Configure Renovate - autoclosed

[renovate]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 Renovate will begin keeping your dependencies up-to-date only once you merge or close this Pull Request.

---

Detected Package Files

• .devcontainer/devcontainer.json (devcontainer)
• .devcontainer/dockerfile (dockerfile)
• .github/workflows/mega-linter.yml (github-actions)

Configuration Summary

Based on the default config's presets, Renovate will:

• Start dependency updates only once this onboarding PR is merged
• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Ensure that every dependency pinned by digest and sourced from GitHub.com contains a link to the commit-to-commit diff
• Correctly link to the source code for golang.org/x packages
• Link to pkg.go.dev/... for golang.org/x packages' title

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

---

What to Expect

With your current configuration, Renovate will create 5 Pull Requests:

Update ghcr.io/devcontainers/features/terraform Docker tag to v1.4.2

• Schedule: ["at any time"]
• Branch name: renovate/ghcr.io-devcontainers-features-terraform-1.x
• Merge into: main
• Upgrade ghcr.io/devcontainers/features/terraform to 1.4.2

Update actions/checkout action to v6

• Schedule: ["at any time"]
• Branch name: renovate/actions-checkout-6.x
• Merge into: main
• Upgrade actions/checkout to v6

Update actions/upload-artifact action to v6

• Schedule: ["at any time"]
• Branch name: renovate/major-github-artifact-actions
• Merge into: main
• Upgrade actions/upload-artifact to v6

Update peter-evans/create-pull-request action to v8

• Schedule: ["at any time"]
• Branch name: renovate/peter-evans-create-pull-request-8.x
• Merge into: main
• Upgrade peter-evans/create-pull-request to v8

Update stefanzweifel/git-auto-commit-action action to v7

• Schedule: ["at any time"]
• Branch name: renovate/stefanzweifel-git-auto-commit-action-7.x
• Merge into: main
• Upgrade stefanzweifel/git-auto-commit-action to v7

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prhourlylimit for details.

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
⚠️ ACTION	actionlint	1		1	0	0.02s
✅ COPYPASTE	jscpd	yes		no	no	1.25s
⚠️ JSON	jsonlint	5		1	0	0.47s
✅ JSON	prettier	5	2	0	0	0.49s
⚠️ JSON	v8r	5		1	0	3.31s
⚠️ MARKDOWN	markdownlint	2	0	4	0	0.8s
✅ MARKDOWN	markdown-table-formatter	2	0	0	0	0.24s
⚠️ REPOSITORY	checkov	yes		1	no	20.71s
✅ REPOSITORY	devskim	yes		no	no	1.19s
✅ REPOSITORY	dustilock	yes		no	no	0.01s
✅ REPOSITORY	gitleaks	yes		no	no	0.15s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	33.68s
⚠️ REPOSITORY	kics	yes		3	no	1.55s
⚠️ REPOSITORY	kingfisher	yes		1	no	5.55s
✅ REPOSITORY	secretlint	yes		no	no	0.5s
✅ REPOSITORY	syft	yes		no	no	2.39s
✅ REPOSITORY	trivy	yes		no	no	9.7s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.3s
✅ REPOSITORY	trufflehog	yes		no	no	5.16s
⚠️ SPELL	cspell	13		39	0	5.24s
⚠️ SPELL	lychee	10		2	0	0.69s
✅ YAML	prettier	3	0	0	0	0.57s
✅ YAML	v8r	3		0	0	3.42s
✅ YAML	yamllint	3		0	0	0.51s

Detailed Issues

⚠️ ACTION / actionlint - 1 error

.github/workflows/mega-linter.yml:56:13: if: condition "${{ success() }} || ${{ failure() }}" is always evaluated to true because extra characters are around ${{ }} [if-cond]
   |
56 |         if: ${{ success() }} || ${{ failure() }}
   |             ^~~

⚠️ REPOSITORY / checkov - 1 error

github_actions scan results:

Passed checks: 35, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(MegaLinter)
	File: /.github/workflows/mega-linter.yml:25-26

