
Conversation

@aladdin-add
Member

@aladdin-add aladdin-add commented Dec 8, 2025

Prerequisites checklist

What is the purpose of this pull request?

This pull request makes a minor update to the Renovate configuration by adding a helper to pin GitHub Action digests, which improves security and reliability for automated dependency updates.

  • Renovate configuration: Added the helpers:pinGitHubActionDigests preset to ensure that GitHub Actions are referenced by their specific digest, reducing the risk of supply chain attacks. (.github/renovate/base.json5)

What changes did you make? (Give an overview)

refs: https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigeststosemver

Related Issues

eslint/eslint#20310

Is there anything you'd like reviewers to focus on?

Copilot AI review requested due to automatic review settings December 8, 2025 08:34
@eslintbot eslintbot added this to Triage Dec 8, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in Triage Dec 8, 2025

Copilot AI left a comment


Pull request overview

This PR enhances security for GitHub Actions by adding the helpers:pinGitHubActionDigests preset to the Renovate base configuration. This change will ensure that GitHub Actions are referenced by their specific commit digests in addition to version tags, providing protection against tag manipulation and supply chain attacks.

  • Adds helpers:pinGitHubActionDigests preset to the Renovate extends array


@aladdin-add aladdin-add moved this from Needs Triage to Implementing in Triage Dec 8, 2025
@aladdin-add
Member Author

🎗️ A generated PR: aladdin-add/eslint-css#8

@lumirlumir lumirlumir moved this from Implementing to Triaging in Triage Dec 8, 2025
Member

@lumirlumir lumirlumir left a comment


Following the discussion in eslint/eslint#20310, it seems the preferred approach is to apply pinning actions only to third-party libraries:

Could we consider a balanced approach? Maybe we only enforce commit pins for third-party or less-trusted actions, while allowing tags for well-maintained official actions (like setup-node). This would reduce maintenance burden without compromising security where it matters most.

I'm also of the mind that this is excellent advice for third-party actions, but not necessary for GitHub-owned actions, where I'd prefer to know what version we're using.

But looking at the Renovate issue for the forked repository, it seems that all workflows under actions/ are being pinned to specific versions:

aladdin-add/eslint-css#1


Could we limit updates to third-party libraries only? Personally, pinning all actions with the actions/ prefix feels overwhelming — what do you think?

@aladdin-add
Member Author

Could we limit updates to third-party libraries only? Personally, pinning all actions with the actions/ prefix feels overwhelming — what do you think?

I could update it if there were a simple way. But since Renovate supports it well without requiring manual hash updates, it doesn't seem that important anymore. 😄

@lumirlumir lumirlumir requested a review from nzakas December 10, 2025 11:12
@lumirlumir
Member

I could update it if there were a simple way. But since Renovate supports it well without requiring manual hash updates, it doesn't seem that important anymore. 😄

If there's no easier way to exclude Actions with the actions/ prefix, I think that could be a good option 👍

However, I'm not entirely sure this is the approach the team wants to take, so another opinion would be helpful. @eslint/eslint-team

@lumirlumir lumirlumir moved this from Triaging to Feedback Needed in Triage Dec 10, 2025
@lumirlumir
Member

lumirlumir commented Dec 10, 2025

FYI, I've found a simple way to exclude Actions with the actions/ prefix.

The third approach suggested in this comment will work — I tested it in my forked repository: https://github.com/lumirlumir/fork-css/issues/7

1. Before using "helpers:pinGitHubActionDigests":

// .github/renovate/base.json5

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    ":approveMajorUpdates",
    ":semanticCommitScopeDisabled",
  ],
  ignorePresets: [":semanticPrefixFixDepsChoreOthers"],
  labels: ["dependencies", "triage:no"],

  // Wait well over npm's three day window for any new package as a precaution against malicious publishes
  // https://docs.npmjs.com/policies/unpublish/#packages-published-less-than-72-hours-ago
  minimumReleaseAge: "7 days",

  packageRules: [
    {
      description: "Use the deps:actions label for github-action manager updates (this means Renovate's github-action manager).",
      addLabels: ["deps:actions"],
      matchManagers: ["github-actions"],
    },
    {
      description: "Use the deps:npm label for npm manager packages (this means Renovate's npm manager).",
      addLabels: ["deps:npm"],
      matchManagers: ["npm"],
    },
  ],
}

2. After applying the following setup (current change):

// .github/renovate/base.json5

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    ":approveMajorUpdates",
    ":semanticCommitScopeDisabled",
+   "helpers:pinGitHubActionDigests",
  ],
  ignorePresets: [":semanticPrefixFixDepsChoreOthers"],
  labels: ["dependencies", "triage:no"],

  // Wait well over npm's three day window for any new package as a precaution against malicious publishes
  // https://docs.npmjs.com/policies/unpublish/#packages-published-less-than-72-hours-ago
  minimumReleaseAge: "7 days",

  packageRules: [
    {
      description: "Use the deps:actions label for github-action manager updates (this means Renovate's github-action manager).",
      addLabels: ["deps:actions"],
      matchManagers: ["github-actions"],
    },
    {
      description: "Use the deps:npm label for npm manager packages (this means Renovate's npm manager).",
      addLabels: ["deps:npm"],
      matchManagers: ["npm"],
    },
  ],
}

3. After applying the following setup (excluding Actions with the actions/ prefix):

// .github/renovate/base.json5

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    ":approveMajorUpdates",
    ":semanticCommitScopeDisabled",
  ],
  ignorePresets: [":semanticPrefixFixDepsChoreOthers"],
  labels: ["dependencies", "triage:no"],

  // Wait well over npm's three day window for any new package as a precaution against malicious publishes
  // https://docs.npmjs.com/policies/unpublish/#packages-published-less-than-72-hours-ago
  minimumReleaseAge: "7 days",

  packageRules: [
    {
      description: "Use the deps:actions label for github-action manager updates (this means Renovate's github-action manager).",
      addLabels: ["deps:actions"],
      matchManagers: ["github-actions"],
    },
+   {
+     extends: ["helpers:pinGitHubActionDigests"],
+     description: "Description",
+     addLabels: ["deps:actions"],
+     matchManagers: ["github-actions"],
+     matchPackageNames: ["!actions/**"]
+   },
    {
      description: "Use the deps:npm label for npm manager packages (this means Renovate's npm manager).",
      addLabels: ["deps:npm"],
      matchManagers: ["npm"],
    },
  ],
}
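Review bot: description: "Description" in the added rule is a placeholder; before this lands in .github/renovate/base.json5 it should state what the rule does in the style of the neighbouring rules, e.g. "Pin third-party GitHub Actions to commit digests; first-party actions/* keep version tags". The addLabels and matchManagers values repeat the rule directly above, which already labels every github-actions update, so the new rule only needs extends and matchPackageNames; the matchPackageNames line could also take the trailing comma the other rules use.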
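An added check, not code from this PR or from Renovate, that enforces the split settled on in this thread over a workflow file: references under the first-party actions/ prefix may stay on a version tag, every other action must be pinned to a full 40-hex commit digest. The sample workflow and its digest are constructed placeholders, and the version-comment check is an extra of this example, not something the discussion above requires.

```javascript
// Added example (not from the PR): policy check for "actions/* may use a tag,
// everything else must be pinned to a commit digest", run over workflow YAML text.
const DIGEST_RE = /^[0-9a-f]{40}$/;
const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?(?:\s*#\s*(\S+))?/;

// Pull every `uses:` reference out of workflow YAML text (line-based, no YAML parser).
function extractUses(yamlText) {
  const refs = [];
  for (const line of yamlText.split("\n")) {
    const m = USES_RE.exec(line);
    if (!m) continue;
    const at = m[1].lastIndexOf("@");
    const repo = at === -1 ? m[1] : m[1].slice(0, at);
    const ref = at === -1 ? "" : m[1].slice(at + 1);
    refs.push({ repo, ref, comment: m[2] || null }); // comment: the "# vX.Y.Z" Renovate keeps
  }
  return refs;
}

// Return the list of policy violations; an empty list means the workflow complies.
function checkWorkflow(yamlText) {
  const violations = [];
  for (const { repo, ref, comment } of extractUses(yamlText)) {
    // Local composite actions and docker:// images are outside this policy.
    if (repo.startsWith("./") || repo.startsWith("docker://")) continue;
    if (ref === "") {
      violations.push({ repo, ref, reason: "no ref at all (floats on the default branch)" });
    } else if (repo.startsWith("actions/")) {
      continue; // first-party: a version tag is acceptable per the discussion above
    } else if (!DIGEST_RE.test(ref)) {
      violations.push({ repo, ref, reason: "third-party action not pinned to a commit digest" });
    } else if (comment === null) {
      violations.push({ repo, ref, reason: "digest pinned but no version comment (hard to audit)" });
    }
  }
  return violations;
}

// Constructed sample workflow; the 40-hex digest is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: codecov/codecov-action@v4
      - uses: some-org/floating-action
      - uses: ./.github/actions/local-step
`;

console.log(checkWorkflow(SAMPLE_WORKFLOW)); // reports codecov (tag) and some-org (no ref)
```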

@nzakas
Member

nzakas commented Dec 10, 2025

Yeah, let's keep the first-party GitHub actions with version numbers and pin to commits for others.

@aladdin-add
Member Author


it's working great, thanks! @lumirlumir

@lumirlumir lumirlumir added the accepted There is consensus among the team that this change meets the criteria for inclusion label Dec 11, 2025
Member

@lumirlumir lumirlumir left a comment


LGTM, thanks!

Would like @nzakas to verify before merging.

@lumirlumir lumirlumir moved this from Feedback Needed to Second Review Needed in Triage Dec 11, 2025
@aladdin-add
Member Author

I'm merging it now - Nicholas may be on vacation and unavailable to review.

@aladdin-add aladdin-add merged commit fb0ce9b into main Dec 14, 2025
3 checks passed
@aladdin-add aladdin-add deleted the feat/pin-github-actions branch December 14, 2025 08:55
@github-project-automation github-project-automation bot moved this from Second Review Needed to Complete in Triage Dec 14, 2025