From 3fae4bae3e9485e90837dcb0dedc300ac8e52132 Mon Sep 17 00:00:00 2001
From: Bryan Beverly
Date: Mon, 15 Jun 2026 13:05:46 -0700
Subject: [PATCH] Do not SHA-pin internal trufflesecurity actions/reusable workflows

helpers:pinGitHubActionDigests pins every github-actions ref, including internal trufflesecurity reusable workflows that are intentionally kept on floating refs (e.g. @main). This produced unwanted pin PRs such as trufflesecurity/truffle-release-bot#25.

Add a packageRule that disables digest pinning for internal actions. It is scoped by regex (/^trufflesecurity\//) rather than a glob because Renovate names a reusable-workflow dependency after its repo (e.g. "trufflesecurity/.github"), and the leading dot in ".github" defeats glob "*" matching.

This mirrors the file-scoped opt-out lesson from slack-integration-service#568 (SCAN-914), where a non-matching opt-out let the bot silently re-pin a ref that had to stay on @main.

Co-authored-by: Cursor
---
 renovate-config.json | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/renovate-config.json b/renovate-config.json
index 6a597bb..8a3d2d0 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -30,6 +30,12 @@
 "description": "Group all GitHub Actions updates into a single PR",
 "matchManagers": ["github-actions"],
 "groupName": "github-actions"
+ },
+ {
+ "description": "Keep internal trufflesecurity actions and reusable workflows on their floating ref instead of SHA-pinning them. Internal actions are org-controlled, so the supply-chain risk is internal; pinning them only adds Renovate noise on every internal release. Scoped by regex because Renovate names a reusable-workflow dependency after its repo (e.g. 'trufflesecurity/.github'), and the leading dot defeats glob '*' matching (see trufflesecurity/slack-integration-service#568 / SCAN-914).",
+ "matchManagers": ["github-actions"],
+ "matchDepNames": ["/^trufflesecurity\\//"],
+ "pinDigests": false
 }
 ],
 "env": {
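Review bot: `"pinDigests": false` on the `/^trufflesecurity\\//` rule removes the only reviewable step between a push to an internal repo's `main` and every consumer of that action or reusable workflow, so the description's "the supply-chain risk is internal" understates what is being accepted: any write access to those repositories (a leaked token, a mistaken merge) now reaches consumers on the next run without a Renovate PR to inspect. That trade-off is reasonable only if the referenced repos enforce branch protection and required reviews on their default branches, and that assumption lives outside this file, so I would state it in the description, e.g. replacing the second sentence with `Internal actions are org-controlled; this opt-out relies on branch protection and required reviews on their default branches, since changes there now reach consumers without a review PR.` As a smaller point, the regex is case-sensitive while GitHub owner names are not, so a workflow written as `uses: TruffleSecurity/...` would presumably still be pinned; harmless, but worth knowing if an unexpected pin PR appears. The enclosing `packageRules` array starts before this hunk.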