chore: Extend shared workos/renovate-config preset

[devin-ai-integration]

Description

Adds the new org-level workos/renovate-config preset to this repo's renovate.json extends array. This is the only diff — all existing packageRules, schedule, dashboard setting, and timezone are preserved.

The preset brings in three policies that were missing locally:

• 7-day minimumReleaseAge with minimumReleaseAgeBehaviour: "timestamp-required". Every dependency update — npm, GitHub Actions, etc. — is gated for at least 7 days after release. Each version waits 7 days individually (not just the latest), so fast-releasing dependencies stay N versions behind rather than getting silently stuck.
• helpers:pinGitHubActionDigests. Any newly-added GitHub Action reference (e.g. actions/checkout@v6) is automatically rewritten to a full commit SHA with a version comment.
• internalChecksFilter: "strict". PRs aren't opened until they pass the cooldown gate (keeps the PR list quiet — pending updates show on the dependency dashboard if enabled).

The preset's automerge packageRules for github-actions are equivalent in shape to the rules already in this file. Because the preset's rules are evaluated first (they appear earlier in the merged config), and Renovate uses last-match-wins for packageRules, this repo's existing github-actions rules continue to govern the actual automerge decisions for this repo. Net behaviour for github-actions: unchanged.

The shared preset lives at https://github.com/workos/renovate-config and any future policy change is a single edit there that propagates to every consuming repo.

Refs SECENG-299.

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] No — internal CI/dependency-management tooling change only.

Link to Devin session: https://app.devin.ai/sessions/337e586a7c3e40ce8da2d048b402e6f5

[devin-ai-integration]

Original prompt from will.porter

'Implement Dependency Management for GitHub Workflow SHA pins' (SECENG-299)

User instruction: @devin lets consider ways to ease the pain of updating the sha pins. Dependabot or renovate configs may be a valid solution. Note that we will want some kind of feature such as minimumReleaseAge to prevent us from adopting workflows that are less than 7 days old. Please present options with pros and cons before implementing anything

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[linear-code]

SECENG-299 Implement Dependency Management for GitHub Workflow SHA pins

[coderabbitai]

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 39 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 706e989d-18d2-42bc-923b-3e19e813af07

📥 Commits

Reviewing files that changed from the base of the PR and between c4793bc and 5c75381.

📒 Files selected for processing (1)

• renovate.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/seceng-299-extend-preset

---

_{Review rate limit: 0/5 reviews remaining, refill in 1 minute and 39 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds "github>workos/renovate-config" to the extends array in renovate.json, placing the shared org-level preset before config:recommended. The preset introduces a 7-day minimumReleaseAge, helpers:pinGitHubActionDigests, and internalChecksFilter: "strict". All existing local packageRules, schedule, timezone, and dashboard settings are preserved unchanged.

Confidence Score: 5/5

Safe to merge — single-line config change that extends a shared org preset with no functional regressions.

The change is minimal (one line added) and the PR description accurately explains the last-match-wins semantics that preserve existing local packageRules behavior. No code paths, secrets, or application logic are affected.

No files require special attention.

Important Files Changed

Filename	Overview
renovate.json	Added github>workos/renovate-config as the first entry in extends; all other settings unchanged. Preset ordering is correct — local packageRules appear last and therefore win over any conflicting preset rules.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Renovate runs"] --> B["Resolve extends in order"]
    B --> C["1. github>workos/renovate-config\n(minimumReleaseAge: 7d,\nhelpers:pinGitHubActionDigests,\ninternalChecksFilter: strict)"]
    C --> D["2. config:recommended\n(base defaults)"]
    D --> E["3. Local renovate.json\n(schedule, timezone, rebaseWhen,\npackageRules — last-match-wins)"]
    E --> F{"packageRules evaluation\n(last match wins)"}
    F --> G["github-actions minor/patch/digest/pinDigest\n→ automerge: true (local rule wins)"]
    F --> H["github-actions major\n→ automerge: false (local rule wins)"]
    F --> I["npm minor/patch\n→ automerge: true (local rule wins)"]
    F --> J["All deps gated\nby 7-day minimumReleaseAge\n(from preset)"]

Loading

_{Reviews (1): Last reviewed commit: "chore: Extend shared workos/renovate-con..." | Re-trigger Greptile}