fix(renovate): address unresolved review on PR #124 (#125)
Merged
PR #124 was merged with two unresolved gemini-code-assist threads on the new netresearch/* packageRule. Both addressed here:

1. (medium) Description referenced a specific past commit (309fca0). The reviewer's point: configuration descriptions should focus on the policy, not the incident. Removed the historical-context sentence; kept the policy + trust-model contrast.

2. (medium) `enabled: false` is heavier than needed and blocks future security advisories on these refs. Switched to relying on `pinDigests: false` alone — Renovate still surfaces vulnerability alerts and (eventually) the @vN tag migration, but never produces the digest-pin PRs that violated org policy.

The previous `enabled: false` was a belt-and-suspenders choice during incident remediation. With `pinDigests: false` set, Renovate has no reason to open PRs against `^netresearch/` github-actions refs in the default-update path — the original symptom (Renovate digest-pinning @main) is closed without sacrificing security-alert reachability.

Original threads on #124 replied-to and resolved with a link to this PR.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Automated approval for maintainer PR
All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.
Code Review
This pull request updates the renovate.json configuration to enable a rule that prevents digest pinning for first-party Netresearch reusable workflows by removing the "enabled": false property. It also refines the description of this rule to better reflect organizational policy. I have no feedback to provide as there were no review comments.
Why
PR #124 was merged with 2 unresolved gemini-code-assist threads on the netresearch/* packageRule. Both addressed here.
What changed
- `enabled: false` is over-restrictive and blocks future security alerts on these refs
- `pinDigests: false` alone — Renovate still surfaces vulnerability alerts and (eventually) @vN tag migration, but never produces digest-pin PRs that violated org policy
Test plan
- `renovate.json` valid JSON
Related
Part of a session-wide audit triggered by the user: 3 of 11 merged PRs (this one, snipe-it-docker-compose-stack#15, snipe-it-docker-compose-stack#16) had been merged with unresolved bot-reviewer threads. New memory rule `feedback_never_merge_with_unresolved_threads` now requires the GraphQL unresolved-threads query before every `gh pr merge`. Equivalent follow-up PR for the snipe-it threads (which included a HIGH-severity token-leak) is netresearch/snipe-it-docker-compose-stack#17.
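As an added illustration of the policy this PR settles on (example code written for this page, not part of the repository or Renovate itself): a small lint that parses a renovate.json, locates the first-party github-actions rule and flags `enabled: false` while requiring `pinDigests: false`. The before/after configurations are constructed inline, and the matcher keys (`matchManagers`, `matchPackageNames` with a `/regex/` pattern) are assumptions about how the rule is written, not a copy of the real file.

```python
"""Policy lint for the netresearch/* Renovate packageRule discussed in this PR."""
import json

# Constructed "before" configuration (not the repository's real file):
# enabled:false suppresses every update for the matched refs, including
# the security advisories the reviewer wanted to keep reachable.
BEFORE = json.dumps({
    "packageRules": [{
        "description": "First-party Netresearch reusable workflows: never pin digests",
        "matchManagers": ["github-actions"],           # assumed matcher key
        "matchPackageNames": ["/^netresearch\\//"],    # assumed regex matcher
        "pinDigests": False,
        "enabled": False,
    }],
})

# Constructed "after" configuration: pinDigests:false alone stops the
# digest-pin PRs while vulnerability alerts and @vN tag migration stay on.
AFTER = json.dumps({
    "packageRules": [{
        "description": "First-party Netresearch reusable workflows: never pin digests",
        "matchManagers": ["github-actions"],
        "matchPackageNames": ["/^netresearch\\//"],
        "pinDigests": False,
    }],
})


def lint_first_party_rule(config_text: str, pattern: str = "/^netresearch\\//") -> list[str]:
    """Return policy findings for the packageRule(s) matching `pattern`.

    An empty list means the rule is compliant. Invalid JSON raises, which is
    the "renovate.json valid JSON" check from the test plan.
    """
    config = json.loads(config_text)
    rules = [r for r in config.get("packageRules", [])
             if pattern in r.get("matchPackageNames", [])]
    if not rules:
        return [f"no packageRule matches {pattern}"]
    findings = []
    for rule in rules:
        if rule.get("pinDigests") is not False:
            findings.append("pinDigests must be false: Renovate would open digest-pin PRs for @main refs")
        if rule.get("enabled") is False:
            findings.append("enabled:false blocks security advisories; rely on pinDigests:false instead")
    return findings
```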