Skip to content

chore: Add Renovate config for SHA-pinned GitHub Actions#6

Open
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
chore/seceng-299-renovate-config
Open

chore: Add Renovate config for SHA-pinned GitHub Actions#6
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
chore/seceng-299-renovate-config

Conversation

@devin-ai-integration
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot commented May 4, 2026

Summary

Adds a renovate.json that extends the shared workos/renovate-config preset, scoped to the github-actions manager only. Activates automated maintenance of the SHA-pinned GitHub Actions in this repo without changing how any other dependencies are managed.

Behavior gained:

  • Automatic SHA pinning of any newly-added GitHub Actions via helpers:pinGitHubActionDigests.
  • 7-day cooldown on all GitHub Actions updates (minimumReleaseAge: "7 days" + minimumReleaseAgeBehaviour: "timestamp-required").
  • Grouped, automerged minor/patch/digest GitHub Actions updates after CI passes.
  • Manual review for major version bumps.

enabledManagers: ["github-actions"] keeps Renovate out of any other ecosystems — adjust later if you want it broader.

The shared preset lives at https://github.com/workos/renovate-config and any policy change is a single edit there that propagates to every consuming repo.

Refs SECENG-299.

Review & Testing Checklist for Human

  • Confirm the Mend Renovate GitHub App is installed on this repo at https://developer.mend.io/github/workos. Without it, this file is inert.
  • Optional: validate the JSON with npx --yes --package renovate -- renovate-config-validator renovate.json.
  • Once Mend processes the repo, the first Renovate PR should appear with grouped GitHub Actions updates respecting the 7-day cooldown.

Notes

Part of the rollout for SECENG-299 "Implement Dependency Management for GitHub Workflow SHA pins". Companion PRs are being opened in the rest of the public SDKs and adjacent repos.

Link to Devin session: https://app.devin.ai/sessions/337e586a7c3e40ce8da2d048b402e6f5

@willporter-workos
chore: Add Renovate config for SHA-pinned GitHub Actions
de8911e 
Extends the shared workos/renovate-config preset, scoped to the
github-actions manager only. Enables:

- Automatic SHA-pinning of any newly-added GitHub Actions
- 7-day minimumReleaseAge on all GitHub Actions updates
- Grouped, automerged minor/patch/digest updates after CI
- Manual review for major version bumps

See https://github.com/workos/renovate-config for the preset.

Refs SECENG-299.
@devin-ai-integration
Copy link
Copy Markdown
Contributor Author

devin-ai-integration Bot commented May 4, 2026

Original prompt from will.porter

'Implement Dependency Management for GitHub Workflow SHA pins' (SECENG-299)

User instruction: @devin lets consider ways to ease the pain of updating the sha pins. Dependabot or renovate configs may be a valid solution. Note that we will want some kind of feature such as minimumReleaseAge to prevent us from adopting workflows that are less than 7 days old. Please present options with pros and cons before implementing anything

@linear-code
Copy link
Copy Markdown

linear-code Bot commented May 4, 2026

SECENG-299 Implement Dependency Management for GitHub Workflow SHA pins

@devin-ai-integration
Copy link
Copy Markdown
Contributor Author

devin-ai-integration Bot commented May 4, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@willporter-workos