From 24be0b45fdaafc898c3ce9adb8dcaf76fa52f4a0 Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Fri, 5 Jun 2026 07:53:50 +0200
Subject: [PATCH] renovate: termix uses github-releases datasource (restores 3-day gate) Replaces the security-flagged `minimumReleaseAge: 0` bypass with a proper datasource swap. Why: ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a release timestamp, so Renovate's default `timestamp-required` mode holds updates indefinitely. The previous fix (zeroing the gate) was flagged as a supply-chain control regression -- correctly, since it weakens the stability protection for that package. Cleaner fix: point Renovate's version lookup at the upstream GitHub Releases (Termix-SSH/Termix per the OCI source label) where timestamps ARE published. The 3-day gate then works for termix the same way it works for other packages with intact timestamps. Renovate still updates the same image -- the manager extracts ghcr.io/lukegus/termix from termix.yaml and writes the new tag back; only the version-source lookup is redirected. The ghcr.io registry hosts every release-X.Y.Z tag (verified release-2.3.2 present), so the writeback target stays valid. Major bumps (1.x -> 2.x) continue to queue for dashboard approval via the global major rule.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 admin-system/renovate.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml
index e395b5c..49f099c 100644
--- a/admin-system/renovate.yaml
+++ b/admin-system/renovate.yaml
@@ -91,10 +91,11 @@ data:
 "automerge": false
 },
 {
- "description": "termix: regex versioning parses the release-X.Y.Z prefix; minimumReleaseAge:0 bypasses the stability gate because ghcr.io OCI manifests for this image don't expose a release timestamp (timestamp-required mode otherwise holds it forever). Major bumps still queue for dashboard approval via the global major rule.",
+ "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
 "matchPackageNames": ["ghcr.io/lukegus/termix"],
- "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$",
- "minimumReleaseAge": "0 days"
+ "datasource": "github-releases",
+ "packageName": "Termix-SSH/Termix",
+ "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$"
 },
 {
 "description": "wanderer: db + web update together in one PR",
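Review bot: With `"datasource": "github-releases"` and `"packageName": "Termix-SSH/Termix"`, the 3-day gate now ages the GitHub release rather than the `ghcr.io/lukegus/termix` tag that is actually pulled, so a tag pushed or re-pushed to the registry after the release is not covered by the gate. The release repo and the image live under different owners, and the only link stated is the OCI source label, which this rule does not check. I would record that limit in the rule's `description`, e.g. append `Gate reflects GitHub release age, not ghcr.io push time.`, and, if termix.yaml references the image by tag only, consider pinning it by digest so the artifact reviewed in the PR is the one that runs. It is also worth confirming on a dry run that a packageRule accepts `datasource`/`packageName` directly: Renovate documents `overrideDatasource` and `overridePackageName` for redirecting a lookup, and an ignored key would presumably leave the update held as before. The surrounding packageRules array starts and ends outside this hunk.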