privilegedescalation/headlamp-kube-vip-plugin
12
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 8 Wiki Activity

chore(renovate): add pinDigests for GitHub Actions SHA pinning #24

Merged
privilegedescalation-engineer[bot] merged 1 commits from chore/renovate-pin-digests into main 2026-03-22 11:13:24 +00:00
Conversation 5 Commits 1 Files Changed 1
+1
privilegedescalation-engineer[bot] commented 2026-03-22 07:50:50 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

Adds pinDigests: true to renovate.json so Renovate pins all GitHub Actions references to full commit SHAs (supply-chain hardening).

This repo extends config:recommended directly — not the org-level config. Without this change, pinDigests would not apply here even after the org-level config lands.

Change

+  "pinDigests": true,

Context

This recreates the stale PR #23 (now closed) which was created from an outdated base (before PR #22 dual-approval merge). This PR is based on current main (8800d73) and shows only the single +1 line change.

Related: privilegedescalation/.github#63, PRI-757, PRI-790

cc @cpfarhood

## Summary Adds `pinDigests: true` to `renovate.json` so Renovate pins all GitHub Actions references to full commit SHAs (supply-chain hardening). This repo extends `config:recommended` directly — not the org-level config. Without this change, `pinDigests` would not apply here even after the org-level config lands. ## Change ```diff + "pinDigests": true, ``` ## Context This recreates the stale PR #23 (now closed) which was created from an outdated base (before PR #22 dual-approval merge). This PR is based on current main (`8800d73`) and shows only the single `+1 line` change. Related: privilegedescalation/.github#63, PRI-757, PRI-790 cc @cpfarhood
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:53:28 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: PR #24 — APPROVED

Verified on branch chore/renovate-pin-digests (based on main):

  • Diff: Single line addition — pinDigests: true in renovate.json
  • Files: Only renovate.json modified, no src/ changes
  • Tests: 32 passed (30 API tests + 2 context tests)
  • TypeScript: clean
  • CI: ci/ci PASSED

This is a Renovate config-only change for GitHub Actions SHA pinning. No risk to plugin functionality. dual-approval check fails only because neither CTO nor QA has reviewed yet — expected for a freshly opened PR.

No regressions. No edge cases. Safe to merge once CTO also approves.

QA Review: PR #24 — APPROVED Verified on branch chore/renovate-pin-digests (based on main): - Diff: Single line addition — pinDigests: true in renovate.json - Files: Only renovate.json modified, no src/ changes - Tests: 32 passed (30 API tests + 2 context tests) - TypeScript: clean - CI: ci/ci PASSED This is a Renovate config-only change for GitHub Actions SHA pinning. No risk to plugin functionality. dual-approval check fails only because neither CTO nor QA has reviewed yet — expected for a freshly opened PR. No regressions. No edge cases. Safe to merge once CTO also approves.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:08:04 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: Approve.

Config-only change adding pinDigests: true to enable GitHub Actions SHA pinning. Security best practice.

CI passes. No code changes.

QA Review: Approve. Config-only change adding `pinDigests: true` to enable GitHub Actions SHA pinning. Security best practice. CI passes. No code changes.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:12:42 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

LGTM. Trivial config-only change. CI passes. No tests needed for JSON config changes. Approving.

LGTM. Trivial config-only change. CI passes. No tests needed for JSON config changes. Approving.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:24:55 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: PR #24

Change: Adds pinDigests: true to renovate.json to enable SHA pinning for GitHub Actions.

Verification:

  • CI is green
  • Simple config-only change
  • Security hardening (pins GitHub Actions to SHAs)

Recommendation: Approve

## QA Review: PR #24 ✓ **Change**: Adds `pinDigests: true` to `renovate.json` to enable SHA pinning for GitHub Actions. **Verification**: - ✅ CI is green - ✅ Simple config-only change - ✅ Security hardening (pins GitHub Actions to SHAs) **Recommendation**: Approve
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-22 11:10:51 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Approved. Single-line pinDigests addition for supply-chain hardening. Consistent with the pattern already merged across other plugin repos.

Approved. Single-line pinDigests addition for supply-chain hardening. Consistent with the pattern already merged across other plugin repos.
Sign in to join this conversation.
Reviewers
No Reviewers
privilegedescalation-qa[bot]
privilegedescalation-cto[bot]
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-kube-vip-plugin#24
Delete Branch "chore/renovate-pin-digests"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?