review-renovate

# Review Renovate GitHub Actions PRs You are reviewing a Renovate bot PR that updates GitHub Actions dependencies. Your job is to verify supply chain integrity and ensure the upgrades won't break CI/CD workflows. ## Inputs You will be given a PR number or URL. Use `gh` CLI to fetch PR details and diff. ## Steps ### 1. Fetch PR metadata and diff ``` gh pr view <PR> --json title,body,files,commits,author,headRefName gh pr diff <PR> ``` Confirm the PR author is `app/renovate`. If not, flag this immediately — it may not be an automated dependency update. ### 2. Identify all action version changes From the diff, extract each changed action: - Full action name (e.g., `oven-sh/setup-bun`) - Old version tag and pinned SHA - New version tag and pinned SHA - Update type (patch, minor, major) ### 3. Verify pinned SHAs against upstream tags For every action being updated, verify **both old and new** SHAs match the claimed version tags: ``` gh api repos/{owner}/{repo}/git/ref/tags/{version} --jq '.object.sha' ``` Compare each result against the SHA in the workflow file. If any SHA does not match, **stop and report a supply chain integrity failure**. Do not approve the PR. ### 4. Review changelogs for breaking changes From the PR body (Renovate includes release notes), check each updated action for: - Removed inputs or outputs that the workflows currently use - Changed default behavior for inputs the workflows rely on - New required inputs - Major version bumps (these almost...