Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2026-06-01 22:50:26 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: add 5-day dependency cooling period for supply-chain hardening (#7718)

Browse Source
This commit is contained in:
Hayden
2026-05-31 10:55:15 -05:00
committed by GitHub
parent e1ddc06eff
commit 3bde6df958
7 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/docs.yml vendored
View File

@@ -20,6 +20,10 @@ concurrency:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
# Install from the committed lockfile; never re-resolve (see pyproject
# [tool.uv] exclude-newer cooling window).
UV_FROZEN: "1"
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6

4
.github/workflows/locale-sync.yml vendored
View File

@@ -14,6 +14,10 @@ permissions:
jobs: jobs:
sync-locales: sync-locales:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
# Install from the committed lockfile; never re-resolve (see pyproject
# [tool.uv] exclude-newer cooling window).
UV_FROZEN: "1"
steps: steps:
- name: Generate GitHub App Token - name: Generate GitHub App Token
id: app-token id: app-token

4
.github/workflows/test-backend.yml vendored
View File

@@ -13,6 +13,10 @@ jobs:
env: env:
PRODUCTION: false PRODUCTION: false
# Install from the committed lockfile; never re-resolve. The rolling
# `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
# every uv command re-resolve and fail on in-window pins.
UV_FROZEN: "1"
strategy: strategy:
fail-fast: true fail-fast: true

4
Taskfile.yml
View File

@@ -7,6 +7,10 @@ env:
DEFAULT_GROUP: Home DEFAULT_GROUP: Home
DEFAULT_HOUSEHOLD: Family DEFAULT_HOUSEHOLD: Family
PRODUCTION: false PRODUCTION: false
# Install from the committed lockfile; never re-resolve. Required because the
# rolling `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise
# make every `uv run`/`uv sync` re-resolve and fail on in-window pins.
UV_FROZEN: "1"
API_PORT: 9000 API_PORT: 9000
API_DOCS: True API_DOCS: True
TOKEN_TIME: 256 # hours TOKEN_TIME: 256 # hours

5
docker/Dockerfile
View File

@@ -52,6 +52,11 @@ RUN apt-get update \
RUN pip install uv RUN pip install uv
# Install from the committed lockfile; never re-resolve. The rolling
# `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
# `uv export` below re-resolve and fail on in-window pins.
ENV UV_FROZEN=1
WORKDIR /mealie WORKDIR /mealie
# copy project files here to ensure they will be cached. # copy project files here to ensure they will be cached.

4
pyproject.toml
View File

@@ -178,3 +178,7 @@ max-complexity = 24 # Default is 10.
[tool.uv] [tool.uv]
add-bounds = "exact" add-bounds = "exact"
# Cooling period: ignore package releases newer than 5 days to mitigate
# supply-chain attacks (compromised releases are usually caught and yanked
# within days). Evaluated at resolve time as a rolling window.
exclude-newer = "5 days"

8
renovate.json
View File

@@ -12,6 +12,8 @@
"extends": [ "extends": [
"config:recommended" "config:recommended"
], ],
"minimumReleaseAge": "5 days",
"internalChecksFilter": "strict",
"addLabels": [ "addLabels": [
"dependencies" "dependencies"
], ],
@@ -51,8 +53,7 @@
], ],
"automerge": true, "automerge": true,
"automergeType": "pr", "automergeType": "pr",
"automergeStrategy": "squash", "automergeStrategy": "squash"
"minimumReleaseAge": "5 days"
}, },
{ {
"description": "Auto-merge Docker digest and patch updates", "description": "Auto-merge Docker digest and patch updates",
@@ -66,8 +67,7 @@
], ],
"automerge": true, "automerge": true,
"automergeType": "pr", "automergeType": "pr",
"automergeStrategy": "squash", "automergeStrategy": "squash"
"minimumReleaseAge": "5 days"
} }
] ]
} }