From 677a241fef15f9152ec4d748d627931285267c10 Mon Sep 17 00:00:00 2001
From: Morten Andersen
Date: Tue, 28 Apr 2026 09:47:17 +0200
Subject: [PATCH] fix: Configure renovate to pin external github actions to avoid supply chain attacks

---
 renovate.json | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/renovate.json b/renovate.json
index 4a0dbd49..c23016cf 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,7 +1,18 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-"extends": ["config:recommended"],
+"extends": [
+"config:recommended",
+"helpers:pinGitHubActionDigests"
+],
 "semanticCommits": "enabled",
 "prConcurrentLimit": 2,
-"rebaseWhen": "conflicted"
+"rebaseWhen": "conflicted",
+"packageRules": [
+{
+"description": "Do not pin internal monta-app GitHub Actions — these intentionally track @main",
+"matchManagers": ["github-actions"],
+"matchPackagePatterns": ["^monta-app/"],
+"pinDigests": false
+}
+]
 }
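Review bot: The new packageRule uses `matchPackagePatterns`, which Renovate has deprecated in favour of `matchPackageNames` with regex syntax; depending on the Renovate release running against this repo the key is either auto-migrated or reported as an invalid config, so writing it as `"matchPackageNames": ["/^monta-app\\//"]` avoids relying on the migration — confirm against the version in use. The exclusion also means the monta-app actions stay on mutable `@main` refs while every external action is digest-pinned, so the trust boundary for this CI is now write access to the default branch of each monta-app action repository; the description should say so, e.g. `"description": "Do not pin internal monta-app GitHub Actions — they intentionally track @main, so their default branch is trusted as part of this CI"`. Since the regex is anchored on the lowercase `monta-app/` owner and GitHub owner names are case-insensitive, a workflow that spells the owner differently would fall outside the rule and be pinned, which is the safe direction but may surprise whoever maintains those workflows.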