From ee3cdc63f105a9421579a9829b4b4f86d137658e Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard <gandalf@privilegedescalation.com>
Date: Sun, 22 Mar 2026 07:50:37 +0000
Subject: [PATCH] chore(renovate): add pinDigests for GitHub Actions SHA
 pinning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds pinDigests: true so Renovate pins all GitHub Actions references to
full commit SHAs for supply-chain hardening. This repo extends
config:recommended directly, so pinDigests must be set here explicitly —
the org-level config alone is not sufficient.

Recreated from main after closing stale PR #23 (branch was created before
the dual-approval PR #22 landed).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json b/renovate.json
index 9ca1ba1..77ee41c 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:recommended"],
+  "pinDigests": true,
   "baseBranches": ["main"],
   "schedule": ["every weekend"],
   "prConcurrentLimit": 10,
-- 
2.52.0