Instruct Renovate to pin GitHub Actions based on SHA (#12189)

## Summary

The intent here is that all actions should be pinned to an immutable SHA
(but that Renovate should annotate each SHA with the corresponding
SemVer version).
This commit is contained in:
Charlie Marsh 2025-03-15 10:24:33 -07:00 committed by GitHub
parent dab1ea2272
commit 4d989b3630
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -22,6 +22,17 @@
enabled: true,
},
packageRules: [
// Pin GitHub Actions to immutable SHAs.
{
matchDepTypes: ["action"],
pinDigests: true,
},
// Annotate GitHub Actions SHAs with a SemVer version.
{
extends: ["helpers:pinGitHubActionDigests"],
extractVersion: "^(?<version>v?\\d+\\.\\d+\\.\\d+)$",
versioning: "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$",
},
{
// Disable updates of `zip-rs`; intentionally pinned for now due to ownership change
// See: https://github.com/astral-sh/uv/issues/3642