This workflow was used in an early stage of development of HedgeDoc 2.
It allowed the core developers to quickly check fixes, improvements or
new features to the HedgeDoc UI without the requirement to check-out
the branch locally. As not every pull request required a deployment,
this workflow was only triggered when the "ci: force deployment"
label was added. Since some time already, the frontend and backend
are so tightly coupled that the netfliy deployment doesn't make any
sense anymore and therefore hasn't been used anymore. This commit
therefore removes this leftover workflow.
@RedYetiDev contacted us privately and reported that this deployment
workflow could have been abused to invoke arbitrary commands, including
extraction of environment variables which include our tokens for the
turborepo build cache or the netlify deployment token. For this it
would have been required that somebody created a "safe" pull request,
which would have been labelled with the deployment label and then
changed afterwards since the workflow checks out the pull request
source repository, not the target. We assured that the label was only
added to pull requests from trusted members of the HedgeDoc core team.
There was never any malicious use of the workflow. Furthermore, no
released versions of HedgeDoc (1.x) could have been affected by this,
even in the worst-case scenario.
We're thankful for putting this risk at our attention!
If you too encounter something unusual regarding security in HedgeDoc
itself or our toolchain around it, don't hesitate to contact us.
Details on this are wriiten in our SECURITY.md in the root of the
repository.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Currently renovatebot only cares about the default branch, which is
currently develop. In order to keep everything up-to-date we should
configure it, to also make sure that the master branch for 1.x will be
updated.
Therefore this patch adds the `baseBranches` config option, which allows
to define an array of branches to update.
Reference:
https://docs.renovatebot.com/configuration-options/#basebranches
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit
- removes `group:nextjsMonorepo` as that is already included in `config:base` via `group:monorepos`
- disables the hourly PR creation limit
- enables the dependency dashboard
- enables automatic rebasing when the base branch updates
Signed-off-by: David Mehren <git@herrmehren.de>
renovate[bot]
Erik Michelson
Tilman Vatteroth
David Mehren
Philip Molares
Sheogorath
Tilman Vatteroth
Renovate Bot