From e4ca49047c946c551cd614366ae469f5ad266a0a Mon Sep 17 00:00:00 2001
From: Kevin Murphy
Date: Fri, 1 Aug 2025 07:54:45 -0700
Subject: [PATCH 1/2] renovate: Update GitHub Actions via semver tags *with* SHAs

There are two primary ways to have Renovate keep thirdparty GitHub Actions up-to-date:
1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or
2. pin to a commit hash (`uses: foo/bar@abcdef012345`)
Approach (1) is much more understandable at-a-glance and more compatible with Renovate's "show the changelog" feature. Also, it avoids depending directly on the bleeding edge of the `master` branch of these actions. On the other hand, (2) is much better for security and reproducibility, since repo authors are free to overwrite tags whenever they wish.
I noticed that https://github.com/astral-sh/uv was using a hybrid approach where they were using a syntax like
3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`)
which seems to be the best of both worlds. So this patch is just copypasta from https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35
---
 .github/renovate.json5 | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 1081577..ffebcb2 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,5 +5,18 @@
 "schedule:weekly"
 ],
 "timezone": "America/Los_Angeles",
- "includePaths": [".github/**"]
+ "includePaths": [".github/**"],
+ "packageRules": [
+ // Pin GitHub Actions to immutable SHAs.
+ {
+ matchDepTypes: ["action"],
+ pinDigests: true,
+ },
+ // Annotate GitHub Actions SHAs with a SemVer version.
+ {
+ extends: ["helpers:pinGitHubActionDigests"],
+ extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
+ versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
+ },
+ ],
 }

From f018889d76e0874fba40367eba5b1d00f9ad9e9a Mon Sep 17 00:00:00 2001
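Review bot: As rendered here the two regexes read `(?v?\\d+…)` and `(?\\d+)`, which are not valid named groups — Renovate's `extractVersion` needs `(?<version>…)` and the `regex:` versioning needs `(?<major>…)`, `(?<minor>…)`, `(?<patch>…)`, i.e. `extractVersion: "^(?<version>v?\\d+\\.\\d+\\.\\d+)$"` and `versioning: "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$"` as in the uv file linked from the message; this is very likely the page stripping `<…>`, but it is worth confirming the committed file has them, because an invalid regex makes Renovate reject the whole config rather than just this rule. The first rule (`matchDepTypes: ["action"]` + `pinDigests: true`) restates what the `helpers:pinGitHubActionDigests` preset in the second rule already applies, so one of the two is redundant. The new rules use unquoted keys while the rest of the file quotes them (`"timezone"`, `"includePaths"`); JSON5 accepts both, but the file should pick one. Finally, the `# vX.Y.Z` annotation Renovate writes is only a comment — the runner resolves the SHA, never the comment — so each Renovate PR still needs a reviewer or a lint step to check that the digest really is the tag it claims before merge.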
From: Kevin Murphy
Date: Fri, 1 Aug 2025 07:59:57 -0700
Subject: [PATCH 2/2] ci: Set `actions/checkout` to latest tagged version

The previous ref (8edcb1b...) was actually pointing to the HEAD of this repo which is a little ahead of the tag, though the only diff is to `README.md` and `CODEOWNERS`
https://github.com/actions/checkout/compare/v4.2.2..8edcb1bdb4e267140fa742c62e395cd74f332709
---
 .github/workflows/build_wheel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
index 3348482..3981aa5 100644
--- a/.github/workflows/build_wheel.yml
+++ b/.github/workflows/build_wheel.yml
@@ -10,7 +10,7 @@ jobs:
 - 3.12.6
 runs-on: [self-hosted, libpff]
 steps:
- - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Download test data
 run: |
 if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
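Review bot: The newly pinned checkout step runs on a `self-hosted` runner (`runs-on: [self-hosted, libpff]` is visible two lines above) with `actions/checkout`'s default `persist-credentials: true`, which leaves the job's `GITHUB_TOKEN` in `.git/config` on a machine that outlives the job; unless a later step pushes with that token, add `with:` / `persist-credentials: false` under the `uses:` line. The step right after it executes `./synctestdata.sh` straight out of the checkout, so if the workflow's trigger (outside this hunk) includes `pull_request` from forks, that is arbitrary code on self-hosted infrastructure and the trigger is worth confirming. The digest/tag pairing in the `# v4.2.2` comment cannot be verified from the diff itself; it should be checked against the `actions/checkout` `v4.2.2` tag before merge, and the same check applies to every Renovate-generated annotation going forward. The job definition begins before the hunk.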