diggsweden · brorlarsnicklas · Oct 21, 2025 · Oct 19, 2025 · Oct 19, 2025 · Oct 20, 2025
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+---
+name: OpenSSF Scorecard Analysis
+on:
+  schedule:
+    # Saturdays at 02:20 UTC
+    - cron: "20 2 * * 6"
+    # Wednesdays at 02:20 UTC
+    - cron: "20 2 * * 3"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  scorecard-analysis:
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
+    with:
+      publish-results: true
diff --git a/.github/workflows/openssfscorecard.yml b/.github/workflows/openssfscorecard.yml
diff --git a/.github/workflows/pullrequest-workflow.yml b/.github/workflows/pullrequest-workflow.yml
@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   pr-checks:
-    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     secrets: inherit  # Pass org-level secrets (NPM token if private packages)
     permissions:
       contents: read         # Clone repository and read source code

diff --git a/.github/workflows/release-dev-workflow.yml b/.github/workflows/release-dev-workflow.yml
@@ -31,7 +31,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     with:
       project-type: npm
       package-scope: "@diggsweden"

diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml
@@ -24,7 +24,7 @@ permissions:
 
 jobs:
   release:
-    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@v2
+    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     permissions:
       contents: write         # Create GitHub releases, push changelog commits
       packages: write         # Publish to GitHub Packages

diff --git a/renovate.json b/renovate.json
@@ -1,29 +1,13 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "osvVulnerabilityAlerts": true,
-  "dependencyDashboardOSVVulnerabilitySummary": "all",
   "extends": [
-    "config:best-practices",
-    "workarounds:all",
-    "security:openssf-scorecard",
-    ":configMigration",
-    ":dependencyDashboard",
-    ":gitSignOff",
-    ":maintainLockFilesWeekly",
-    ":automergePatch",
-    ":semanticCommits",
-    "security:minimumReleaseAgeNpm",
-    ":rebaseStalePrs",
-    ":semanticCommitTypeAll(chore)",
-    "mergeConfidence:all-badges"
+    "local>diggsweden/.github:renovate-base",
+    ":maintainLockFilesWeekly"
+  ],
+  "enabledManagers": [
+    "github-actions",
+    "npm"
   ],
-  "commitMessageLowerCase": "auto",
-  "minimumReleaseAge": "7 days",
-  "labels": ["dependencies"],
-  "vulnerabilityAlerts": {
-    "labels": ["security", "dependencies"]
-  },
-  "timezone": "Europe/Stockholm",
   "platformAutomerge": false,
   "automergeSchedule": ["0 9-21 * * 6"],
   "packageRules": [
@@ -32,17 +16,6 @@
       "matchUpdateTypes": ["patch"],
       "automerge": true
     },
-    {
-      "matchManagers": ["github-actions"],
-      "addLabels": ["actions"],
-      "pinDigests": true,
-      "groupName": "github actions"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["slsa-framework/slsa-github-generator"],
-      "pinDigests": false
-    },
     {
       "description": "Node.js dependencies - Major updates",
       "matchManagers": ["npm"],