From 7ad3069235a1156c62d891559a59bec274d8d978 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 11:13:23 +0000
Subject: [PATCH] chore(renovate): add pinDigests for GitHub Actions SHA pinning (#24)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds pinDigests: true so Renovate pins all GitHub Actions references to full commit SHAs for supply-chain hardening. This repo extends config:recommended directly, so pinDigests must be set here explicitly — the org-level config alone is not sufficient. Recreated from main after closing stale PR #23 (branch was created before the dual-approval PR #22 landed).
Co-authored-by: Gandalf the Greybeard
Co-authored-by: Paperclip
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/renovate.json b/renovate.json
index 9ca1ba1..77ee41c 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,7 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": ["config:recommended"],
+ "pinDigests": true,
 "baseBranches": ["main"],
 "schedule": ["every weekend"],
 "prConcurrentLimit": 10,
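Review bot: The top-level `"pinDigests": true` added after `"extends"` is broader than the commit message's stated goal, because at the root of the config it applies to every manager that supports digests (Docker image references as well as workflow `uses:` lines), not only GitHub Actions. If only Actions pinning is intended, scope it with a rule such as `{ "matchManagers": ["github-actions"], "pinDigests": true }` under `packageRules`, or use the built-in preset: `"extends": ["config:recommended", "helpers:pinGitHubActionDigests"]`. If repo-wide digest pinning is intended, the commit message should say so, since reviewers will otherwise be surprised by digest-pin PRs for container images. The rest of renovate.json lies outside this hunk, so an existing `packageRules` entry may already narrow or override the setting; that is worth confirming before merge.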