Getting Renovate to provide a changelog for digest updates to packages (on GitHub.com)
When using Renovate to update digests of packages on GitHub, you'll notice that you'll see a PR with a header like:
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-go | action | digest | 0aaccfd -> d35c59a |
This is already useful, but can be a little awkward as you probably want to go and check in on what's changed between those commits, both for general curiosity to find out what's changed, but also in case there may be anything malicious being injected.
As part of Renovate 39.246.0, this is now possible to do by crafting a templated changelogUrl, which allows us to write config such as:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": "Ensure any digest-pinned, GitHub-sourced, dependencies creates a link to the diff between the two commits",
"matchSourceUrls": [
"https://github.com/**/*"
],
"matchUpdateTypes": [
"digest"
],
"changelogUrl": "{{sourceUrl}}/compare/{{currentDigest}}..{{newDigest}}"
}
]
}
(Note that we're using the minimatch style glob matching, which means that we need to use **/* to match against the full URL)
With this in place, we then see a PR header such as:
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-go (changelog) | action | digest | 0aaccfd -> d35c59a |
(Notice the new "changelog" note)
You can see this in effect in this PR.
This could also be extended to support other source code forges, as long as you know how to get a comparison between commits!
