and npm only, turns off the dependency dashboard, pins GitHub Actions to SHA digests (7-day minimum release age, grouped), allows immediate updates for ConsenSys/github-actions, and groups npm updates with a 7-day release age.