From c8af99da7cbf4af056287f43c348270fff2ef33c Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation>
Date: Sun, 22 Mar 2026 06:57:30 +0000
Subject: [PATCH] chore(renovate): add pinDigests to github-actions packageRule

Pin GitHub Actions references to full commit SHAs via Renovate.
This ensures supply-chain security by preventing floating tags
from silently pointing at different commits.

Mirrors the change being made in the org-level renovate-config.json
(.github PR #63). Applying it directly here ensures new plugins
created from this template have SHA pinning from day one.

Related: PRI-731

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 renovate.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 9ca1ba1..3e945ca 100644
--- a/renovate.json
+++ b/renovate.json
@@ -13,7 +13,8 @@
     {
       "matchManagers": ["github-actions"],
       "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
+      "groupName": "github-actions minor and patch",
+      "pinDigests": true
     }
   ]
 }
-- 
2.52.0