
feat(checkov): vendor checkov-action locally so renovate can manage the version #153

Merged
sydorovdmytro merged 3 commits into main from vendor-checkov-action on Jun 11, 2026

Conversation

@sydorovdmytro


Why

The upstream bridgecrewio/checkov-action publishes a very large number of git tags, which prevents Renovate from enumerating its releases — so the action never gets bumped.

What

Vendor the upstream action verbatim into .github/actions/checkov/ and pin the checkov Docker image directly (docker://ghcr.io/bridgecrewio/checkov:3.3.0). Renovate's built-in github-actions manager updates runs.image, which tracks clean semver image tags instead of the action repo's tag flood.

  • .github/actions/checkov/action.yml — upstream action copied verbatim (same inputs, outputs, args, env, behavior); added a header comment explaining the vendoring
  • .github/actions/checkov/LICENSE + NOTICE — upstream is Apache-2.0; carries attribution and the rationale for the local copy
  • README.md — new Checkov section with usage and migration notes

Notes

  • This is a Docker action with no shell logic, so it needs no Makefile target or bats suite (same as the yaml-only actions). zizmor reports no findings; the file is valid YAML.
  • Image is pinned by tag (not digest) intentionally, so Renovate can manage it the way upstream ships it.

Follow-ups (not in this PR)

  • Tag the release: git tag checkov/v1 && git push origin checkov/v1
  • Migrate callers (loft-enterprise, etc.) from bridgecrewio/checkov-action@... to loft-sh/github-actions/.github/actions/checkov@checkov/v1 — inputs are identical, only the uses: line changes.

…he version

The upstream bridgecrewio/checkov-action publishes too many git tags for
Renovate to enumerate releases, so it never gets bumped. Vendor the action
verbatim (Apache-2.0) and pin the checkov Docker image directly; Renovate's
built-in github-actions manager keeps it current via the runs.image reference.

- add .github/actions/checkov (action.yml, LICENSE, NOTICE)
- document the action and migration in README

check-docs requires every action to ship a README.md with AUTO-DOC markers;
generate the input/output tables from action.yml.

Apache-2.0 section 4(b) requires modified files to carry a prominent notice
stating they were changed. Spell out the vendoring and that only a header
comment was added (no behavior change).

@sydorovdmytro sydorovdmytro merged commit 4885557 into main Jun 11, 2026
4 checks passed
@sydorovdmytro sydorovdmytro deleted the vendor-checkov-action branch June 11, 2026 08:21