privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

chore(renovate): enable pinDigests for GitHub Actions SHA pinning

Browse Source 
Adds `pinDigests: true` to the org-wide Renovate config. Renovate will
now automatically pin all GitHub Actions references to full commit SHAs
and keep them updated via weekly PRs.

This implements the supply-chain hardening goal from PRI-731 without
requiring a one-time manual SHA substitution that would quickly become
stale. Renovate handles pin creation and ongoing updates, eliminating
the toil.

The github-actions packageRule is preserved — Renovate will still group
minor/patch action tag updates, and each group PR will include the
corresponding SHA pins.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Hugh Hackman
2026-03-22 06:38:02 +00:00
parent 899c08f7b5
commit 7d5c6d67d6
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
renovate-config.json
+1
View File
@@ -4,6 +4,7 @@
"baseBranches": ["main"], "baseBranches": ["main"],
"schedule": ["every weekend"], "schedule": ["every weekend"],
"prConcurrentLimit": 5, "prConcurrentLimit": 5,
"pinDigests": true,
"packageRules": [ "packageRules": [
{ {
"matchManagers": ["npm"], "matchManagers": ["npm"],