feat: trim ci (renovate, openssf) (#431)

janderssonse · web-flow · commit 79910390e807 · 2025-10-21T07:17:18.000+02:00
* ci(ssfscorecard): adjust scorecard settings

This PR trims the open ssf scorecard settings so
that it

A) runs twice a week only
B) is runnable from GUI anytime

A) As it is more of general health tool,
there is no need to run it every commit to main.

B) Leaves the option of being able to run it anytime

Signed-off-by: Josef Andersson &lt;josef.andersson@digg.se&gt;

* ci(renovate): use base renovate config

This PR trims and aligns the renovate config
to use the base organisation config.
It eases the maintenance of administration,
but still, it also makes sense when juggling many repositories.

100% compatible, i.e no functionality loss to current conf.

Signed-off-by: Josef Andersson &lt;josef.andersson@digg.se&gt;

* ci(reuseableci): pin sha and version

Signed-off-by: Josef Andersson &lt;josef.andersson@digg.se&gt;

---------

Signed-off-by: Josef Andersson &lt;josef.andersson@digg.se&gt;
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+---
+name: OpenSSF Scorecard Analysis
+on:
+  schedule:
+    # Saturdays at 02:20 UTC
+    - cron: "20 2 * * 6"
+    # Wednesdays at 02:20 UTC
+    - cron: "20 2 * * 3"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  scorecard-analysis:
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
+    with:
+      publish-results: true
diff --git a/.github/workflows/openssfscorecard.yml b/.github/workflows/openssfscorecard.yml
diff --git a/.github/workflows/pullrequest-workflow.yml b/.github/workflows/pullrequest-workflow.yml
@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   pr-checks:
-    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     secrets: inherit  # Pass org-level secrets (NPM token if private packages)
     permissions:
       contents: read         # Clone repository and read source code
diff --git a/.github/workflows/release-dev-workflow.yml b/.github/workflows/release-dev-workflow.yml
@@ -31,7 +31,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     with:
       project-type: npm
       package-scope: "@diggsweden"
diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml
@@ -24,7 +24,7 @@ permissions:
 
 jobs:
   release:
-    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     permissions:
       contents: write         # Create GitHub releases, push changelog commits
       packages: write         # Publish to GitHub Packages
diff --git a/renovate.json b/renovate.json
@@ -1,29 +1,13 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "osvVulnerabilityAlerts": true,
-  "dependencyDashboardOSVVulnerabilitySummary": "all",
   "extends": [
-    "config:best-practices",
-    "workarounds:all",
-    "security:openssf-scorecard",
-    ":configMigration",
-    ":dependencyDashboard",
-    ":gitSignOff",
-    ":maintainLockFilesWeekly",
-    ":automergePatch",
-    ":semanticCommits",
-    "security:minimumReleaseAgeNpm",
-    ":rebaseStalePrs",
-    ":semanticCommitTypeAll(chore)",
-    "mergeConfidence:all-badges"
+    "local>diggsweden/.github:renovate-base",
+    ":maintainLockFilesWeekly"
+  ],
+  "enabledManagers": [
+    "github-actions",
+    "npm"
   ],
-  "commitMessageLowerCase": "auto",
-  "minimumReleaseAge": "7 days",
-  "labels": ["dependencies"],
-  "vulnerabilityAlerts": {
-    "labels": ["security", "dependencies"]
-  },
-  "timezone": "Europe/Stockholm",
   "platformAutomerge": false,
   "automergeSchedule": ["0 9-21 * * 6"],
   "packageRules": [
@@ -32,17 +16,6 @@
       "matchUpdateTypes": ["patch"],
       "automerge": true
     },
-    {
-      "matchManagers": ["github-actions"],
-      "addLabels": ["actions"],
-      "pinDigests": true,
-      "groupName": "github actions"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["slsa-framework/slsa-github-generator"],
-      "pinDigests": false
-    },
     {
       "description": "Node.js dependencies - Major updates",
       "matchManagers": ["npm"],
