@bufferings bufferings commented Dec 30, 2025

Summary

Enable automatic SHA pinning for GitHub Actions via Renovate.

Changes

Add helpers:pinGitHubActionDigests preset to Renovate configuration.

This will:

  • Pin GitHub Actions to commit SHAs for improved security
  • Automatically create PRs when new versions are available

Summary by CodeRabbit

  • Chores
    • Updated Renovate configuration to automatically pin GitHub Action digests, enhancing security and ensuring consistent, reproducible builds across deployments.

Add helpers:pinGitHubActionDigests preset to automatically pin
GitHub Actions to commit SHAs for improved security.
Copilot AI review requested due to automatic review settings December 30, 2025 04:44
changeset-bot bot commented Dec 30, 2025

⚠️ No Changeset found

Latest commit: 4109ff6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

coderabbitai bot commented Dec 30, 2025

Walkthrough

The renovate.json configuration file was updated to include the "helpers:pinGitHubActionDigests" preset in the extends array, enabling automatic pinning of GitHub Action digests alongside the existing "config:recommended" preset.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Configuration: renovate.json | Added "helpers:pinGitHubActionDigests" to the extends array to enable pinning of GitHub Action digests |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A rabbit hops through version lands,
Where Actions flow through gentle hands,
With digests pinned so safe and sound,
Renovate's helpers come around!

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Enable GitHub Actions SHA pinning via Renovate' clearly and accurately describes the main change: adding the helpers:pinGitHubActionDigests preset to enable automatic pinning of GitHub Actions to commit SHAs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40d19e2 and 4109ff6.

📒 Files selected for processing (1)
  • renovate.json
🔇 Additional comments (1)
renovate.json (1)

3-3: Good security improvement.

Pinning GitHub Actions to commit SHAs is a best practice that prevents supply chain attacks and ensures reproducible CI runs. The helpers:pinGitHubActionDigests preset automatically handles this for all Actions in your workflows and is fully compatible with config:recommended.


Copilot AI left a comment

Pull request overview

This PR enhances security by enabling automatic SHA pinning for GitHub Actions through Renovate configuration.

  • Adds the helpers:pinGitHubActionDigests preset to automatically pin GitHub Actions to commit SHAs


@bufferings bufferings merged commit ed05368 into main Dec 30, 2025
8 checks passed
@bufferings bufferings deleted the pin-github-actions branch December 30, 2025 04:46
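
Added example (not part of this pull request or of the repository's code): a Python check that lists the `uses:` references in a workflow file that are not pinned to a full commit SHA, which is the state the preset is meant to remove. The sample workflow and the `example-org` action names are constructed for illustration.

```python
import re

# `uses:` as a step (`- uses:`) or as a reusable-workflow job key; a trailing
# `# comment` (for example a version tag) is ignored.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Classify one `uses:` value as 'local', 'pinned' or 'unpinned'."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository, nothing to pin
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, _, version = ref.partition("@")
    # Tags and branches can be moved; only a full 40-hex commit SHA is fixed.
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "unpinned"

def audit_workflow(text):
    """Return (line_number, reference, status) for every `uses:` line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

def unpinned(text):
    """Return (line_number, reference) for references that still need pinning."""
    return [(n, ref) for n, ref, status in audit_workflow(text) if status == "unpinned"]

# Constructed sample workflow (assumption, not taken from the repository).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-build
      - uses: example-org/other-action@main
      - uses: example-org/short-sha@0123abc
"""

if __name__ == "__main__":
    for n, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA")
```

Run against the files under `.github/workflows/` in CI, a non-empty result from `unpinned` can fail the build until the pinning PRs are merged.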