From 9d1e8be410e3a2d5ec19ba8c311527cd27b010b8 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 3 Dec 2025 15:02:08 +0000
Subject: [PATCH] chore(deps): Renovate: restrict actions/checkout updates to <5.0.0 and require manual review for major GH Actions upgrades
---
 .github/renovate.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/renovate.json b/.github/renovate.json
index cd662b7f..7a952789 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -44,6 +44,23 @@
 "matchUpdateTypes": ["minor", "patch"],
 "automerge": true
 },
+ {
+ "description": "Limit actions/checkout to stable v4.x updates and block auto-upgrade to v5/v6",
+ "matchManagers": ["github-actions"],
+ "matchPackageNames": ["actions/checkout"],
+ "allowedVersions": "<5.0.0",
+ "automerge": false,
+ "matchUpdateTypes": ["minor", "patch"],
+ "labels": ["dependencies", "github-actions", "manual-review"]
+ },
+ {
+ "description": "Do not auto-upgrade other github-actions majors without review",
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["major"],
+ "automerge": false,
+ "labels": ["dependencies", "github-actions", "manual-review"],
+ "prPriority": 0
+ },
 {
 "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
 "matchManagers": ["dockerfile"],
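Review bot: The `actions/checkout` rule combines `allowedVersions` with `matchUpdateTypes: ["minor", "patch"]`, so the `<5.0.0` cap is scoped to minor/patch updates only, and a v5 or v6 major would fall through to the second rule, which only labels it and disables automerge. As far as I recall, Renovate's config validation also rejects `allowedVersions` together with `matchUpdateTypes`, because version filtering happens before the update type is known, so this file is worth running through `renovate-config-validator` before merging. To actually hold checkout below v5, drop `"matchUpdateTypes": ["minor", "patch"],` from the first rule and keep `"allowedVersions": "<5.0.0"` with `"automerge": false`. The `packageRules` array starts and ends outside the hunk, so how these rules interact with earlier ones is not visible here.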