From 3214be70886a483ec10bdf2b2dea2a913acd2772 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 02:05:41 +0000
Subject: [PATCH 1/3] Add renovate.json
---
 renovate.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..5db72dd
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended"
+ ]
+}
From bf539910949ccf4cb346dcb2f6d67a2fd2c59b49 Mon Sep 17 00:00:00 2001
From: Jack Yeh <92348114+gofreight-jackyeh@users.noreply.github.com>
Date: Wed, 29 Apr 2026 17:05:07 +0800
Subject: [PATCH 2/3] chore(renovate): add FIS-17871 GitHub Actions security hardening rule
---
 renovate.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/renovate.json b/renovate.json
index 5db72dd..db73a0d 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,5 +2,15 @@
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
 "config:recommended"
+ ],
+ "packageRules": [
+ {
+ "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
+ "matchManagers": [
+ "github-actions"
+ ],
+ "groupName": "GitHub Actions",
+ "minimumReleaseAge": "3 days"
+ }
 ]
 }
From da35ea1e125bb53e0a98a731b19449629e5ea982 Mon Sep 17 00:00:00 2001
From: Jack Yeh <92348114+gofreight-jackyeh@users.noreply.github.com>
Date: Wed, 29 Apr 2026 18:06:51 +0800
Subject: [PATCH 3/3] chore(renovate): add pinDigests:true to FIS-17871 rule
---
 renovate.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index db73a0d..d9ebaee 100644
--- a/renovate.json
+++ b/renovate.json
@@ -10,7 +10,9 @@
 "github-actions"
 ],
 "groupName": "GitHub Actions",
- "minimumReleaseAge": "3 days"
+ "minimumReleaseAge": "3 days",
+ "pinDigests": true
 }
 ]
 }
+
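Review bot: `"groupName": "GitHub Actions"` in the new `packageRules` entry puts every `github-actions` update into one pull request, which works against the hardening goal named in `description`. A single PR that rewrites many action references at once is harder to review action by action than one PR per action. Consider dropping the `groupName` line from this rule, or moving it to a separate rule that matches only actions from publishers the team already trusts.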
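Review bot: `"pinDigests": true` under `"matchManagers": ["github-actions"]` covers only the references Renovate extracts from this repository's own workflow and action files, so the rule's `description` overstates what is pinned. Actions called from inside a third-party composite action or reusable workflow keep whatever ref their author chose. Once references are pinned, a moved tag arrives as a digest-only update; whether the 3-day `minimumReleaseAge` delay applies to it is not visible from this patch, because that delay relies on a release timestamp and the handling of updates without one depends on the Renovate version. I would state the scope in the text, e.g. `"description": "Security hardening for GitHub Actions (FIS-17871): pin direct workflow references to SHA digests, delay updates 3 days"`, and check the first digest-update PR Renovate opens. The hunk also appears to add a blank line after the closing `}`, which looks unintentional.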