Use two Renovate presets to pin your Docker containers to a digest, and pin your GitHub Actions #1559
HonkingGoose asked this question in Ideas
Intro
I help maintain the Renovate documentation, and stumbled upon a link to your repository. I got curious how you're using and configuring Renovate, so I started looking around. 😄
Current situation
You use some Renovate presets by putting them in the extends array:
skuba/.github/renovate.json5, lines 1 to 12 in d0ebddd
And write the rest of the config yourself.
Pin dependencies
You can tighten your repository's dependencies by:
The easy way to do this is by using these Renovate presets:
docker:pinDigests
helpers:pinGitHubActionDigests
These presets are part of a larger config:best-practices preset, which includes all the Renovate maintainers' best practices. You probably want to keep writing most of your config, like you do now.
More information
Read the Renovate docs, Upgrade best practices page to learn why the Renovate maintainers recommend you pin your Docker and GitHub Actions versions, and to learn about other recommendations.
Outro
I hope this is handy and useful for you. 😉
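As an added example (not part of the original post and not Renovate's own code), this Python check flags the references that the two presets named above would pin: `uses:` refs that lack a full commit SHA, and `FROM` images that lack a `sha256` digest. The function names and sample inputs are constructed for illustration, and the SHA and digest are placeholders.

```python
import re

# Pinned forms: actions end in @<40-hex commit SHA>, images in @sha256:<64 hex>.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` that is not pinned immutably."""
    hits = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):  # local actions have no ref
            continue
        ref = m.group(1)
        pattern = DIGEST_RE if ref.startswith("docker://") else SHA_RE
        if not pattern.search(ref):
            hits.append((no, ref))
    return hits

def unpinned_images(dockerfile_text):
    """Return (line_no, image) for FROM images without a sha256 digest.
    Earlier build-stage names and `scratch` are skipped: they are not pulls."""
    hits, stages = [], set()
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image not in stages and image != "scratch" and not DIGEST_RE.search(image):
            hits.append((no, image))
        if alias:
            stages.add(alias)
    return hits

# Constructed sample input; the SHA and digest are placeholders, not real values.
FAKE_SHA, FAKE_DIGEST = "a" * 40, "b" * 64
WORKFLOW = f"""\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@{FAKE_SHA} # v4.0.0
  - uses: ./.github/actions/local
  - uses: docker://alpine:3.19
"""
DOCKERFILE = f"""\
FROM node:20-alpine AS build
FROM gcr.io/distroless/nodejs20@sha256:{FAKE_DIGEST}
FROM build AS test
"""
```

Running both functions before and after Renovate's pinning PRs are merged shows which mutable tags remain in the repository.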