From c54c099c6616bde59e5a43a96770334f6fbfa79e Mon Sep 17 00:00:00 2001
From: correctmost <134317971+correctmost@users.noreply.github.com>
Date: Sat, 15 Mar 2025 18:12:14 -0400
Subject: [PATCH] Pin astral-sh/ruff-action to a specific commit

The GitHub docs recommend pinning third-party actions to specific commits for security hardening purposes.
---
 .github/workflows/ruff.yaml | 2 +-
 renovate.json | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ruff.yaml b/.github/workflows/ruff.yaml
index ae7ac8698d..633cb311d9 100644
--- a/.github/workflows/ruff.yaml
+++ b/.github/workflows/ruff.yaml
@@ -5,4 +5,4 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: astral-sh/ruff-action@v3
+ - uses: astral-sh/ruff-action@9828f49eb4cadf267b40eaa330295c412c68c1f9 # v3.2.2
diff --git a/renovate.json b/renovate.json
index 5490c2b9e4..b290fdd625 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,7 +1,8 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "config:base"
+ "config:base",
+ "helpers:pinGitHubActionDigests"
 ],
 "pre-commit": {
 "enabled": true
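Review bot: The context line `- uses: actions/checkout@v4` directly above the change still references a mutable tag, so the workflow is only partly pinned after this commit. The `helpers:pinGitHubActionDigests` preset added in renovate.json will presumably convert it on Renovate's next run, but pinning it here as `- uses: actions/checkout@<full-commit-sha> # <vX.Y.Z>` (placeholder values) would complete the hardening in one step. It is also worth confirming during review that the pinned SHA is a commit in astral-sh/ruff-action itself and matches the v3.2.2 tag named in the trailing comment, since GitHub can resolve commits that exist only in a fork through the parent repository's name. The job definition starts outside this hunk, so its `permissions:` settings are not visible here.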
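Review bot: With `"helpers:pinGitHubActionDigests"` in `extends`, every later SHA change arrives as a Renovate pull request, so the pin is only as strong as the review those pull requests get. The rest of renovate.json lies outside this hunk; if automerge is enabled there for digest or GitHub Actions updates, a tampered upstream release could still be merged without a human looking at it. It is worth confirming that such updates require manual approval.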