From 0f83eff7c742e6f1e608e59ef34f3c82898df810 Mon Sep 17 00:00:00 2001 From: Kevin Murphy Date: Fri, 18 Jul 2025 08:06:14 -0700 Subject: [PATCH 1/2] renovate: Update GitHub Actions via semver tags *with* SHAs There are two primary ways to have Renovate keep thirdparty GitHub Actions up-to-date: 1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or 2. pin to a commit hash (`uses: foo/bar@abcdef012345`) Approach (1) is much more understandable at-a-glance and more compatible with Renovate's "show the changelog" feature. Also, it avoids depending directly on the bleeding edge of the `master` branch of these actions. On the other hand, (2) is much better for security and reproducibility, since repo authors are free to overwrite tags whenever they wish. I noticed that https://github.com/astral-sh/uv was using a hybrid approach where they were using a syntax like 3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`) which seems to be the best of both worlds. So this patch is just copypasta from https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35 --- .github/renovate.json5 | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 10815770b..ffebcb2b0 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,5 +5,18 @@ "schedule:weekly" ], "timezone": "America/Los_Angeles", - "includePaths": [".github/**"] + "includePaths": [".github/**"], + "packageRules": [ + // Pin GitHub Actions to immutable SHAs. + { + matchDepTypes: ["action"], + pinDigests: true, + }, + // Annotate GitHub Actions SHAs with a SemVer version. + { + extends: ["helpers:pinGitHubActionDigests"], + extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$", + versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$", + }, + ], } From 806d6fdad0178c1bacb7429b0991e53d359c2da0 Mon Sep 17 00:00:00 2001 
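Review bot: The two patterns in the second `packageRules` entry are not valid regular expressions as written: `^(?v?\\d+\\.\\d+\\.\\d+)$` and `^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$` open groups with a bare `(?` and no group name, and Renovate's `regex:` versioning only works when the captures are named `major`, `minor` and `patch` (and `extractVersion` needs a `version` group). The uv file this was copied from uses `(?<version>…)`, `(?<major>…)`, `(?<minor>…)` and `(?<patch>…)`, so the names may have been lost in rendering rather than in the commit, but it is worth checking the file as merged, because a `versioning` string Renovate cannot parse can leave the `# vX.Y.Z` annotations unmaintained without any failing build to show it. The intended lines are `extractVersion: "^(?<version>v?\\d+\\.\\d+\\.\\d+)$",` and `versioning: "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$",`. Note also that `helpers:pinGitHubActionDigests` already expands to `matchDepTypes: ["action"], pinDigests: true`, so the first rule duplicates what the second rule's `extends` provides and could be dropped to keep one source of truth for the pinning policy.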
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:10:59 -0700
Subject: [PATCH 2/2] ci: Set `actions/checkout` to latest tagged version
The previous ref (8edcb1b...) was actually pointing to the HEAD of this repo which is a little ahead of the tag, though the only diff is to `README.md` and `CODEOWNERS` https://github.com/actions/checkout/compare/v4.2.2..8edcb1bdb4e267140fa742c62e395cd74f332709
---
.github/workflows/build_wheel.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
index b1b0cdf69..9b5c47c18 100644
--- a/.github/workflows/build_wheel.yml
+++ b/.github/workflows/build_wheel.yml
@@ -9,7 +9,7 @@ jobs:
 - 3.12.6
 runs-on: [self-hosted, fasttext]
 steps:
- - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Python
 run: |
 uv python install ${{ matrix.python-version }}
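Review bot: The pinned `actions/checkout` step keeps the action's default `persist-credentials: true`, which stores the job's `GITHUB_TOKEN` in the checked-out repo's `.git/config`; on the `self-hosted` runner this job uses (`runs-on: [self-hosted, fasttext]`) the workspace is typically reused rather than discarded, so the token can be read by later steps or by other workloads on that machine until it expires. Unless a later step needs to push with it, add `with:` and `persist-credentials: false` under the `uses:` line. The SHA-plus-comment form is the right shape, but the `# v4.2.2` comment is only as accurate as whoever last edited it, so confirm once before merging that `11bd71901bbe5b1630ceea73d27597364c9af683` is the commit behind the `v4.2.2` tag (e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2`); after that Renovate maintains the pair. The job's trigger and the rest of its steps are outside this hunk, so whether the token is needed later in the job cannot be judged from here.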