Welcome to [Renovate](https://github.com/renovatebot/renovate)! This is an onboarding MR to help you understand and configure settings before regular Merge Requests begin.

 To activate Renovate, merge this Merge Request. To disable Renovate, simply close this Merge Request unmerged.



---
### Detected Package Files

 * `docker-compose.yml` (docker-compose)
 * `Dockerfile` (dockerfile)
 * `.gitlab-ci.yml` (gitlabci-include)
 * `src/go.mod` (gomod)

### Configuration Summary

Based on the default config's presets, Renovate will:

  - Start dependency updates only once this onboarding MR is merged
  - Update `_VERSION` variables in Dockerfiles.

 Do you want to change how Renovate upgrades your dependencies? Add your custom config to `renovate.json` in this branch. Renovate will update the Merge Request description the next time it runs.

---

### What to Expect

With your current configuration, Renovate will create 3 Merge Requests:

<details>
<summary>deps: update module github.com/spf13/cobra to v1.8.1</summary>

  - Schedule: ["at any time"]
  - Branch name: `renovate/github.com-spf13-cobra-1.x`
  - Merge into: `master`
  - Upgrade [github.com/spf13/cobra](https://github.com/spf13/cobra) to `v1.8.1`


</details>

<details>
<summary>deps: update module gitlab.alpinelinux.org/alpine/go to v0.10.1</summary>

  - Schedule: ["at any time"]
  - Branch name: `renovate/gitlab.alpinelinux.org-alpine-go-0.x`
  - Merge into: `master`
  - Upgrade [gitlab.alpinelinux.org/alpine/go](https://gitlab.alpinelinux.org/alpine/go) to `v0.10.1`


</details>

<details>
<summary>deps: update module gopkg.in/yaml.v2 to v3</summary>

  - Schedule: ["at any time"]
  - Branch name: `renovate/gopkg.in-yaml.v2-3.x`
  - Merge into: `master`
  - Upgrade [gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) to `v3.0.1`


</details>



 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for `prhourlylimit` for details.


---

 Got questions? Check out Renovate's [Docs](https://docs.renovatebot.com/), particularly the Getting Started section.
If you need any further assistance then you can also [request help here](https://github.com/renovatebot/renovate/discussions).


---

&nbsp;

<!--renovate-config-hash:ff64aa778899e483ef52ec365e2151d7450b6f16b3a36300dfca1766da8654ea-->

See merge request !10

The format of the secfixes entrie was defined by the secfixes package
from aports-go, which changed in 0.6.0.

Instead of letting the upstream package determine the format, keep the
format entirely local so that it's not affected by upstream changes.

See merge request !8

The format of the secfixes entrie was defined by the secfixes package
from aports-go, which changed in 0.6.0.

Instead of letting the upstream package determine the format, keep the
format entirely local so that it's not affected by upstream changes.

Various updates

See merge request !7

Doesn't make sense to include into the license, it's just explains how
to use the license.

- ALPINE-NNNNN
- TS-NNNN-NNN
- ZSA-NNNN-NN
- VSVNNNNNN

This is no longer necessary, the compose specification is versionless.

They are not used anymore.

To make it easier to find, provide the line number in the file where the
issue occurred.

generate_secdb: prune on fetch

See merge request !6

without pruning, refs could be removed and a fetch in the future would
print spurious warnings about them not being present. there should be no
harm in cleaning them up via prune first.

To match the new CLI structure, adjust the invocation to match it.

This will report invalid secfix entries, either because the version is
incorrect, or the vulnerability identifier is incorrect.

cobra is more flexible than the default flags package, and you can use
it to easily implement subcommands.

The goal of nq was to make sure only one instance of the update script
was running. The problem is that nq does not write the log output to
stdout, but rather to dedicated files. This makes it harder to see the
output with docker(-compose) logs.

Use `flock`, which is meant for these scenarios and provides the output
of the script to stdout.

This makes it possible to monitor that the secdb is still updated.

The licence is installed to `/var/www/html`. When html does not exist yet,
the file will actually end up as `html` in the `/var/www` directory, due
to the missing '/' at the end.

See merge request alpine/infra/docker/secdb!5

we determined the secdb will be licensed under CC-BY-SA licensing
terms last week in #alpine-security IRC.

This implementation does not suffer from the issue that lua has, where it
cannot distinguish from an empty list and an empty array, without having to
resort to post processing to fix issues.

See merge request alpine/infra/docker/secdb!4

Things like traefik, and the webnetwork are production settings. Put
those settings in a separate file that can be symlinked to
`docker-compose.override.yml` on the production host.

Build the go secdb application and adopt generate_secdb.sh to run it.

Lua has just a single structure, namely a table, which is used for both
lists and maps. This poses a problem when a list is empty, because it's
not able to distinguish between the 2, and will default to a map.

This implementation:

* Defines the exact structure
* Writes out json and yaml at the same time
* Fetches release, instead of statically defining it in-line

And because it's statically built, has no dependencies except musl.

See: alpine/infra/docker/secdb#2

Add 3.13 support

See merge request alpine/infra/docker/secdb!3