From 4bc8c6e40f162cb2cbcf829d6a967225b1d1bb6a Mon Sep 17 00:00:00 2001
From: Timo Behrendt
Date: Wed, 8 Oct 2025 18:54:50 +0200
Subject: [PATCH] feat: pin digest of GitHub action updates (#2)

We always want to pin GitHub actions to a digest, to avoid attack vectors where existing tags are being re-used and their implementation replaced with malicious code. As described in [renovate's documentation](https://docs.renovatebot.com/modules/manager/github-actions/#digest-pinning-and-updating), adding the "helpers:pinGitHubActionDigests" to the extends automatically forces renovate to always pin digests.

Reviewed-on: https://gitea.t000-n.de/t.behrendt/renovate-configs/pulls/2
Reviewed-by: branch-buddy
Co-authored-by: Timo Behrendt
Co-committed-by: Timo Behrendt
---
 action.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/action.json b/action.json
index 6eb904f..1e80602 100644
--- a/action.json
+++ b/action.json
@@ -1,5 +1,6 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["helpers:pinGitHubActionDigests"],
 "packageRules": [
 {
 "matchManagers": ["github-actions"],
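Review bot: The added `"extends": ["helpers:pinGitHubActionDigests"]` line pins action references, but it does not decide how the follow-up digest bumps get merged, and the `packageRules` array that governs that continues past the end of this hunk. If a rule there automerges `github-actions` updates, a re-pointed tag would still arrive as an automerged digest change, so the `digest` update type is better left for manual review or delayed with `minimumReleaseAge`. As far as I know the preset only matches the `action` dep type, so container or service images in workflows, and actions referenced inside third-party composite actions, are not pinned by it. Because the file is strict JSON and cannot carry a comment, the rationale from the commit message could sit next to the setting as a top-level `"description": ["Pin GitHub Actions to commit digests so a moved tag cannot change the code that runs"]` entry.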