From 635fee51fae10c025fca790654b9f90b728d96a2 Mon Sep 17 00:00:00 2001
From: Jack Yeh <92348114+gofreight-jackyeh@users.noreply.github.com>
Date: Wed, 29 Apr 2026 17:15:07 +0800
Subject: [PATCH 1/2] chore: configure Renovate with FIS-17871 GitHub Actions security rule
---
 renovate.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..db73a0d
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended"
+ ],
+ "packageRules": [
+ {
+ "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
+ "matchManagers": [
+ "github-actions"
+ ],
+ "groupName": "GitHub Actions",
+ "minimumReleaseAge": "3 days"
+ }
+ ]
+}
From 2cc789ab6743a8f5f0fe9b7f5f8ec3cc33264c3d Mon Sep 17 00:00:00 2001
From: Jack Yeh <92348114+gofreight-jackyeh@users.noreply.github.com>
Date: Wed, 29 Apr 2026 18:07:38 +0800
Subject: [PATCH 2/2] chore(renovate): add pinDigests:true to FIS-17871 rule
---
 renovate.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index db73a0d..d9ebaee 100644
--- a/renovate.json
+++ b/renovate.json
@@ -10,7 +10,9 @@
 "github-actions"
 ],
 "groupName": "GitHub Actions",
- "minimumReleaseAge": "3 days"
+ "minimumReleaseAge": "3 days",
+ "pinDigests": true
 }
 ]
 }
+
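Review bot: In the new-file hunk of patch 1/2, `"minimumReleaseAge": "3 days"` only delays updates whose release timestamp Renovate can read, and how a release without a timestamp is treated depends on the Renovate version in use. If that version supports it, adding `"minimumReleaseAgeBehaviour": "timestamp-required"` to the rule would make the delay fail closed; otherwise confirm on the Dependency Dashboard that action updates are actually held as pending. Separately, `"groupName": "GitHub Actions"` puts every action bump into one PR, so the reviewer of that PR is the remaining control and has to check each changed ref. The file is strict JSON, so any such caveat has to go in the rule's `description` string.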
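Review bot: The last added line of the patch 2/2 hunk is an empty line after the closing `}`, so `renovate.json` now ends with a blank line; dropping that `+` line keeps a single trailing newline. On the setting itself, `"pinDigests": true` only takes effect once Renovate's first pinning PR is merged, and only for references that the `github-actions` manager detects. After that PR, a quick search of the workflows for `uses:` lines that still point at a tag or branch would confirm the hardening named in the `description` is complete.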