feat: Add allowedUnsafeExecution to the global configuration #39573

mglazer · 2025-11-26T19:01:19Z

Changes

Skeleton implementation for #39458 which adds the initial types necessary to enable guarding which automatic executions can run as part of an artifact upgrade.

Context

Please select one of the following:

This closes an existing Issue, Closes: Add global self-hosting configuration, allowedUnsafeExecutions #39458
This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

No — I did not use AI for this contribution.
Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation).
Yes — other (please describe):

Documentation (please check one with an [x])

I have updated the documentation, or
No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

Code inspection only, or
Newly added/modified unit tests, or
No unit tests, but ran on a real repository, or
Both unit tests + ran on a real repository

Could not run this as this doesn't actually change any functionality yet.

lib/config/types.ts

jamietanna

We'll also need to set this as a configuration option - i.e.

renovate/lib/config/options/index.ts

Lines 3085 to 3096 in a23f6b3

    
           { 
        
             name: 'gitNoVerify', 
        
             description: 
        
               'Which Git commands will be run with the `--no-verify` option.', 
        
             type: 'array', 
        
             subType: 'string', 
        
             allowString: true, 
        
             allowedValues: ['commit', 'push'], 
        
             default: ['commit', 'push'], 
        
             stage: 'global', 
        
             globalOnly: true, 
        
           },

jamietanna · 2025-11-26T19:55:43Z

Couple of tweaks but on the right lines!

jamietanna · 2025-11-26T20:02:34Z

As a new global self-hosted configuration item, the build will also fail because we need to capture it in docs/usage/self-hosted-configuration.md

mglazer · 2025-11-26T20:09:29Z

thanks for the review @jamietanna I can get the rest done now that we're aligned on the implementation.

One question for you though: this change is not going to be backwards compatible, ie: as soon as it's released it'll break the gradlew commands that were previously running. Is that fine? Or should it always assume that the gradlewExecution command is there by default?

jamietanna · 2025-11-26T20:26:35Z

I'll take more of a look tomorrow :)

In terms of the overall implementation, I'm thinking that (IMO)

We add the new command (and don't yet wire it in anywhere)
We can then get your go:generate PR in (without it in the allowlist) so admins can start using that
We then start to retrofit the various commands, as we can

anything that's been implicitly allowed up until now would be added to the allowlist, and then in the future we'll remove them

jamietanna · 2025-11-26T20:38:16Z

Oh also, please remove the fixes ... from the commit message - we close them as part of the PR itself :)

lib/modules/manager/gradle/artifacts.ts

lib/config/types.ts

docs/usage/self-hosted-configuration.md

lib/config/options/index.ts

jamietanna · 2025-11-27T17:53:44Z

Now #39456 is merged, we can link to that from these docs, too

mglazer · 2025-11-29T15:51:18Z

Thanks for your review. Appreciate your patience as I learn your contribution expectations.

docs/usage/self-hosted-configuration.md

jamietanna · 2025-12-01T13:16:29Z

Sorry :D Should be fixed now

As part of renovatebot#39458, we want to introduce a new self-hosetd configuration item, to restrict what commands can be run as part of artifact upgrades.

jamietanna · 2025-12-01T13:35:00Z

And finally fixed 😅

github-actions · 2025-12-01T13:58:46Z

🎉 This PR is included in version 42.29.0 🎉

The release is available on:

GitHub release
42.29.0

Your semantic-release bot 📦🚀

jamietanna · 2025-12-01T17:21:19Z

@mglazer apologies, this won't quite work yet! As I found while looking at something else, you'll need to add this into lib/config/global.ts's OPTIONS array for it to work correctly - are you happy to do so, or want me to?

mglazer · 2025-12-01T19:56:38Z

ya...I found that out pretty quickly when I was testing. Updated my other PR for that, but happy to split it up into an isolated PR if you'd prefer that.

jamietanna · 2025-12-02T10:57:00Z

ya...I found that out pretty quickly when I was testing. Updated my other PR for that, but happy to split it up into an isolated PR if you'd prefer that.

Yeah if you wouldn't mind as a separate PR (with a fix PR title) then we can get that released separately (if anyone was trying to use it)

I'm working out what we need to do to make this something we can't forget to do via #39669

Missed when doing: renovatebot#39573

mglazer · 2025-12-02T13:37:00Z

#39700

fix: Add `allowedUnsafeExecutions` to GlobalConfig OPTIONS Missed when doing: #39573

mglazer mentioned this pull request Nov 26, 2025

Add global self-hosting configuration, allowedUnsafeExecutions #39458

Closed

jamietanna reviewed Nov 26, 2025

View reviewed changes

lib/config/types.ts Outdated Show resolved Hide resolved

jamietanna requested changes Nov 26, 2025

View reviewed changes

arsesito approved these changes Nov 27, 2025

View reviewed changes