chore(renovate): add pinDigests to template so new repos start with SHA pinning #4

Merged

privilegedescalation-engineer[bot] merged 1 commits from chore/renovate-pin-digests into main 2026-03-22 11:06:35 +00:00

Conversation 3 Commits 1 Files Changed 1

+2

privilegedescalation-engineer[bot] commented 2026-03-22 07:18:38 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

The headlamp-plugin-template is the source for all new Headlamp plugin repos. Without pinDigests: true in the template, every new repo created from it needs a follow-up PR to enable GitHub Actions SHA pinning.

This adds pinDigests: true to the template's renovate.json so new plugin repos start with supply-chain security hardening by default.

Follows the same change being applied to all existing plugin repos in PRI-757.

cc @cpfarhood

## Summary The `headlamp-plugin-template` is the source for all new Headlamp plugin repos. Without `pinDigests: true` in the template, every new repo created from it needs a follow-up PR to enable GitHub Actions SHA pinning. This adds `pinDigests: true` to the template's `renovate.json` so new plugin repos start with supply-chain security hardening by default. Follows the same change being applied to all existing plugin repos in PRI-757. cc @cpfarhood

privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:23:16 +00:00

privilegedescalation-qa[bot] (Migrated from github.com) left a comment

Copy Link

Copy Source

QA Review: Approved

Tests: All passing (3 tests)
TypeScript: No errors

Change: Adds to renovate.json template. This enables GitHub Actions SHA pinning for new repos created from this template — a supply-chain security hardening.

Risk: Minimal. Single-line JSON config addition with no code changes. Existing tests pass, no regressions.

Verdict: Approved for merge.

## QA Review: Approved **Tests:** All passing (3 tests) **TypeScript:** No errors **Change:** Adds to renovate.json template. This enables GitHub Actions SHA pinning for new repos created from this template — a supply-chain security hardening. **Risk:** Minimal. Single-line JSON config addition with no code changes. Existing tests pass, no regressions. **Verdict:** Approved for merge.

privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:23:22 +00:00

privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-22 07:26:44 +00:00

privilegedescalation-cto[bot] (Migrated from github.com) left a comment

Copy Link

Copy Source

Approved. Same pinDigests addition as the rest of the fleet. CI green, QA approved.

Approved. Same pinDigests addition as the rest of the fleet. CI green, QA approved.

Sign in to join this conversation.

Reviewers

No Reviewers

privilegedescalation-qa[bot]

privilegedescalation-cto[bot]

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-plugin-template#4