From 10f087c110bcfe9b37d546998ff483214897738a Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Mon, 18 May 2026 10:03:16 +0100
Subject: [PATCH] chore(repo): Pin renovate config validator version

This pins the validator version and removes the unnecessary init step to harden against supply chain compromises. In the previous workflow we would fetch the latest version and bypass other security mechanisms we have around dependency management.
---
 .github/workflows/validate-renovate-config.yml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/.github/workflows/validate-renovate-config.yml b/.github/workflows/validate-renovate-config.yml
index 794ba4339e6..66457fdf58a 100644
--- a/.github/workflows/validate-renovate-config.yml
+++ b/.github/workflows/validate-renovate-config.yml
@@ -16,14 +16,5 @@ jobs:
 - name: Checkout repo
 uses: actions/checkout@v4
 
- - name: Setup
- id: config
- uses: ./.github/actions/init
- with:
- cache-enabled: true
- turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
- turbo-team: ${{ vars.TURBO_TEAM }}
- turbo-token: ${{ secrets.TURBO_TOKEN }}
-
 - name: Validate Renovate Config
- run: npx --yes --package renovate@latest renovate-config-validator
+ run: npx --yes --package renovate@43.150.0 renovate-config-validator
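Review bot: The pin on the new `run:` line fixes only the top-level `renovate@43.150.0`; `npx` still resolves that package's transitive dependencies from the registry at run time, with no lockfile or integrity record, so a compromised transitive release can still reach this job. If the repository's lockfile-based controls are the mechanism the description refers to, consider declaring renovate as a dev dependency and running the validator from the locked install; otherwise record the residual risk above the step, e.g. `# Version pinned on purpose; npx still resolves transitive deps at run time`. With the `./.github/actions/init` step removed, the job also appears to rely on whatever Node/npx the runner image ships, which is worth confirming against the requirements of the pinned renovate version. The `jobs:` block starts outside the hunk, so the job's `permissions:` and triggers are not visible here.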