Jamie Magee
This pull request adds the JSON schema for `cgmanifest.json`. ## FAQ ### Why? A JSON schema helps you to ensure that your `cgmanifest.json` file is valid. JSON schema validation is...
Now that the updater container images are signed as part of https://github.com/dependabot/dependabot-core/issues/9546, we need to verify those signatures when using those container images. This change allows us to verify that...
Once https://github.com/dependabot/dependabot-core/issues/9546 is completed for production images, we should verify the container image signatures. This can be done with [`cosign`][1]. See sigstore's documentation on signature verification for information[^1], though we...
Yes, we could query the registry client and compare the digest of the local manifest and the remote manifest. But that is more complicated than just letting Docker do that...
If we're using a mutable tag, like `latest`, we should always try and pull the container image regardless of whether or not it's available locally. https://github.com/dependabot/cli/blob/35deb52c81b16ce706ec8601b85c589b7d483503/internal/infra/run.go#L470-L473
When trying to build `1.8.5` I get the following error:
```
Solution file error MSB4051: Project {9D32A24F-7FF0-4632-B663-5AD2D64A6C87} is referencing a project with GUID {732A9A56-32B4-4149-B3A5-F2A4F48293D3}, but a project with this GUID...
```
### Code improvement description Currently, we define static versions of each programming language or package manager that Dependabot uses at runtime. For example, [`npm`][1], [`rust`][2], [`python`][3], etc. Unfortunately, this means...
Required for https://github.com/renovatebot/renovate/issues/16923

Links:
- https://gitlab.archlinux.org/pacman/pacman/blob/master/scripts/makepkg.sh.in
- https://gitlab.archlinux.org/pacman/pacman-contrib/-/blob/master/src/updpkgsums.sh.in
- https://gitlab.archlinux.org/pacman/pacman
- https://gitlab.archlinux.org/pacman/pacman-contrib
We use a lot of short container references like `ubuntu:20.04` or `containerbase/base`. But these can sometimes be confusing, especially as we are also pushing images to the GitHub container registry...