* fix(docker): pin base images to SHA256 digests for supply chain security Pin all 9 Dockerfiles to immutable SHA256 digests to prevent supply chain attacks where a compromised upstream image could be silently pulled into production builds. Also add Docker ecosystem to Dependabot configuration for automated digest updates. Images pinned: - node:22-bookworm@sha256:cd7bcd2e7a1e6f72052feb023c7f6b722205d3fcab7bbcbd2d1bfdab10b1e935 - node:22-bookworm-slim@sha256:3cfe526ec8dd62013b8843e8e5d4877e297b886e5aace4a59fec25dc20736e45 - debian:bookworm-slim@sha256:98f4b71de414932439ac6ac690d7060df1f27161073c5036a7553723881bffbe - ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b Fixes #7731 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test(docker): add digest pinning regression coverage --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
# Dependabot configuration
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
#
# Every ecosystem below uses the same posture: a weekly check, a 7-day
# cooldown before a freshly published release is proposed, and grouped PRs
# so routine bumps arrive as one reviewable change per ecosystem.

version: 2

registries:
  # Single explicit npm registry; replaces-base makes it the resolution base
  # instead of the ecosystem default, so there is exactly one source of truth.
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    replaces-base: true

updates:
  # npm dependencies (root)
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    # Wait 7 days after a version is published before proposing it, so a
    # release that is compromised or yanked shortly after publication is
    # not auto-suggested while it is still live.
    cooldown:
      default-days: 7
    # Only minor/patch bumps are grouped; majors arrive as individual PRs
    # so breaking changes get their own review.
    groups:
      production:
        dependency-type: production
        update-types:
          - minor
          - patch
      development:
        dependency-type: development
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 10
    # Resolve only against the registry declared above.
    registries:
      - npm-npmjs

  # GitHub Actions
  # NOTE(review): if workflows pin actions by commit SHA, Dependabot keeps the
  # SHA and its version comment in sync — presumably that is the intent here.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      actions:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5

  # Swift Package Manager - macOS app
  - package-ecosystem: swift
    directory: /apps/macos
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5

  # Swift Package Manager - shared MoltbotKit
  - package-ecosystem: swift
    directory: /apps/shared/MoltbotKit
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5

  # Swift Package Manager - Swabble
  - package-ecosystem: swift
    directory: /Swabble
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5

  # Gradle - Android app
  - package-ecosystem: gradle
    directory: /apps/android
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      android-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5

  # Docker base images
  # Refreshes the @sha256 digests the Dockerfiles are pinned to. Unlike the
  # groups above there is no update-types filter, so major tag bumps are
  # grouped in with digest refreshes and need the same review attention.
  # NOTE(review): Dependabot reads Dockerfiles in the listed directory only;
  # confirm every pinned Dockerfile sits under / or add the other locations.
  # The 7-day cooldown presumably also delays digest refreshes that carry
  # base-image security fixes — confirm that trade-off is intended.
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      docker-images:
        patterns:
          - "*"
    open-pull-requests-limit: 5