From 8474a59f87bf6b19b7165c2db9691482761441fc Mon Sep 17 00:00:00 2001
From: Gareth Healy
Date: Mon, 11 Dec 2023 19:42:56 +0000
Subject: [PATCH] updated tekton versions to be renovated
---
 .github/workflows/tekton-task-images-conftest-pr.yaml | 7 ++++++-
 .../tekton-task-images-conftest-publish.yaml | 8 +++++++-
 .github/workflows/tekton-task-images-helm-pr.yaml | 5 +++++
 .../workflows/tekton-task-images-helm-publish.yaml | 6 ++++++
 SECURITY.md | 9 +++++++++
 renovate.json | 11 +++++++++++
 tekton-task-images/conftest/VERSION | 3 ++-
 tekton-task-images/helm/Dockerfile | 1 +
 tekton-task-images/helm/VERSION | 3 ++-
 9 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/tekton-task-images-conftest-pr.yaml b/.github/workflows/tekton-task-images-conftest-pr.yaml
index 9fa6db372..a207e1cd1 100644
--- a/.github/workflows/tekton-task-images-conftest-pr.yaml
+++ b/.github/workflows/tekton-task-images-conftest-pr.yaml
@@ -4,6 +4,10 @@ on:
 paths: - tekton-task-images/conftest/** - .github/workflows/tekton-task-images-conftest-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: build: env:
@@ -15,7 +19,7 @@ jobs:
 - name: Convert VERSION to version.json run: |
- version=$(cat ${{ env.context }}/VERSION | cut -d"=" -f2)
+ version=$(sed -n '2p' ${{ env.context }}/VERSION | cut -d"=" -f2)
 jq -c --null-input --arg version "v$version" '{ "version": $version }' > ${{ env.context }}/version.json - name: Check and verify version.json
@@ -33,6 +37,7 @@ jobs:
 image: ${{ env.image_name }} oci: true tags: ${{ steps.check_version.outputs.IMAGE_TAGS }}
+
 - name: Test image run: | echo "Running: podman run ${image_name}:${{ steps.check_version.outputs.VERSION }} conftest version"
diff --git a/.github/workflows/tekton-task-images-conftest-publish.yaml b/.github/workflows/tekton-task-images-conftest-publish.yaml
index e590ee039..a9288957e 100644
--- a/.github/workflows/tekton-task-images-conftest-publish.yaml
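Review bot: The new `sed -n '2p'` in the "Convert VERSION to version.json" step hard-codes the layout of the VERSION file (comment on line 1, assignment on line 2); if a second renovate annotation or any other line is ever added, or the comment is dropped, sed prints nothing or the wrong line with exit status 0, and `version` becomes empty so version.json is written as `"v"` instead of the step failing. Select the line by shape rather than position, `version=$(grep -E '^[A-Z0-9_]+_VERSION=' "${{ env.context }}/VERSION" | cut -d'=' -f2)`, and guard it with `test -n "$version"` before the jq call so a parse failure stops the job. The same command is introduced in the conftest-publish workflow and should be changed identically. The "Check and verify version.json" step that consumes the file lies outside this hunk, so whether it would catch an empty version cannot be judged here.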
+++ b/.github/workflows/tekton-task-images-conftest-publish.yaml
@@ -4,6 +4,10 @@ on:
 paths: - tekton-task-images/conftest/VERSION - .github/workflows/tekton-task-images-conftest-publish.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: build: env:
@@ -11,12 +15,14 @@ jobs:
 image_name: tekton-task-conftest REGISTRY: ${{ secrets.REGISTRY_URI }} runs-on: ubuntu-latest
+ permissions:
+ packages: write
 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Convert VERSION to version.json run: |
- version=$(cat ${{ env.context }}/VERSION | cut -d"=" -f2)
+ version=$(sed -n '2p' ${{ env.context }}/VERSION | cut -d"=" -f2)
 jq -c --null-input --arg version "v$version" '{ "version": $version }' > ${{ env.context }}/version.json - name: Get image tags
diff --git a/.github/workflows/tekton-task-images-helm-pr.yaml b/.github/workflows/tekton-task-images-helm-pr.yaml
index 53d5e2db2..a2111fb20 100644
--- a/.github/workflows/tekton-task-images-helm-pr.yaml
+++ b/.github/workflows/tekton-task-images-helm-pr.yaml
@@ -4,6 +4,10 @@ on:
 paths: - tekton-task-images/helm/** - .github/workflows/tekton-task-images-helm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: build: env:
@@ -33,6 +37,7 @@ jobs:
 image: ${{ env.image_name }} oci: true tags: ${{ steps.check_version.outputs.IMAGE_TAGS }}
+
 - name: Test image contains the version of the binary run: | echo "Running: podman run ${image_name}:${{ steps.check_version.outputs.VERSION }} helm version"
diff --git a/.github/workflows/tekton-task-images-helm-publish.yaml b/.github/workflows/tekton-task-images-helm-publish.yaml
index 901065d8d..1ffc5ae12 100644
--- a/.github/workflows/tekton-task-images-helm-publish.yaml
+++ b/.github/workflows/tekton-task-images-helm-publish.yaml
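Review bot: The job-level `permissions:` block added to the build job in conftest-publish lists only `packages: write`, and a job-level block replaces the workflow-level `read-all` rather than extending it, so every scope not named, including `contents`, becomes `none` for this job while the `actions/checkout` step in the same hunk still runs with that token. On a private repository the checkout fails outright; on a public one it works only because the clone falls back to anonymous access. State the read scope explicitly alongside the write one: `permissions:` / `  contents: read` / `  packages: write`. Note also that `REGISTRY` comes from `secrets.REGISTRY_URI`; if that is not ghcr.io, `packages: write` grants nothing the push step needs and a narrower or different grant may be appropriate — the push step is outside this hunk.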
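Review bot: The "Test image contains the version of the binary" step at the end of the helm-pr hunk consumes `steps.check_version.outputs.VERSION`, which is derived from `tekton-task-images/helm/VERSION`, and that file gains a `# renovate:` comment as its first line in this same patch; unlike the conftest workflows, no change to the helm "Convert VERSION to version.json" step appears in this diff (it lies outside the hunk). If it still runs `cat VERSION | cut -d"=" -f2`, the comment line now yields a spurious first output line (`github-releases depName`) and the version string, image tag and this test will break. Confirm the step and switch it to a comment-tolerant extraction such as `version=$(grep -E '^[A-Z0-9_]+_VERSION=' "${{ env.context }}/VERSION" | cut -d'=' -f2)`, keeping both PR and publish workflows identical.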
@@ -4,6 +4,10 @@ on:
 paths: - tekton-task-images/helm/VERSION - .github/workflows/tekton-task-images-helm-publish.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: build: env:
@@ -11,6 +15,8 @@ jobs:
 image_name: tekton-task-helm REGISTRY: ${{ secrets.REGISTRY_URI }} runs-on: ubuntu-latest
+ permissions:
+ packages: write
 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..cd856d7f5
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@container-cop-core](https://github.com/orgs/redhat-cop/teams/container-cop-core)
\ No newline at end of file
diff --git a/renovate.json b/renovate.json
index f9e330f34..b87305877 100644
--- a/renovate.json
+++ b/renovate.json
@@ -26,5 +26,16 @@
 "**/tower-ocp-custom/**", "**/ubi7-gitlab-runner/**", "**/zalenium/**"
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "fileMatch": [
+ "^.+\\/VERSION$"
+ ],
+ "matchStrings": [
+ "# renovate: datasource=(?[a-z-.]+?) depName=(?[^\\s]+?)(?: (?:lookupName|packageName)=(?[^\\s]+?))?(?: versioning=(?[^\\s]+?))?(?: extractVersion=(?[^\\s]+?))?\\s+[A-Za-z0-9_]+?_VERSION=(?.+?)?\\s"
+ ]
+ }
 ] }
diff --git a/tekton-task-images/conftest/VERSION b/tekton-task-images/conftest/VERSION
index 2d62f320e..da042cbae 100644
--- a/tekton-task-images/conftest/VERSION
+++ b/tekton-task-images/conftest/VERSION
@@ -1 +1,2 @@
-CONFTEST_VERSION=0.41.0
\ No newline at end of file
+# renovate: datasource=github-releases depName=open-policy-agent/conftest
+CONFTEST_VERSION=0.41.0
diff --git a/tekton-task-images/helm/Dockerfile b/tekton-task-images/helm/Dockerfile
index 4b39ce4a9..146590c6e 100644
--- a/tekton-task-images/helm/Dockerfile
+++ b/tekton-task-images/helm/Dockerfile
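Review bot: The helm-publish build job now carries a job-level `permissions:` block containing only `packages: write`, which overrides the workflow-level `read-all` in full and leaves `contents` (and every other scope) at `none` for the `actions/checkout` step shown in the same hunk. Add `contents: read` to the block so the checkout does not depend on anonymous access, i.e. `permissions:` / `  contents: read` / `  packages: write`. As with conftest-publish, whether `packages: write` is the right grant depends on what `secrets.REGISTRY_URI` points at, which is not visible here, and the "Convert VERSION" step that must now skip the new comment line in helm/VERSION is beyond the end of this hunk.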
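Review bot: As printed, none of the capture groups in the new `matchStrings` pattern carries a name — `(?[a-z-.]+?)`, `(?.+?)?` — which is not valid regex syntax, and Renovate's regex manager only acts on groups named `datasource`, `depName`, `packageName`, `versioning`, `extractVersion` and `currentValue`; this is most likely the `<…>` group names being stripped when the page was rendered, but it is worth confirming the committed file reads `(?<datasource>[a-z-.]+?)`, `(?<depName>[^\\s]+?)`, …, `_VERSION=(?<currentValue>.+?)?\\s`, because a pattern that does not compile means no VERSION file gets updated. Separately, `fileMatch` covers only files named `VERSION`, so the `# renovate:` annotation this same patch adds above `ARG YQ_VERSION` in `tekton-task-images/helm/Dockerfile` is not read by this manager, and the pattern's `\\s+[A-Za-z0-9_]+?_VERSION=` would not match `ARG YQ_VERSION=` anyway because of the `ARG ` prefix. If the Dockerfile is meant to be renovated too, add `"(^|/)Dockerfile$"` to `fileMatch` and a second entry such as `"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)\\s+ARG\\s+[A-Za-z0-9_]+?_VERSION=(?<currentValue>.+?)\\s"` to `matchStrings`.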
@@ -2,6 +2,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1361.1699548032@sha256:c777
 USER root
+# renovate: datasource=github-releases depName=mikefarah/yq
 ARG YQ_VERSION=4.23.1
 RUN microdnf install -y --nodocs openssl tar git findutils gzip && \
diff --git a/tekton-task-images/helm/VERSION b/tekton-task-images/helm/VERSION
index fd1a47c77..24ce87f9e 100644
--- a/tekton-task-images/helm/VERSION
+++ b/tekton-task-images/helm/VERSION
@@ -1 +1,2 @@
-HELM_VERSION=3.11.2
\ No newline at end of file
+# renovate: datasource=github-releases depName=helm/helm
+HELM_VERSION=3.11.2
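Review bot: The `# renovate: datasource=github-releases depName=mikefarah/yq` comment placed above `ARG YQ_VERSION=4.23.1` has no effect with the configuration in this patch: the custom regex manager added to renovate.json is restricted by `fileMatch` to files named `VERSION`, and its pattern expects `X_VERSION=` to follow whitespace directly, which `ARG YQ_VERSION=` does not satisfy. Unless another manager outside this diff covers Dockerfile ARGs, yq will stay pinned at 4.23.1 while helm and conftest are bumped, so either extend `fileMatch`/`matchStrings` to cover `ARG` lines or note in the comment that the annotation is not yet wired up. The `RUN` that installs the tools continues past the hunk, so how the yq release is fetched and whether it is checksum-verified after a Renovate bump cannot be judged here.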