diff --git a/lib/modules/manager/github-actions/__fixtures__/workflow_4.yml b/lib/modules/manager/github-actions/__fixtures__/workflow_4.yml index 1c3cbecb6bf4f9..809518dcf51030 100644 --- a/lib/modules/manager/github-actions/__fixtures__/workflow_4.yml +++ b/lib/modules/manager/github-actions/__fixtures__/workflow_4.yml @@ -19,3 +19,4 @@ jobs: - uses: actions/checkout@689fcce700ae7ffc576f2b029b51b2ffb66d3abd # v2.1.0 additional comment - uses: actions/checkout@689fcce700ae7ffc576f2b029b51b2ffb66d3abd # ratchet:actions/checkout@v2.1.0 - uses: actions/checkout@689fcce700ae7ffc576f2b029b51b2ffb66d3abd # ratchet:exclude + - uses: actions-runner-controller/execute-assert-arc-e2e@f1d7c52253b89f0beae60141f8465d9495cdc2cf # actions-runner-controller-0.23.5 diff --git a/lib/modules/manager/github-actions/extract.spec.ts b/lib/modules/manager/github-actions/extract.spec.ts index a660f80d9da413..f45bc1c5bca660 100644 --- a/lib/modules/manager/github-actions/extract.spec.ts +++ b/lib/modules/manager/github-actions/extract.spec.ts @@ -397,6 +397,12 @@ describe('modules/manager/github-actions/extract', () => { replaceString: 'actions/checkout@689fcce700ae7ffc576f2b029b51b2ffb66d3abd # ratchet:exclude', }, + { + currentDigest: 'f1d7c52253b89f0beae60141f8465d9495cdc2cf', + currentValue: 'actions-runner-controller-0.23.5', + replaceString: + 'actions-runner-controller/execute-assert-arc-e2e@f1d7c52253b89f0beae60141f8465d9495cdc2cf # actions-runner-controller-0.23.5', + }, ]); }); diff --git a/lib/modules/manager/github-actions/extract.ts b/lib/modules/manager/github-actions/extract.ts index edf09dbfed2d9f..ce6f18cd1c2012 100644 --- a/lib/modules/manager/github-actions/extract.ts +++ b/lib/modules/manager/github-actions/extract.ts @@ -15,7 +15,7 @@ import type { Workflow } from './types'; const dockerActionRe = regEx(/^\s+uses\s*: ['"]?docker:\/\/([^'"]+)\s*$/); const actionRe = regEx( - /^\s+-?\s+?uses\s*: (?['"]?(?https:\/\/[.\w-]+\/)?(?[\w-]+\/[.\w-]+)(?\/.*)?@(?[^\s'"]+)['"]?(?:\s+#\s*(((?:renovate\s*:\s*)?(?:pin\s+|tag\s*=\s*)?|(?:ratchet:[\w-]+\/[.\w-]+)?)@?(?v?\d+(?:\.\d+(?:\.\d+)?)?)|(?:ratchet:exclude)))?)/, + /^\s+-?\s+?uses\s*: (?['"]?(?https:\/\/[.\w-]+\/)?(?[\w-]+\/[.\w-]+)(?\/.*)?@(?[^\s'"]+)['"]?(?:\s+#\s*(((?:renovate\s*:\s*)?(?:pin\s+|tag\s*=\s*)?|(?:ratchet:[\w-]+\/[.\w-]+)?)@?(?([\w-]*-)?v?\d+(?:\.\d+(?:\.\d+)?)?)|(?:ratchet:exclude)))?)/, ); // SHA1 or SHA256, see https://github.blog/2020-10-19-git-2-29-released/ diff --git a/lib/modules/manager/github-actions/readme.md b/lib/modules/manager/github-actions/readme.md index 2a8d381391445e..57c47c22842c34 100644 --- a/lib/modules/manager/github-actions/readme.md +++ b/lib/modules/manager/github-actions/readme.md @@ -1,7 +1,7 @@ The `github-actions` manager extracts dependencies from GitHub Actions workflow and workflow template files. It can also be used for Gitea and Forgejo Actions workflows as such are compatible with GitHub Actions workflows. -If you like to use digest pinning but want to follow the action version tag, you can use the following sample: +If you like to use digest pinning but want to follow the action version tag, you can use the sample below: ```yaml name: build @@ -15,8 +15,14 @@ jobs: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 ``` -Renovate will update the commit SHA but follow the GitHub tag you specified. +Renovate will update the commit SHA according to the GitHub tag you specified. Renovate can update digests that use SHA1 and SHA256 algorithms. +The GitHub tag is in the format of `(prefix-)(v)1.0.0`, where `prefix` and `v` are optional and `1.0.0` is the version number. +Here are the examples of valid GitHub tags: +`1.0.1`, `1.0`, `1`, +`v1.0.1`, `v1.0`, `v1`, +`prefix-1.0.1`, `prefix-1.0`, `prefix-1`, +`prefix-v1.0.1`, `prefix-v1.0`, `prefix-v1`. If you want to automatically pin action digests add the `helpers:pinGitHubActionDigests` preset to the `extends` array: