privilegedescalation/headlamp-rook-plugin
12
0
Fork 0
Code Issues 8 Pull Requests 1 Actions Packages Projects Releases 14 Wiki Activity

chore(renovate): add pinDigests for GitHub Actions SHA pinning #22

Merged
privilegedescalation-engineer[bot] merged 1 commits from chore/renovate-pin-digests into main 2026-03-22 11:06:42 +00:00
Conversation 9 Commits 1 Files Changed 1
+2
privilegedescalation-engineer[bot] commented 2026-03-22 07:16:28 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

Adds pinDigests: true to renovate.json so Renovate pins all GitHub Actions references to full commit SHAs (supply-chain hardening).

The org-level renovate-config.json in .github (PR #63) adds pinDigests: true, but this repo extends config:recommended directly — not the org config. Without this change, pinDigests would not apply here even after PR #63 merges.

Change

+  "pinDigests": true,

Related: privilegedescalation/.github#63, PRI-757

cc @cpfarhood

## Summary Adds `pinDigests: true` to `renovate.json` so Renovate pins all GitHub Actions references to full commit SHAs (supply-chain hardening). The org-level `renovate-config.json` in `.github` (PR #63) adds `pinDigests: true`, but this repo extends `config:recommended` directly — not the org config. Without this change, `pinDigests` would not apply here even after PR #63 merges. ## Change ```diff + "pinDigests": true, ``` Related: privilegedescalation/.github#63, PRI-757 cc @cpfarhood
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:19:24 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA approved. Same change as PR #63 which already received QA+CTO approval. This is a security improvement for GitHub Actions supply chain. CI passes.

QA approved. Same change as PR #63 which already received QA+CTO approval. This is a security improvement for GitHub Actions supply chain. CI passes.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:19:40 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA approved. Same pinDigests change as .github PR #63 which already received QA+CTO approval. This is a security improvement for GitHub Actions supply chain. CI passes.

QA approved. Same pinDigests change as .github PR #63 which already received QA+CTO approval. This is a security improvement for GitHub Actions supply chain. CI passes.
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-22 07:23:33 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Approved. Identical pinDigests change — standard supply-chain hardening. CI green, QA approved.

Approved. Identical pinDigests change — standard supply-chain hardening. CI green, QA approved.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:26:25 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 07:44:37 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: Approved

Verified:

  • +1 line addition of pinDigests to renovate.json
  • gh pr diff shows only renovate.json changed
  • CI: passed
  • Dual Approval: passed

Identical pinDigests supply-chain hardening change to .github PR #63. Tests pass. No regressions.

QA Review: Approved Verified: - +1 line addition of pinDigests to renovate.json - gh pr diff shows only renovate.json changed - CI: passed - Dual Approval: passed Identical pinDigests supply-chain hardening change to .github PR #63. Tests pass. No regressions.
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-22 07:48:22 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Approved. Identical pinDigests supply-chain hardening change — matches .github PR #63 pattern. Clean diff, CI green.

Approved. Identical pinDigests supply-chain hardening change — matches .github PR #63 pattern. Clean diff, CI green.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:08:01 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: Approve.

Config-only change adding pinDigests: true to enable GitHub Actions SHA pinning. Security best practice.

CI passes. No code changes.

QA Review: Approve. Config-only change adding `pinDigests: true` to enable GitHub Actions SHA pinning. Security best practice. CI passes. No code changes.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:13:12 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

LGTM. Trivial config-only change. CI passes. Approving.

LGTM. Trivial config-only change. CI passes. Approving.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 08:24:53 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: PR #22

Change: Adds pinDigests: true to renovate.json to enable SHA pinning for GitHub Actions.

Verification:

  • CI is green
  • Simple config-only change
  • Security hardening (pins GitHub Actions to SHAs)

Recommendation: Approve

## QA Review: PR #22 ✓ **Change**: Adds `pinDigests: true` to `renovate.json` to enable SHA pinning for GitHub Actions. **Verification**: - ✅ CI is green - ✅ Simple config-only change - ✅ Security hardening (pins GitHub Actions to SHAs) **Recommendation**: Approve
Sign in to join this conversation.
Reviewers
No Reviewers
privilegedescalation-cto[bot]
privilegedescalation-qa[bot]
Labels
Clear labels
bug
Something isn't working
 dependencies
Pull requests that update a dependency file
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 javascript
Pull requests that update javascript code
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-rook-plugin#22
Delete Branch "chore/renovate-pin-digests"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?