From 3c03e858430f8b71c5dd08399d2b9ab3b7295522 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Fri, 22 May 2026 08:17:52 +0200
Subject: [PATCH 1/2] fix(renovate): exclude first-party netresearch/* from digest pinning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The renovate.json's "Group GitHub Actions" rule had `pinDigests: true` applied to ALL github-actions managers, which included `uses: netresearch/.github/.github/workflows/*@main` refs. Renovate faithfully turned `@main` into `@` four times (commits 9fa7178, 4f38a92, aeb49e5, 309fca0) — each a violation of the org policy that first-party Netresearch reusable workflows must use `@main` (or `@vN` once tagged releases exist), never SHA-pinned. Two changes here:
1. .github/workflows/auto-merge.yml: revert the `uses: netresearch/.github/.../auto-merge-deps.yml@22155f1...` back to `@main`. This is the same reusable; same behaviour.
2. renovate.json: add a packageRule that disables Renovate entirely for github-actions deps matching `^netresearch/`. The `enabled: false` setting means Renovate ignores them — no digest pins, no PRs, no further drift. The earlier wide "Group GitHub Actions" rule still pins third-party SHAs as before (per supply-chain policy). Memory: feedback_no_sha_pin_own_reusables — third-party actions (actions/checkout, docker/build-push-action) DO get SHA-pinned; first-party reusables don't. Different trust models. Discovered while migrating phpbu-docker to the reusable container workflows (PR #123). Sub-agent flagged this as an independent observation rather than bundling it into the migration PR.
Signed-off-by: Sebastian Mendel
---
 .github/workflows/auto-merge.yml | 2 +-
 renovate.json | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 24e819e..67c535e 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -11,7 +11,7 @@ permissions: {}
 jobs:
 auto-merge:
- uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@22155f1bdaf6b0b19a6efb1c40e6778722c62cff # main
+ uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@main
 with:
 safe-updates-only: true
 merge-strategy: rebase
diff --git a/renovate.json b/renovate.json
index 19ea465..05c85ab 100644
--- a/renovate.json
+++ b/renovate.json
@@ -53,6 +53,17 @@
 "groupName": "GitHub Actions",
 "pinDigests": true
 },
+ {
+ "description": "First-party Netresearch reusable workflows: never digest-pin. Org policy is @main (or @vN once tagged releases exist). Distinct from third-party actions which DO get SHA-pinned per supply-chain convention. Without this rule, Renovate's earlier digest-pinning produced commit 309fca0 (auto-merge.yml@) which violates that policy.",
+ "matchManagers": [
+ "github-actions"
+ ],
+ "matchPackagePatterns": [
+ "^netresearch/"
+ ],
+ "pinDigests": false,
+ "enabled": false
+ },
 {
 "description": "Security updates - high priority",
 "matchCategories": [
From c1d02e0f8ce04daf2724b92c6932b8512cdd8473 Mon Sep 17 00:00:00 2001
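Review bot: The `uses:` line now floats on `main` of netresearch/.github, so the code that merges dependency PRs in this repo (with `safe-updates-only: true`) changes whenever that branch does, and nothing on the line tells the next Renovate run or reader that this is deliberate; add a trailing comment, e.g. `uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@main  # first-party reusable: tracks @main by org policy, not SHA-pinned (see renovate.json)`. The control that replaces the digest pin is branch protection on that org repo's `main` (required review, no force-push), which is not visible from this caller and is worth confirming. The removed `# main` suffix was Renovate's own annotation and nothing else in the hunk depends on it.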
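Review bot: `matchPackagePatterns` in the new rule is the older matcher; recent Renovate releases have deprecated it in favour of `matchPackageNames` with slash-delimited regex entries, and although config migration still rewrites the old key (with a warning), `"matchPackageNames": ["/^netresearch\\//"]` is the form that will keep working. `"pinDigests": false` is redundant next to `"enabled": false`, which already stops all processing of the matched dependencies; keep it only as documentation of intent. Note that `enabled: false` also means Renovate will never propose the `@main` to `@vN` move the description anticipates, so that migration will have to be done by hand. Rule order is correct as written: this rule follows the "Group GitHub Actions" rule, so its settings take precedence for `^netresearch/` packages.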
From: Sebastian Mendel
Date: Fri, 22 May 2026 17:47:22 +0200
Subject: [PATCH 2/2] ci(pr-quality): add caller for the org-wide PR Quality Gates reusable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This repo was missing the standard Netresearch PR-quality + auto-approve workflow that other org repos use (netresearch/ofelia, netresearch/ldap-selfservice-password-changer, the t3x-* TYPO3 extensions, etc.). Adding the canonical caller pattern. The reusable provides:
- PR size labeling (warns over 500 lines changed, alerts over 1000)
- Auto-approve for maintainer PRs whose author_association is one of OWNER / MEMBER / COLLABORATOR. Satisfies the "1 approval" gate from this repo's branch protection for routine maintainer work without bypassing the Copilot review (which runs separately via the org-level Copilot ruleset, NOT via this workflow). Caller config matches the pattern used in netresearch/ofelia verbatim (modulo SPDX header) — no caller-side knobs needed.
Signed-off-by: Sebastian Mendel
---
 .github/workflows/pr-quality.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/pr-quality.yml

diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
new file mode 100644
index 0000000..80c2a77
--- /dev/null
+++ b/.github/workflows/pr-quality.yml
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Netresearch DTT GmbH
+#
+# PR Quality Gates — caller for the org-wide reusable workflow.
+# Provides:
+# - PR size labeling (warn over 500 lines, alert over 1000)
+# - Auto-approve for maintainer PRs (OWNER/MEMBER/COLLABORATOR), so the
+# branch-protection "1 approval" gate doesn't block trivial maintainer
+# work; Copilot review still runs separately via the Copilot ruleset.
+# Reusable: netresearch/.github/.github/workflows/pr-quality.yml
+
+name: PR Quality Gates
+
+on:
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
+jobs:
+ quality:
+ uses: netresearch/.github/.github/workflows/pr-quality.yml@main
+ with:
+ auto-approve-maintainers: true
+ permissions:
+ contents: read
+ pull-requests: write
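Review bot: The header comment omits two things the auto-approve path depends on: if the reusable approves with `GITHUB_TOKEN` (not visible from this caller), the repository or organisation Actions setting "Allow GitHub Actions to create and approve pull requests" must be enabled or the approval step fails silently, and because the job triggers on `synchronize`, a maintainer's PR is re-approved after every push, so a "dismiss stale approvals" branch-protection rule no longer forces a fresh human look at late commits. Suggested addition to the header block: `# Prerequisite: "Allow GitHub Actions to create and approve pull requests" must be on; approval is refreshed on every synchronize.` The job-level `permissions:` with `contents: read` and `pull-requests: write` under a top-level `permissions: {}` is the right least-privilege shape, and `pull_request` runs from forks receive a read-only token, so the approval cannot be granted to them.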