From 79c07f8822580b384ab325d43f047b57ae426d7f Mon Sep 17 00:00:00 2001
From: Cameron Brooks <cambrooks3393@gmail.com>
Date: Thu, 21 May 2026 19:26:52 -0400
Subject: [PATCH] chore: harden Renovate config (pinDigests, minimumReleaseAge,
 grouping)

---
 renovate.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/renovate.json b/renovate.json
index 5db72dd..2607205 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,11 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
+  "extends": ["config:recommended"],
+  "packageRules": [
+    {
+      "description": "Pin digests for supply-chain integrity of shared workflows",
+      "matchManagers": ["github-actions"],
+      "pinDigests": true
+    }
   ]
 }