chore: Extend shared workos/renovate-config preset

[devin-ai-integration]

Description

Adds the new org-level workos/renovate-config preset to this repo's renovate.json extends array. This is the only diff — all existing packageRules, schedule, dashboard setting, and timezone are preserved.

The preset brings in three policies that were missing locally:

• 7-day minimumReleaseAge with minimumReleaseAgeBehaviour: "timestamp-required". Every dependency update — pip, GitHub Actions, etc. — is gated for at least 7 days after release. Each version waits 7 days individually (not just the latest), so fast-releasing dependencies stay N versions behind rather than getting silently stuck.
• helpers:pinGitHubActionDigests. Any newly-added GitHub Action reference (e.g. actions/checkout@v6) is automatically rewritten to a full commit SHA with a version comment.
• internalChecksFilter: "strict". PRs aren't opened until they pass the cooldown gate (keeps the PR list quiet — pending updates show on the dependency dashboard if enabled).

The preset's automerge packageRules for github-actions are equivalent in shape to the rules already in this file. Because the preset's rules are evaluated first (they appear earlier in the merged config), and Renovate uses last-match-wins for packageRules, this repo's existing github-actions rules continue to govern the actual automerge decisions for this repo. Net behaviour for github-actions: unchanged.

The shared preset lives at https://github.com/workos/renovate-config and any future policy change is a single edit there that propagates to every consuming repo.

Refs SECENG-299.

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] No — internal CI/dependency-management tooling change only.

Link to Devin session: https://app.devin.ai/sessions/337e586a7c3e40ce8da2d048b402e6f5

[devin-ai-integration]

Original prompt from will.porter

'Implement Dependency Management for GitHub Workflow SHA pins' (SECENG-299)

User instruction: @devin lets consider ways to ease the pain of updating the sha pins. Dependabot or renovate configs may be a valid solution. Note that we will want some kind of feature such as minimumReleaseAge to prevent us from adopting workflows that are less than 7 days old. Please present options with pros and cons before implementing anything

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[linear-code]

SECENG-299 Implement Dependency Management for GitHub Workflow SHA pins

[greptile-apps]

Greptile Summary

This PR adds the org-level github>workos/renovate-config preset to the extends array in renovate.json, placing it before config:recommended so that config:recommended and local settings retain precedence. The preset introduces a 7-day minimumReleaseAge gate, helpers:pinGitHubActionDigests, and internalChecksFilter: "strict" without affecting the repo's existing schedule, timezone, dashboard setting, or github-actions automerge rules.

Confidence Score: 5/5

Safe to merge — single-line config change with no code impact and well-reasoned preset ordering.

The only change is adding a shared org preset to the extends array. Existing local settings are fully preserved and override the preset as documented. No logic, code, or security-sensitive paths are touched.

No files require special attention.

Important Files Changed

Filename	Overview
renovate.json	Adds github>workos/renovate-config org-level preset before config:recommended in the extends array; all existing local settings are preserved unchanged.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Renovate runs] --> B[Resolve extends array in order]
    B --> C["1. github>workos/renovate-config\n(lowest priority)"]
    C --> D["2. config:recommended\n(overrides #1)"]
    D --> E["3. Local renovate.json settings\n(highest priority — always wins)"]
    E --> F[Merge all packageRules into one list\nlast-match-wins on evaluation]
    F --> G["Shared preset rules evaluated first\n(earlier in merged list)"]
    F --> H["Local packageRules evaluated last\n(win for github-actions automerge)"]
    G --> I[Final Renovate behaviour]
    H --> I
    I --> J["minimumReleaseAge: 7 days\n(from shared preset)"]
    I --> K["schedule: 15th of month\n(from local config)"]
    I --> L["pinGitHubActionDigests\n(from shared preset)"]

Loading

_{Reviews (1): Last reviewed commit: "chore: Extend shared workos/renovate-con..." | Re-trigger Greptile}