⚠️ SPELL / cspell - 39 errors

lia's, australians, australian's]
.github/workflows/mega-linter.yml:86:15     - Unknown word (stefanzweifel) -- uses: stefanzweifel/git-auto-commit-action
	 Suggestions: []
.gitignore:6:4       - Unknown word (tfstate)    -- # .tfstate files
	 Suggestions: [testate, testates, state, estate, Estate]
.gitignore:7:3       - Unknown word (tfstate)    -- *.tfstate
	 Suggestions: [testate, testates, state, estate, Estate]
.gitignore:8:3       - Unknown word (tfstate)    -- *.tfstate.*
	 Suggestions: [testate, testates, state, estate, Estate]
.gitignore:14:16     - Unknown word (tfvars)     -- # Exclude all .tfvars files, which are likely
	 Suggestions: [tars, tears, tsars, tzars, tatars]
.gitignore:18:3      - Unknown word (tfvars)     -- *.tfvars
	 Suggestions: [tars, tears, tsars, tzars, tatars]
.gitignore:19:3      - Unknown word (tfvars)     -- *.tfvars.json
	 Suggestions: [tars, tears, tsars, tzars, tatars]
.gitignore:38:2      - Unknown word (terraformrc) -- .terraformrc
	 Suggestions: [terraform, terraformed, Terraform]
.gitignore:40:1      - Unknown word (avmmakefile) -- avmmakefile
	 Suggestions: [makefile]
.gitignore:42:5      - Unknown word (tflint)      -- avm.tflint.hcl
	 Suggestions: [tslint, flint, Flint, tint, taint]
.gitignore:43:5      - Unknown word (tflint)      -- avm.tflint_example.hcl
	 Suggestions: [tslint, flint, Flint, tint, taint]
.gitignore:44:5      - Unknown word (tflint)      -- avm.tflint_module.hcl
	 Suggestions: [tslint, flint, Flint, tint, taint]
.gitignore:45:5      - Unknown word (tflint)      -- avm.tflint.merged.hcl
	 Suggestions: [tslint, flint, Flint, tint, taint]
.gitignore:46:5      - Unknown word (tflint)      -- avm.tflint_example.merged.hcl
	 Suggestions: [tslint, flint, Flint, tint, taint]
.pre-commit-config.yaml:20:23     - Unknown word (tflint)     -- - id: terraform_tflint
	 Suggestions: [tslint, flint, Flint, tint, taint]
.pre-commit-config.yaml:27:13     - Unknown word (tfupdate)   -- - id: tfupdate
	 Suggestions: [update, tubate, template, tinplate, toeplate]
.vscode/launch.json:6:16      - Unknown word (coreclr)    -- "type": "coreclr",
	 Suggestions: [coercer, corer, coracle, corelli, Corelli]
.vscode/launch.json:18:10     - Unknown word (ASPNETCORE) -- "ASPNETCORE_ENVIRONMENT": "Development
	 Suggestions: []
.vscode/launch.json:26:16     - Unknown word (coreclr)    -- "type": "coreclr",
	 Suggestions: [coercer, corer, coracle, corelli, Corelli]
.vscode/settings.json:3:6       - Unknown word (chatmodes)  -- "chatmodes": true
	 Suggestions: [cathodes, camoes, cathode, chamade, chamois]
.vscode/settings.json:20:11     - Unknown word (chatmode)   -- // "*.chatmode.md": "markdown",
	 Suggestions: [cathode, chamade, champed, charmed, chasmed]
.vscode/tasks.json:12:11     - Unknown word (consoleloggerparameters) -- "/consoleloggerparameters:NoSummary;ForceNoAlign
	 Suggestions: []
.vscode/tasks.json:24:11     - Unknown word (consoleloggerparameters) -- "/consoleloggerparameters:NoSummary;ForceNoAlign
	 Suggestions: []
.vscode/tasks.json:40:17     - Unknown word (codespaceiaccoding)      -- "tag": "codespaceiaccoding:dev",
	 Suggestions: []
.vscode/tasks.json:55:17     - Unknown word (codespaceiaccoding)      -- "tag": "codespaceiaccoding:latest",
	 Suggestions: []
CSpell: Files checked: 13, Issues found: 39 in 8 files.


You can skip this misspellings by defining the following .cspell.json file at the root of your repository
Of course, please correct real typos before :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "ASPNETCORE",
        "Benais",
        "Buildx",
        "australiaeast",
        "avmmakefile",
        "azurebicep",
        "azurecontainerapps",
        "azureresourcegroups",
        "chatmode",
        "chatmodes",
        "codespaceiaccoding",
        "consoleloggerparameters",
        "coreclr",
        "csdevkit",
        "dotnettools",
        "formulahendry",
        "moby",
        "newzealandnorth",
        "prulloac",
        "rchaganti",
        "stefanzweifel",
        "terraformrc",
        "tflint",
        "tfstate",
        "tfupdate",
        "tfvars"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository

(Truncated to last 4444 characters out of 6420)

⚠️ JSON / jsonlint - 1 error

File: .vscode/settings.json
Parse error on line 21, column 3:
...": [    100  ],  // "files.associatio...
--------------------^
Unexpected token "/"

