From 96b73e391d0e29eaada5101b3d1c4fdb968e41a0 Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:39:41 +0000
Subject: [PATCH] ci: allow bazelModDeps unsafe execution in renovate runner
 config

Renovate requires permission to run `bazel mod deps --lockfile_mode=update` when updating Bazel module dependencies. This commit adds `bazelModDeps` to `allowedUnsafeExecutions` in the Renovate runner configuration to prevent updates from failing with permission errors.
---
 .github/ng-renovate/runner-config.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/ng-renovate/runner-config.js b/.github/ng-renovate/runner-config.js
index b7bc7e511..11cf62133 100644
--- a/.github/ng-renovate/runner-config.js
+++ b/.github/ng-renovate/runner-config.js
@@ -9,6 +9,8 @@ module.exports = {
   // Renovate fork PRs should never be editable as Renovate would otherwise
   // not be able to delete the branches and future updates would be missed.
   forkModeDisallowMaintainerEdits: true,
+  // Needed for `bazel mod deps --lockfile_mode=update`.
+  allowedUnsafeExecutions: ['bazelModDeps'],
   onboarding: false,
   persistRepoData: true,
   allowedCommands: ['.'],