Adds explicit packageRules for major version bumps on both github-actions
and npm managers. Previously only minor/patch updates were configured,
requiring manual audits when major versions shipped (e.g. PRI-802 where
actions/setup-node v4→v6 had to be found and fixed by hand).
With these rules, Renovate will surface major bumps as PRs automatically.
automerge is false for both — major updates go through the normal
dual-approval workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds `pinDigests: true` to the org-wide Renovate config. Renovate will
now automatically pin all GitHub Actions references to full commit SHAs
and keep them updated via weekly PRs.
This implements the supply-chain hardening goal from PRI-731 without
requiring a one-time manual SHA substitution that would quickly become
stale. Renovate handles pin creation and ongoing updates, eliminating
the toil.
The github-actions packageRule is preserved — Renovate will still group
minor/patch action tag updates, and each group PR will include the
corresponding SHA pins.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
PR .github#32 proposed adding a new renovate.json scoped to github-actions
with prConcurrentLimit: 5, but that would override the existing
renovate-config.json and silently drop npm dependency updates.
Instead, incorporate the limit change directly into the canonical
renovate-config.json which already covers both npm and github-actions.
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.ai>
Co-authored-by: Paperclip <noreply@paperclip.ing>
All 6 plugin repos use identical Renovate configs. This org-level
preset provides a single source of truth. Plugin repos can extend
it with: "extends": ["local>privilegedescalation/.github:renovate-config"]
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hugh Hackman