
Proposal to consider renovate for dependency version updates based on commit SHAs #3018

@anithapriyanatarajan

Description

Feature request

Proposal to adopt Renovate bot across the tektoncd organization to automatically update GitHub Actions workflow references that are pinned to commit SHAs.

Context:
The tektoncd organization requires all GitHub Actions references to be pinned to commit SHAs, instead of using branch names (like @main) or version tags. This improves security, but it also creates a limitation that Dependabot cannot track or update commit SHA references that correspond to a branch commit (when no semantic version tag exists). These updates must be done manually across all repositories, or we would have to write specific automation to watch and raise PRs across all repos, which is significant overhead.

Current pattern:
uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@48c53b4e7f1e0bb206575b80eb9fcf07b5854907 # main

Dependabot limitation:
Dependabot only supports semantic version tags (for example, @v1.2.3) or branch references (for example, @main). It cannot update commit SHAs that correspond to branch commits.

Use case

Since we prefer to reuse GitHub workflows from tektoncd/plumbing across all tektoncd repositories (pipelines, chains, operator, triggers, dashboard, etc.), these references are pinned to specific commit SHAs of the main branch.

Renovate can watch for new commits in tektoncd/plumbing (on a chosen branch) and automatically open pull requests to update the pinned SHAs in the downstream repositories. We can start by using Renovate only for GitHub workflow updates from plumbing, and later decide whether to expand its use to other cases, including replacing Dependabot where it makes sense.
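For illustration, here is the kind of check and rewrite such a bot has to perform on the pattern above: flag `uses:` references that are not pinned to a full commit SHA (the org policy), and bump SHA-pinned references whose trailing `# <branch>` comment names a branch for which a newer head is known. This is an added example, not code from the issue author, Renovate or the tektoncd project; the function names and the `branch_heads` map (which the caller would fill from the upstream repo, e.g. via `git ls-remote`) are assumptions, and the sample workflow and the placeholder SHAs are constructed.

```python
import re

# Matches `uses: owner/repo[/path]@<ref> [# comment]`, with or without a leading `- `.
USES_RE = re.compile(
    r"^(?P<prefix>[ \t]*-?[ \t]*uses:[ \t]*)"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]+)?"
    r"@(?P<ref>[^\s#]+)"
    r"(?:[ \t]*#[ \t]*(?P<comment>\S+))?[ \t]*$",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample. The plumbing SHA is the one quoted in the issue; the other
# SHAs are obviously fake placeholders, not real commits.
PLUMBING_OLD = "48c53b4e7f1e0bb206575b80eb9fcf07b5854907"
PLUMBING_NEW = "a" * 40  # placeholder for the current head of plumbing's main
SAMPLE_WORKFLOW = f"""\
jobs:
  retest:
    uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@{PLUMBING_OLD} # main
  build:
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-go@{'b' * 40} # v5.0.2
"""


def find_unpinned(workflow_text):
    """Policy check: return (repo, ref) for every `uses:` ref that is not a full 40-hex SHA."""
    return [(m["repo"], m["ref"]) for m in USES_RE.finditer(workflow_text)
            if not FULL_SHA_RE.match(m["ref"])]


def bump_pinned(workflow_text, branch_heads):
    """Rewrite SHA-pinned refs whose `# <branch>` comment matches a key in
    branch_heads ({(repo, branch): new_sha}). Returns (new_text, changes), where
    changes lists (repo/path, old_sha, new_sha); refs without a known head, refs
    pinned to a tag comment, and refs already at the head are left untouched."""
    changes = []

    def repl(m):
        new = branch_heads.get((m["repo"], m["comment"]))
        if new is None or not FULL_SHA_RE.match(m["ref"]) or new == m["ref"]:
            return m.group(0)
        changes.append((m["repo"] + (m["path"] or ""), m["ref"], new))
        return f"{m['prefix']}{m['repo']}{m['path'] or ''}@{new} # {m['comment']}"

    return USES_RE.sub(repl, workflow_text), changes
```

Running `bump_pinned` a second time with the same heads returns no changes, which is the idempotence a scheduled bot relies on to avoid opening duplicate PRs.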

Labels: kind/feature (Categorizes issue or PR as related to a new feature.)