From b50b8a8807dbf434adc5e198684192ff27fb05b0 Mon Sep 17 00:00:00 2001
From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com>
Date: Sun, 3 May 2026 16:54:39 +0200
Subject: [PATCH 1/3] Revert "fix(renovate): pin Renovate version ranges by
 default" (#74)

---
 .renovate/base.json5 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.renovate/base.json5 b/.renovate/base.json5
index 51761d6..56b0828 100644
--- a/.renovate/base.json5
+++ b/.renovate/base.json5
@@ -6,7 +6,6 @@
   dependencyDashboardTitle: "Renovate Dashboard 🤖",
   suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
   pinDigests: true,
-  rangeStrategy: "pin",
   labels: ["dependencies"],
   osvVulnerabilityAlerts: true,
   timezone: 'Europe/Amsterdam',

From ed7a82ff30169c30f2297d7b24e173b241db354a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 3 May 2026 14:58:52 +0000
Subject: [PATCH 2/3] Initial plan


From a39897353097155e5728582fae9bb2006ce73dbe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 3 May 2026 15:15:28 +0000
Subject: [PATCH 3/3] fix(renovate): expand github action digest pins to semver

Agent-Logs-Url: https://github.com/DevSecNinja/.github/sessions/62610657-1e77-41d4-8e25-5cdc032203f1

Co-authored-by: DevSecNinja <14926452+DevSecNinja@users.noreply.github.com>
---
 .renovate/base.json5             | 2 +-
 config-sync/files/renovate.json5 | 2 +-
 docs/architecture.md             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.renovate/base.json5 b/.renovate/base.json5
index 56b0828..06c59ba 100644
--- a/.renovate/base.json5
+++ b/.renovate/base.json5
@@ -2,10 +2,10 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
     "config:best-practices",
+    "helpers:pinGitHubActionDigestsToSemver",
   ],
   dependencyDashboardTitle: "Renovate Dashboard 🤖",
   suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
-  pinDigests: true,
   labels: ["dependencies"],
   osvVulnerabilityAlerts: true,
   timezone: 'Europe/Amsterdam',
diff --git a/config-sync/files/renovate.json5 b/config-sync/files/renovate.json5
index 3359a7b..6645d7d 100644
--- a/config-sync/files/renovate.json5
+++ b/config-sync/files/renovate.json5
@@ -2,7 +2,7 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
     "config:recommended",
-    "helpers:pinGitHubActionDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
     ":dependencyDashboard",
     ":semanticCommits",
     "github>DevSecNinja/.github//.renovate/autoMerge.json5",
diff --git a/docs/architecture.md b/docs/architecture.md
index 08d50c3..854c64d 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -490,7 +490,7 @@ Repositories import the shared fragments in their `renovate.json5`:
 {
   extends: [
     "config:recommended",
-    "helpers:pinGitHubActionDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
     ":dependencyDashboard",
     ":semanticCommits",
     "github>DevSecNinja/.github//.renovate/autoMerge.json5",