From 75293c6aa8b3437d532f73b26878444a4617c48d Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 2 Jun 2026 19:23:56 +0200
Subject: [PATCH] ci(deploy): extend Renovate privileged-digest watch to .gitea/actions

The reload-caddy pinned alpine digest moved out of the workflow files into a composite action. Add .gitea/actions/** to the manual-review digest rule so the digest stays watched and never silently goes stale (#603).

Co-Authored-By: Claude Opus 4.8
---
 renovate.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/renovate.json b/renovate.json
index c95f708e..2b4af645 100644
--- a/renovate.json
+++ b/renovate.json
@@ -14,8 +14,8 @@
 "automerge": false
 },
 {
- "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
- "matchPaths": [".gitea/workflows/**"],
+ "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
+ "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
 "matchUpdateTypes": ["digest"],
 "automerge": false,
 "reviewersFromCodeOwners": false
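Review bot: The added `.gitea/actions/**` entry in `matchPaths` only affects dependencies Renovate already extracts from that directory; a packageRule decides how an update is handled, not whether a file is scanned. If the alpine digest is picked up by a custom/regex manager whose file pattern is limited to `.gitea/workflows/` (not visible in this hunk), that pattern needs the same extension, otherwise this rule matches nothing and the digest goes stale with no PR raised. It is worth confirming on the next Renovate run, via the dependency dashboard or debug log, that the composite action's image is listed as a detected dependency. Separately, recent Renovate releases deprecate `matchPaths` in favour of `matchFileNames`, so if the deployed version supports it the line could read `"matchFileNames": [".gitea/workflows/**", ".gitea/actions/**"]`. The rule object continues past the end of the hunk, so any later rule that might re-enable automerge for digests cannot be checked from here.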