Pin GitHub Actions to full vX.Y.Z tags in Renovate (#23570)

* Pin GitHub Actions to full vX.Y.Z tags in Renovate

* Limit Renovate to action depType only

Renovate's github-actions manager also extracts runner versions (runs-on), action input versions (uses-with, e.g. node-version), and container/service images. Scope the action-only rule to matchDepTypes:[action] and explicitly disable every other depType so runner/input/container bumps stay manual.

* Allow Renovate to bump uses-with inputs in same group

Author: AAraKKe

renovate.json

@@ -19,16 +19,39 @@
   ],
   "packageRules": [
     {
+      "description": "Only consider full vX.Y.Z tags upstream so we never pin to a moving major-only tag (e.g. v3, v9). pinact's --check rewrites the trailing comment to the canonical full-semver tag of the SHA, so a v3 comment from Renovate would always fail validation.",
       "matchManagers": [
         "github-actions"
       ],
+      "matchDepTypes": [
+        "action"
+      ],
       "matchFileNames": [
         ".github/workflows/**",
         ".github/actions/tag-job/**"
       ],
       "matchPackageNames": [
         "!dtolnay/rust-toolchain"
       ],
+      "extractVersion": "^(?<version>v\\d+\\.\\d+\\.\\d+)$",
+      "groupName": "actions",
+      "schedule": [
+        "before 6am on Monday"
+      ],
+      "labels": [
+        "renovate/actions",
+        "qa/skip-qa"
+      ],
+      "minimumReleaseAge": "7 days"
+    },
+    {
+      "description": "Allow updates to action input versions (uses-with, e.g. node-version / python-version) without the strict full-semver matcher applied to action tags.",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchDepTypes": [
+        "uses-with"
+      ],
       "groupName": "actions",
       "schedule": [
         "before 6am on Monday"
@@ -40,11 +63,15 @@
       "minimumReleaseAge": "7 days"
     },
     {
+      "description": "Runner versions (runs-on) and container/service/docker images are bumped manually when needed.",
       "matchManagers": [
         "github-actions"
       ],
-      "matchDepNames": [
-        "python"
+      "matchDepTypes": [
+        "github-runner",
+        "docker",
+        "container",
+        "service"
       ],
       "enabled": false
     },