Align SHA digest with their pinned version comment, hopefully also lets Renovate auto update the comments.

DevSecNinja · DevSecNinja · commit 17e8bb3a170d · 2026-02-26T20:12:04.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -92,6 +92,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           persist-credentials: false
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
         # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
         with:
           comment-summary-in-pr: always
diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml
@@ -68,7 +68,7 @@ jobs:
           output: "trivy-results.sarif"
 
       - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         if: always()
         with:
           sarif_file: "trivy-results.sarif"
diff --git a/renovate.json b/renovate.json
@@ -14,7 +14,8 @@
   "prHourlyLimit": 2,
   "github-actions": {
     "enabled": true,
-    "pinDigests": true
+    "pinDigests": true,
+    "rangeStrategy": "pin"
   },
   "pre-commit": {
     "enabled": true
@@ -124,12 +125,14 @@
       "automerge": true
     },
     {
-      "description": "Group GitHub Actions updates",
+      "description": "GitHub Actions with proper digest pinning and version comments",
       "matchManagers": [
         "github-actions"
       ],
       "groupName": "GitHub Actions",
-      "automerge": true
+      "automerge": true,
+      "pinDigests": true,
+      "separateMinorPatch": false
     }
   ],
   "vulnerabilityAlerts": {
