From 4d989b363035c0ac45b69b4445aeb7e0a36d459e Mon Sep 17 00:00:00 2001
From: Charlie Marsh
Date: Sat, 15 Mar 2025 10:24:33 -0700
Subject: [PATCH] Instruct Renovate to pin GitHub Actions based on SHA (#12189)
## Summary
The intent here is that all actions should be pinned to an immutable SHA (but that Renovate should annotate each SHA with the corresponding SemVer version).
---
 .github/renovate.json5 | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index f26f285c2..4dff3b62e 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -22,6 +22,17 @@
 enabled: true,
 },
 packageRules: [
+ // Pin GitHub Actions to immutable SHAs.
+ {
+ matchDepTypes: ["action"],
+ pinDigests: true,
+ },
+ // Annotate GitHub Actions SHAs with a SemVer version.
+ {
+ extends: ["helpers:pinGitHubActionDigests"],
+ extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
+ versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
+ },
 {
 // Disable updates of `zip-rs`; intentionally pinned for now due to ownership change
 // See: https://github.com/astral-sh/uv/issues/3642
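Review bot: The first added rule looks redundant with the second, assuming `helpers:pinGitHubActionDigests` still expands to `matchDepTypes: ["action"]` plus `pinDigests: true`; one of the two could be dropped, or both replaced by Renovate's built-in `helpers:pinGitHubActionDigestsToSemver` preset if the Renovate version in use ships it. The `extractVersion` pattern accepts only full three-part tags, so an action that publishes only a moving major tag would presumably get no SemVer annotation or update, and a comment such as `// Actions without x.y.z tags are not matched by extractVersion; review those pins by hand.` would make that gap visible. The named capture groups in both regexes appear to have been stripped by this page's rendering (`(?v?` and `(?\\d+)`), so compare them against the committed file rather than this listing. Renovate only pins the `uses:` references it rewrites, so a CI check that rejects any reference not pinned to a full commit SHA would turn the stated intent into an enforced invariant.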