renovate.json auto-merges patch/minor updates for devDependencies and the github-actions manager without human review (minimumReleaseAge: 3 days is set).
For a widely-used action this is an aggressive supply-chain posture: an auto-merged compromised dev dependency or action tag could land on main and flow into the published v1 bundle unreviewed.
Options to weigh
- Require review for github-actions updates (and/or pin actions to commit SHAs).
- Keep automerge for low-risk types but add provenance / lockfile-integrity checks.
- Document the accepted risk explicitly if keeping current behavior.
Decision needed on risk tolerance.
Flagged during the AI-native docs revamp; tracked in .agents/known-issues.md (item B).
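As an added illustration of the second and first options together (not the repository's actual renovate.json, which this issue does not reproduce), the configuration below is an assumed reconstruction of the current posture with the github-actions rule hardened: devDependencies patch/minor updates still automerge behind required status checks, while action updates are pinned to commit SHAs and opened as reviewable PRs. The existing rules and the `"automerge": true` on github-actions are assumptions about the current file; `helpers:pinGitHubActionDigests`, `pinDigests`, `automergeType`, `matchDepTypes` and `matchManagers` are standard Renovate options.

```json5
// renovate.json5 (Renovate also reads JSON5, which is what allows these comments)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    // Rewrites `uses: owner/action@v4` to `uses: owner/action@<sha> # v4`,
    // so a moved or re-pushed tag cannot silently change what runs in CI.
    "helpers:pinGitHubActionDigests"
  ],
  // Unchanged from the current posture: ignore releases younger than 3 days.
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      // Kept: low-risk automerge for devDependencies patch/minor updates...
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      // ...but only via a PR that must pass the branch's required checks,
      // never a direct push to main.
      "automerge": true,
      "automergeType": "pr"
    },
    {
      // Changed: the current rule here is assumed to be `"automerge": true`.
      // Action updates now open a PR for human review, and the new commit
      // SHA is visible in the diff instead of a mutable tag.
      "matchManagers": ["github-actions"],
      "automerge": false,
      "pinDigests": true
    }
  ]
}
```

Whichever option is chosen, the risk accepted or mitigated should be written into the same place the tracking note points to, so the reasoning is recoverable when the next dependency update lands.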