fix: enable pinGitHubActionDigests and add trusted orgs #152
JacobPEvans merged 2 commits into main from
Conversation
Enable automatic SHA-pinning for all GitHub Actions across the org via Renovate's pinGitHubActionDigests feature. Add 5 new trusted orgs (aquasecurity, terraform-linters, lycheeverse, streetsidesoftware, oven-sh) for faster auto-merge of security updates. Add custom regex manager for npx version pins in workflow YAML files. Addresses CVE-2026-33634 (Trivy tag-poisoning) prevention and Q1 2026 AI supply chain attack hardening. (claude)
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request updates the Renovate configuration to improve both security and automation efficiency. By enforcing digest pinning for GitHub Actions and expanding the list of trusted publishers, the changes ensure a more secure and streamlined dependency management process across the organization's repositories.

Highlights
Pull request overview

Enables stronger Renovate supply-chain hardening by SHA-pinning GitHub Actions, expands the "trusted orgs" allowlist for broader auto-merge coverage, and introduces a regex manager to update npx-pinned versions in GitHub Actions workflows.

Changes:
- Enable `pinGitHubActionDigests` to convert GitHub Actions tag references to SHA digests.
- Add `aquasecurity`, `terraform-linters`, `lycheeverse`, `streetsidesoftware`, `oven-sh` to the trusted org auto-merge allowlist.
- Add a custom regex manager to detect and update annotated `npx` version pins in workflow YAML.
Address Copilot review feedback:
- Add `\b` word boundary around `npx` to prevent matching `pnpx`
- Replace `.*` with `[\s\S]*?` to support `run: |` multi-line blocks
(claude)
Summary
- `pinGitHubActionDigests`: Renovate will now automatically convert all GitHub Actions tag references to SHA-pinned digests org-wide, preventing tag-poisoning attacks (addresses CVE-2026-33634)
- Trusted orgs `aquasecurity`, `terraform-linters`, `lycheeverse`, `streetsidesoftware`, `oven-sh` — enables faster auto-merge for security/lint tooling updates from these verified publishers
- Custom regex manager for `npx` version pins in GitHub Actions workflow YAML files annotated with renovate comments

Test plan
- Renovate picks up the `pinGitHubActionDigests` setting and begins opening SHA-pin PRs across org repos
- Regex manager detects `npx` calls in existing workflow files (dry-run Renovate locally or wait for next scheduled run)

🤖 Generated with Claude Code
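The two regex points from the review fix-up commit (the `\b` guard against `pnpx` and the `[\s\S]*?` gap for `run: |` blocks) and the digest-pinning goal from the summary can be checked offline before waiting on a Renovate run. The block below is an added example, not code from this PR, from Renovate or from the JacobPEvans org: the matchString is my assumption of the shape such a custom manager takes (Renovate's named groups `datasource`, `depName`, `currentValue` are real conventions; the exact pattern is not the PR's), the workflow text is constructed, and the 40-hex SHA in it is a placeholder rather than a real commit.

```javascript
// Added example, not code from the PR or from Renovate. Exercises an assumed
// Renovate-style matchString for annotated `npx <pkg>@<version>` pins over a
// constructed workflow, and flags `uses:` references that are not SHA-pinned.

// Assumed matchString (not the PR's actual regex). `\b` before `npx` keeps
// `pnpx` from matching; `[\s\S]*?` is a lazy gap that may cross newlines, so
// the `# renovate:` annotation can sit above a `run: |` block (`.` never
// crosses a newline). Both constructs are accepted by RE2, which Renovate uses.
const MATCH_STRING =
  "# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>\\S+)" +
  "[\\s\\S]*?\\bnpx (?<packageName>\\S+)@(?<currentValue>[0-9][^\\s'\"]*)";

// Returns one {datasource, depName, packageName, currentValue} per annotated
// npx pin. Unannotated npx calls are deliberately left alone.
function extractNpxPins(workflowYaml, matchString = MATCH_STRING) {
  const re = new RegExp(matchString, "g");
  return Array.from(workflowYaml.matchAll(re), (m) => ({
    datasource: m.groups.datasource,
    depName: m.groups.depName,
    packageName: m.groups.packageName,
    currentValue: m.groups.currentValue,
  }));
}

// A `uses:` ref counts as digest-pinned when the part after `@` is a 40-hex
// commit SHA (a trailing `# vX.Y.Z` comment is fine). Local actions (`./path`)
// have no ref to pin, and docker:// refs use a different digest scheme, so
// both are skipped here.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;
function findUnpinnedUses(workflowYaml) {
  const unpinned = [];
  for (const line of workflowYaml.split("\n")) {
    const m = USES_LINE.exec(line);
    if (!m || m[1].startsWith("./") || m[1].startsWith("docker://")) continue;
    const ref = m[1];
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!/^[0-9a-f]{40}$/.test(version)) unpinned.push(ref);
  }
  return unpinned;
}

// Constructed sample workflow (not a real repository file); the SHA below is a
// placeholder, not a real commit.
const SAMPLE_WORKFLOW = `name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.4
      - name: prettier
        # renovate: datasource=npm depName=prettier
        run: npx prettier@3.3.3 --check .
      - name: markdownlint
        # renovate: datasource=npm depName=markdownlint-cli2
        run: |
          echo "linting markdown"
          npx markdownlint-cli2@0.13.0 "**/*.md"
      - name: unannotated, left alone by the manager
        run: npx cowsay@1.6.0 hi
`;

// Constructed snippet: an annotation directly above a pnpx call. With the
// `\b` guard there is no match; without it, `npx ` inside `pnpx ` matches.
const PNPX_SNIPPET = `# renovate: datasource=npm depName=esbuild
run: pnpx esbuild@0.21.0 --version
`;

console.log(extractNpxPins(SAMPLE_WORKFLOW));
console.log("pnpx with \\b guard:", extractNpxPins(PNPX_SNIPPET));
console.log("pnpx without guard:", extractNpxPins(PNPX_SNIPPET, MATCH_STRING.replace("\\b", "")));
console.log("unpinned uses:", findUnpinnedUses(SAMPLE_WORKFLOW));
```

Two caveats worth keeping in mind when adopting a pattern like this. Because `[\s\S]*?` is a lazy gap with no upper bound, an annotation whose own step has no matching `npx` call will bind to the next `npx` further down the file and update the wrong version; keep each `# renovate:` comment immediately above the `run:` it describes. And this check runs the pattern under V8, whereas Renovate evaluates matchStrings with RE2, so stick to constructs both engines share (no lookbehind) or the local test will pass while Renovate rejects the config.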