RUST-141 Disable pin/rollback updates for SonarSource GitHub Actions #232

Merged
saberduck merged 2 commits into master from fix/disable-sonar-actions-pin-updates
May 4, 2026

@saberduck
Contributor

  • Adds a `packageRule` to disable `pin` and `rollback` update types for `SonarSource/*` GitHub Actions
  • Prevents Renovate from recreating PRs that replace `@v3` tags with exact versions
  • Pattern from SonarSource/renovate-config#122

@saberduck saberduck requested a review from a team as a code owner April 30, 2026 15:12

sonar-review-alpha Bot commented Apr 30, 2026

Summary

This PR adds a packageRule to Renovate that disables pin and rollback updates for SonarSource GitHub Actions (matching both SonarSource/* and sonarsource/*). This prevents Renovate from automatically replacing semantic version tags like @v3 with exact pinned versions, which would otherwise create unnecessary PRs. The change also updates the extends configuration to use the languages-team branch of the shared renovate-config instead of the local reference.

The rationale is that keeping SonarSource actions on stable major version tags (e.g., @v3) is preferable to pinned exact versions, allowing automatic receipt of patch and minor updates while maintaining flexibility.

What reviewers should know

Key file to review: renovate.json — the new packageRule (lines 102–117) is added alongside existing rules that group and manage GitHub Actions updates.

What reviewers should focus on:

  • The new packageRule matches both SonarSource/* and sonarsource/* to handle case variations
  • The enabled: false disables only pin and rollback types; other update types (patch, minor, major) remain enabled
  • The extends config change from local> to github>SonarSource/renovate-config:languages-team is a separate alignment; verify this branch exists in the shared renovate-config repo if unfamiliar

Non-obvious detail: This rule sits after an earlier rule that groups "all Sonar GitHub Actions," so ordering matters — the more specific rule (disabling pin/rollback) takes precedence for SonarSource packages.


@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Disable pin/rollback updates for SonarSource GitHub Actions RUST-141 Disable pin/rollback updates for SonarSource GitHub Actions Apr 30, 2026
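
An added example (not part of this PR or of SonarSource's configuration): a small Python audit that lists how SonarSource actions are referenced in a workflow file, separating the floating `@v3`-style tags this PR keeps from exact versions. It goes slightly beyond the thread by also recognising full commit SHAs; the action name `example-scan-action` and the sample workflow are constructed.

```python
import re

# "uses: owner/repo[/path]@ref" in a workflow step. Local ("./...") and
# docker:// references do not have this form and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")      # e.g. v3.1.0
FLOATING_RE = re.compile(r"^v?\d+(\.\d+)?$")     # e.g. v3 or v3.1


def classify_ref(ref):
    """Return how tightly an action reference is pinned."""
    if SHA_RE.match(ref):
        return "commit-sha"
    if EXACT_RE.match(ref):
        return "exact-version"
    if FLOATING_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def audit(workflow_text, owner="sonarsource"):
    """List (line, action, ref, kind) for actions owned by `owner`.

    The owner comparison is case-insensitive, mirroring the rule in this PR
    that matches both SonarSource/* and sonarsource/*.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.split("/")[0].lower() != owner.lower():
            continue
        findings.append((lineno, action, ref, classify_ref(ref)))
    return findings


# Constructed sample workflow; example-scan-action is a placeholder name.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: SonarSource/example-scan-action@v3
      - uses: sonarsource/example-scan-action@v3.1.0
      - name: pinned
        uses: SonarSource/example-scan-action@0123456789abcdef0123456789abcdef01234567 # v3.1.0
      - uses: ./.github/actions/local
"""
```

Calling `audit(SAMPLE)` returns one tuple per SonarSource reference, so a repository can check that the tags Renovate is told to leave alone are the ones actually in use.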

hashicorp-vault-sonar-prod Bot commented Apr 30, 2026

RUST-141

sonar-review-alpha[bot]

This comment was marked as resolved.

@saberduck saberduck force-pushed the fix/disable-sonar-actions-pin-updates branch from e7b2e8c to 1fda287 Compare April 30, 2026 20:26
sonar-review-alpha[bot]

This comment was marked as outdated.

Contributor

@sebastien-marichal sebastien-marichal left a comment

LGTM!
I don't think we have the config on sonar-skunk
Saw the PR on FPS and sonar-skunk

Comment thread renovate.json Outdated

@sonar-review-alpha sonar-review-alpha Bot left a comment

Single question before approving: does the languages-team preset in SonarSource/renovate-config already include the pin/rollback disable rule added in the previous commit? If so, the local packageRules entry at lines 102–116 is redundant and can be removed — no harm having it twice, but it will silently drift if the centralized rule ever changes scope.

Comment thread renovate.json
@saberduck saberduck enabled auto-merge (squash) May 4, 2026 14:59

sonarqube-next Bot commented May 4, 2026

Quality Gate passed for 'sonar-rust'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

@saberduck saberduck merged commit 522c238 into master May 4, 2026
12 checks passed
@saberduck saberduck deleted the fix/disable-sonar-actions-pin-updates branch May 4, 2026 15:07