From b8829df9732deb31bb25703581dbdbf7abb25358 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sat, 23 May 2026 06:53:24 +0200 Subject: [PATCH] fix(renovate): address unresolved review on PR #124 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #124 was merged with two unresolved gemini-code-assist threads on the new netresearch/* packageRule. Both addressed here: 1. (medium) Description referenced a specific past commit (309fca0). The reviewer's point: configuration descriptions should focus on the policy, not the incident. Removed the historical-context sentence; kept the policy + trust-model contrast. 2. (medium) `enabled: false` is heavier than needed and blocks future security advisories on these refs. Switched to relying on `pinDigests: false` alone — Renovate still surfaces vulnerability alerts and (eventually) the @vN tag migration, but never produces the digest-pin PRs that violated org policy. The previous `enabled: false` was a belt-and-suspenders choice during incident remediation. With `pinDigests: false` set, Renovate has no reason to open PRs against `^netresearch/` github-actions refs in the default-update path — the original symptom (Renovate digest-pinning @main) is closed without sacrificing security-alert reachability. Original threads on netresearch/phpbu-docker#124 replied-to and resolved with a link to this PR. Signed-off-by: Sebastian Mendel
---
 renovate.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/renovate.json b/renovate.json
index 05c85ab..69a75a4 100644
--- a/renovate.json
+++ b/renovate.json
@@ -54,15 +54,14 @@
 "pinDigests": true
 },
 {
- "description": "First-party Netresearch reusable workflows: never digest-pin. Org policy is @main (or @vN once tagged releases exist). Distinct from third-party actions which DO get SHA-pinned per supply-chain convention. Without this rule, Renovate's earlier digest-pinning produced commit 309fca0 (auto-merge.yml@) which violates that policy.",
+ "description": "First-party Netresearch reusable workflows: never digest-pin. Org policy is @main (or @vN once tagged releases exist). Distinct from third-party actions, which DO get SHA-pinned per supply-chain convention — different trust models.",
 "matchManagers": [
 "github-actions"
 ],
 "matchPackagePatterns": [
 "^netresearch/"
 ],
- "pinDigests": false,
- "enabled": false
+ "pinDigests": false
 },
 {
 "description": "Security updates - high priority",
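Review bot: Dropping `"enabled": false` leaves this rule resting on `"pinDigests": false` alone, which as far as I know stops Renovate from adding a digest to an `@main` ref but does not suppress `digest` update PRs for any `netresearch/...` reference that is already SHA-pinned in a workflow file, so the "no more digest PRs" claim in the commit message only holds if none of those earlier pins survived — worth checking the repo's workflows before relying on it. If any remain, a narrower companion rule with `"matchUpdateTypes": ["digest"]` and `"enabled": false` for the same `^netresearch/` pattern would silence just those while keeping vulnerability alerts reachable, which is the stated goal. The new description should also record why the rule is deliberately left enabled, so the blanket switch is not re-added during the next incident: `Rule stays enabled on purpose so vulnerability alerts and a future @vN migration still surface; only digest pinning is suppressed.` From a defender's view the description states the policy but not the compensating control that makes an unpinned, mutable `@main` acceptable (presumably branch protection on the referenced repositories) — that belongs in the config text, not only in the commit message. The enclosing `packageRules` array starts and ends outside this hunk.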