From e9caa3a1f748f04989f040d3b839ac6a7e23eca9 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 11 May 2026 23:15:05 +0200
Subject: [PATCH] chore(renovate): require manual review for privileged CI image digest bumps

Adds a packageRule matching .gitea/workflows/** digest updates with automerge: false. Digest bumps for images running --privileged --pid=host have root-equivalent host access and must not be auto-merged.

Addresses Nora's review concern on #537.

Co-Authored-By: Claude Sonnet 4.6
---
 renovate.json | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/renovate.json b/renovate.json
index bcb6238b..e4f29762 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,6 +5,13 @@
 "matchPackagePatterns": ["^@tiptap/"],
 "groupName": "tiptap",
 "automerge": false
+ },
+ {
+ "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
+ "matchPaths": [".gitea/workflows/**"],
+ "matchUpdateTypes": ["digest"],
+ "automerge": false,
+ "reviewersFromCodeOwners": false
 }
 ]
 }
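Review bot: `"reviewersFromCodeOwners": false` in the new rule works against the commit's stated goal of forcing manual review: Renovate's default for that option is already false, so the line is either a no-op or, if a preset this file extends turns it on, it switches CODEOWNERS reviewer requests off for exactly the PRs that most need eyes — drop it or set `"reviewersFromCodeOwners": true`, optionally with an explicit `"reviewers": [...]`, because `automerge: false` only leaves the PR open and does not by itself get anyone assigned. `matchPaths` has, as far as I recall, been deprecated in favor of `matchFileNames` since Renovate 36 and may only still work through config migration, so verify against the running version (`"matchFileNames": [".gitea/workflows/**"]`). The rule also covers only `digest` updates; if any privileged-step image is still referenced by tag without a pinned digest, a tag bump for it would not match this rule and would fall back to whatever automerge setting applies elsewhere, so consider widening `matchUpdateTypes` or enabling `pinDigests` for those images. Whether the rule fires at all depends on the manager extracting container images from `.gitea/workflows`, which cannot be confirmed from this diff.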