From bedd26c36f68f6a3501f69bc2da7b7ae4c83f14b Mon Sep 17 00:00:00 2001
From: "will.porter" <will.porter@workos.com>
Date: Mon, 4 May 2026 18:40:52 +0000
Subject: [PATCH] chore: Extend shared workos/renovate-config preset

Adds the org-level workos/renovate-config preset to the extends array.
This brings in three policies that were missing locally:

- 7-day minimumReleaseAge with timestamp-required behaviour, gating
  every dependency update for at least 7 days after release.
- helpers:pinGitHubActionDigests, so any newly-added GitHub Action
  reference is automatically rewritten to a full commit SHA with a
  version comment.
- internalChecksFilter: strict, so PRs aren't opened until they pass
  the cooldown gate (keeps the PR list quiet).

All existing packageRules continue to apply unchanged (the github-
actions automerge behaviour is preserved by the existing rules
ordered after the preset's).

Refs SECENG-299.
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json b/renovate.json
index b979c359..69bd5ab4 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
+    "github>workos/renovate-config",
     "config:recommended"
   ],
   "dependencyDashboard": false,