From 7d5c6d67d61e3c7abecea465a19f193b19e78e1c Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sun, 22 Mar 2026 06:38:02 +0000
Subject: [PATCH] chore(renovate): enable pinDigests for GitHub Actions SHA pinning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds `pinDigests: true` to the org-wide Renovate config. Renovate will now automatically pin all GitHub Actions references to full commit SHAs and keep them updated via weekly PRs. This implements the supply-chain hardening goal from PRI-731 without requiring a one-time manual SHA substitution that would quickly become stale. Renovate handles pin creation and ongoing updates, eliminating the toil. The github-actions packageRule is preserved — Renovate will still group minor/patch action tag updates, and each group PR will include the corresponding SHA pins.

Co-Authored-By: Paperclip
---
 renovate-config.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate-config.json b/renovate-config.json
index 19bf94c..7e4a7f1 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -4,6 +4,7 @@
 "baseBranches": ["main"],
 "schedule": ["every weekend"],
 "prConcurrentLimit": 5,
+ "pinDigests": true,
 "packageRules": [
 {
 "matchManagers": ["npm"],
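Review bot: The new top-level `"pinDigests": true` is not scoped to GitHub Actions, although the commit message presents it as an Actions-only change; as I understand Renovate's option, a top-level `pinDigests` also adds digests to Docker image references (Dockerfiles, compose files, Kubernetes/Helm manifests) in every repository that extends this org-wide config, so those repos would start receiving pin PRs the message does not mention. If Actions are the only intended target, put the setting in a rule next to the existing ones, e.g. `{ "matchManagers": ["github-actions"], "pinDigests": true }`; if Docker digest pinning is also wanted, state that in the description so consuming repos expect it. The github-actions packageRule the message says is preserved, and the remainder of `packageRules`, lie outside this hunk, so I cannot confirm that rule does not already set or override `pinDigests` for Actions. Since this is strict JSON with no room for an inline rationale, a pointer to PRI-731 in the repository README would help the next maintainer understand why digest pinning is on org-wide.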