Pin workflows and add minimum release age (#1854)

.github/workflows/pin-check.yaml

@@ -0,0 +1,16 @@
+name: Pin Check
+on:
+  workflow_dispatch:
+  pull_request: { paths: [.github/**] }
+permissions:
+    contents: read
+jobs:
+  pin-check:
+    name: Pin Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Pin Check
+        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+        with: { skip_push: true }

.github/workflows/release.yaml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v5
-      - uses: pnpm/action-setup@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
       - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24 # NPM v11.5.1 or later is required for OIDC, which ships with node v24
           cache: 'pnpm'
@@ -30,7 +30,7 @@ jobs:
         run: pnpm install
       - name: Create Release Pull Request or Publish to npm
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
         with:
           publish: pnpm ci:publish
         env:

.github/workflows/size-limit.yaml

@@ -10,16 +10,16 @@ jobs:
     env:
       CI_JOB_NUMBER: 1
     steps:
-      - uses: actions/checkout@v5
-      - uses: pnpm/action-setup@v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
       - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           cache: 'pnpm'
       - name: Install dependencies
         run: pnpm install
-      - uses: andresz1/size-limit-action@v1.8.0
+      - uses: andresz1/size-limit-action@94bc357df29c36c8f8d50ea497c3e225c3c95d1d # v1.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           script: npx size-limit --json

.github/workflows/test.yaml

@@ -9,10 +9,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
-    - uses: pnpm/action-setup@v4
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+    - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
     - name: Use Node.js 24
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
       with:
         node-version: 24
         cache: 'pnpm'

renovate.json

@@ -2,6 +2,7 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:base"],
   "schedule": "before 6am on the first day of the month",
+  "minimumReleaseAge": "2 weeks",
   "packageRules": [
     {
       "matchDepTypes": ["devDependencies"],
@@ -12,7 +13,8 @@
       "matchSourceUrlPrefixes": ["https://github.com/livekit/"],
       "rangeStrategy": "replace",
       "groupName": "LiveKit dependencies",
-      "automerge": true
+      "automerge": true,
+      "minimumReleaseAge": null
     },
     {
       "matchPackageNames": ["typescript"],