⚠️ REPOSITORY / kics - 3 errors

MLLLLLM             MLLLLLLLLL   LLLLLLL             KLLLLLLLLLLLLLLLL       LLLLLLLLLLLLLLLLLLLLLLL 
   MMMMMMM           MMMMMMMMMML    MMMMMMMK       LMMMMMMMMMMMMMMMMMMMML   KLMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.19





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 3
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/mega-linter.yml:44

		043:         # More info at https://megalinter.io/flavors/
		044:         uses: oxsecurity/megalinter@beta
		045:         env:


	[2]: .github/workflows/mega-linter.yml:68

		067:         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_n
		068:         uses: peter-evans/create-pull-request@v7
		069:         with:


	[3]: .github/workflows/mega-linter.yml:86

		085:         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.
		086:         uses: stefanzweifel/git-auto-commit-action@v6
		087:         with:



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 3
INFO: 0
TOTAL: 3

⚠️ REPOSITORY / kingfisher - 1 error

New Kingfisher release 1.76.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 403 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
GITHUB APP SERVER-TO-SERVER TOKEN => [KINGFISHER.GITHUB.5]
 |Finding.......: [REDACTED:925102a9]
 |Encoding......: base64
 |Fingerprint...: 7250439872774470564
 |Confidence....: medium
 |Entropy.......: 4.51
 |Validation....: Inactive Credential
 |__Response....: {
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/users/users#get-the-authenticated-user",
  "status": "403"
}

 |Language......: Unknown
 |Line Num......: 12
 |Path..........: ./.git/config


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 1
 |Rules Applied...............: 403
 |__Blobs Scanned.............: 84
 |Bytes Scanned...............: 226.76 KiB
 |Scan Duration...............: 172ms 41us 116ns
 |Scan Date...................: 2026-01-26 03:08:49 +00:00
 |Kingfisher Version..........: 1.73.0
 |__Latest Version............: 1.76.0
New Kingfisher release 1.76.0 available

⚠️ SPELL / lychee - 2 errors

[404] https://megalinter.io/configuration/ | Network error: Not Found
[404] https://megalinter.io/flavors/ | Network error: Not Found
📝 Summary
---------------------
🔍 Total...........13
✅ Successful......10
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........2

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/configuration/ | Network error: Not Found
[404] https://megalinter.io/flavors/ | Network error: Not Found

⚠️ MARKDOWN / markdownlint - 4 errors

.github/copilot-instructions.md:1:401 error MD013/line-length Line length [Expected: 400; Actual: 623]
.github/copilot-instructions.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "Provide comprehensive guidance..."]
.github/copilot-instructions.md:3:401 error MD013/line-length Line length [Expected: 400; Actual: 534]
.github/copilot-instructions.md:12:401 error MD013/line-length Line length [Expected: 400; Actual: 477]

⚠️ JSON / v8r - 1 error

ℹ No config file found
ℹ Pre-warming the cache
ℹ Processing .devcontainer/devcontainer.json
ℹ Found schema in https://www.schemastore.org/api/json/catalog.json ...
ℹ Validating .devcontainer/devcontainer.json against schema from https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json ...
✖ Expected property name or '}' in JSON at position 4 (line 2 column 3)

ℹ Processing .vscode/launch.json
✖ Could not find a schema to validate .vscode/launch.json

ℹ Processing .vscode/settings.json
✖ Could not find a schema to validate .vscode/settings.json

ℹ Processing .vscode/tasks.json
ℹ Found schema in https://www.schemastore.org/api/json/catalog.json ...
ℹ Validating .vscode/tasks.json against schema from https://www.schemastore.org/task.json ...
✖ .vscode/tasks.json is invalid

.vscode/tasks.json#/tasks/3/type must be equal to one of the allowed values
.vscode/tasks.json#/tasks/4/type must be equal to one of the allowed values
.vscode/tasks.json#/tasks/5/type must be equal to one of the allowed values
.vscode/tasks.json#/tasks/6/type must be equal to one of the allowed values

ℹ Processing renovate.json
ℹ Found multiple possible matches for renovate.json. Possible matches:

  Renovate (39)
  Renovate configuration file. Documentation: https://docs.renovatebot.com/configuration-options
  https://www.schemastore.org/renovate-39.json

  Renovate (40)
  Renovate configuration file. Documentation: https://docs.renovatebot.com/configuration-options
  https://www.schemastore.org/renovate-40.json

  Renovate (41)
  Renovate configuration file. Documentation: https://docs.renovatebot.com/configuration-options
  https://www.schemastore.org/renovate-41.json

✖ Found multiple possible schemas to validate renovate.json

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DEVSKIM,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository