Configure Renovate#51

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/configure
Conversation

@renovate renovate Bot commented Jun 3, 2026

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.


Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitLab.com contains a link to the commit-to-commit diff
  • Correctly link to the source code for golang.org/x packages
  • Link to pkg.go.dev/... for golang.org/x packages' title
  • Provide a link to octochangelog's improved breakdown for Renovate's changelogs

What to Expect

It looks like your repository dependencies are already up-to-date and no Pull Requests will be necessary right away.


❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.


This PR was generated by Mend Renovate. View the repository job log.

qtipbera commented Jun 3, 2026

What this PR does

This pins every GitHub Action in this repo's workflows from a mutable tag to an immutable commit SHA — e.g. actions/checkout@v4 becomes actions/checkout@<sha> # v4. Nothing about the build changes: same actions, same versions, just locked to the exact commit they point at today.

Why it matters

A tag like @v4 is mutable. Whoever controls an action's repository — the maintainer, or an attacker who compromises it — can move that tag to point at different code, and your workflow will run that code with no change to your YAML and no warning.

This isn't hypothetical. In March 2025 the widely used tj-actions/changed-files action was compromised (CVE-2025-30066): attackers retroactively repointed its version tags (v1 through v45) to a malicious commit that dumped CI/CD secrets into build logs, affecting roughly 23,000 repositories. Workflows pinned to the tags executed the malicious code. A commit-SHA pin would not have — it runs the exact commit you vetted, regardless of where the tag is later moved.

GitHub Actions execute with access to this repository and its secrets, so this is the cheapest meaningful supply-chain hardening available.

What Renovate is

Renovate is an automated dependency bot (maintained by Mend). Here it is scoped to GitHub Actions only — it does not touch application dependencies. Going forward it watches these actions and surfaces updates for review, so the pinning doesn't silently rot.

Why we don't just run pinact once

pinact is a fine one-shot tool for converting tags to SHAs, but pinning is not a one-time event:

  • New workflows and actions get added over time and arrive unpinned unless someone remembers to re-run the tool — every time, in every repo.
  • Pinned SHAs go stale. A frozen pin misses the action's own security and bug fixes, so something has to track and apply updates.
  • Manual doesn't scale. Across many repos and many contributors, "remember to run pinact" reliably degrades into "half the workflows are unpinned and the rest are a year out of date."

Renovate makes this continuous and hands-off: it pins new actions as they appear and proposes updates so the pins stay current. The bot remembers so people don't have to.

What to expect after this merges

This PR only pins — it bumps no versions. Version updates are handled separately: they appear on this repo's Renovate Dependency Dashboard for a human to opt into, and are not auto-merged. You will not get flooded with PRs.
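As an added audit helper (not part of this PR, Renovate or pinact), the script below classifies every `uses:` reference in a workflow file the way the comment above describes: a 40-hex commit SHA counts as pinned, a tag or branch counts as mutable. It can also rewrite `@tag` to `@<sha> # tag` from a caller-supplied, already-reviewed tag-to-SHA map. The workflow text and the SHA in it are constructed samples.

```python
import re
from typing import NamedTuple, Optional

# One `uses:` line: list dash, optional quote, owner/repo[/path]@ref, optional quote, optional `# comment`.
USES_RE = re.compile(
    r"(?P<prefix>^[ \t]*-?[ \t]*uses:[ \t]*['\"]?)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)"
    r"(?P<quote>['\"]?)(?:[ \t]*#[ \t]*(?P<comment>.*))?$",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable ref form

class ActionRef(NamedTuple):
    action: str
    ref: str
    comment: Optional[str]
    pinned: bool

def audit_workflow(yaml_text: str) -> list:
    """Every remote action reference; local ./path and docker:// steps have no owner/repo@ref and are skipped."""
    return [
        ActionRef(m["action"], m["ref"], m["comment"], bool(SHA_RE.match(m["ref"])))
        for m in USES_RE.finditer(yaml_text)
    ]

def unpinned(yaml_text: str) -> list:
    """The mutable references a reviewer would flag, as 'owner/repo@ref' strings."""
    return [f"{r.action}@{r.ref}" for r in audit_workflow(yaml_text) if not r.pinned]

def pin_workflow(yaml_text: str, resolved: dict) -> str:
    """Rewrite `@tag` to `@<sha> # tag` using `resolved` ('owner/repo@tag' -> reviewed sha).
    Lines already pinned, or whose tag is not in `resolved`, are left untouched."""
    def repl(m: re.Match) -> str:
        key = f"{m['action']}@{m['ref']}"
        if SHA_RE.match(m["ref"]) or key not in resolved:
            return m.group(0)
        return f"{m['prefix']}{m['action']}@{resolved[key]}{m['quote']} # {m['ref']}"
    return USES_RE.sub(repl, yaml_text)

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - name: lint
        uses: "example/lint-action@main"
"""
```

Running `unpinned(SAMPLE_WORKFLOW)` reports the two mutable references; `pin_workflow` with a map for `actions/checkout@v4` pins that one and leaves the rest alone.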

mintlify Bot commented Jun 3, 2026


Preview deployment for your docs. Learn more about Mintlify Previews.

Project: Berachain | Status: 🟢 Ready | Preview: View Preview | Updated (UTC): Jun 3, 2026, 4:54 PM

Copilot AI left a comment

Pull request overview

Adds a Renovate configuration file to onboard and enable automated dependency update PRs in this repository using Renovate’s recommended preset.

Changes:

  • Introduce renovate.json with Renovate schema reference.
  • Extend from config:recommended to apply Renovate’s default recommended behaviors.
