ci(deploy): extend Renovate privileged-digest watch to .gitea/actions

The reload-caddy pinned alpine digest moved out of the workflow files into a composite action. Add .gitea/actions/** to the manual-review digest rule so the digest stays watched and never silently goes stale (#603). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 19:23:56 +02:00
parent 4e9b13c0e4
commit 75293c6aa8
1 changed files with 2 additions and 2 deletions
--- a/renovate.json
+++ b/renovate.json
@@ -14,8 +14,8 @@
      "automerge": false
    },
    {
-      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
-      "matchPaths": [".gitea/workflows/**"],
+      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
+      "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
      "matchUpdateTypes": ["digest"],
      "automerge": false,
      "reviewersFromCodeOwners": false