From cef9b4714e4ee5543c9309edb10a794f630d67df Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Sat, 18 Jun 2022 12:42:20 -0500
Subject: [PATCH] chore: renovate bot setting to pin actions to a full length
 commit SHA (#2613)

- https://docs.renovatebot.com/modules/manager/github-actions/#additional-information
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

>Pin actions to a full length commit SHA

>Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
> Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository,
> as they would need to generate a SHA-1 collision for a valid Git object payload.

- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
- https://github.com/renovatebot/.github/blob/b0c3aa85ef2bb242580f20b02b380ca532b4ce17/default.json#L13

(cherry picked from commit d785a563fc728f6d8db8eebf93d4ef0104602fae)
---
 renovate.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 5c7f55402d..b833a3b1d1 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,7 @@
 {
   "extends": [
-    "config:base"
+    "config:base",
+    "helpers:pinGitHubActionDigests"
   ],
   "baseBranches": ["release/4.1.x", "release/4.2.x", "release/5.0.x"],
   "dependencyDashboard": true,