chore: git cache cleanup

.github/renovate.json

@@ -0,0 +1,224 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    ":separateMultipleMajorReleases",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranches": [
+    "feature/beta-release",
+    "development"
+
+  ],
+  "timezone": "America/New_York",
+  "dependencyDashboard": true,
+  "dependencyDashboardApproval": true,
+  "prConcurrentLimit": 10,
+  "prHourlyLimit": 0,
+  "labels": [
+    "dependencies"
+  ],
+
+  "ignorePaths": [
+    ".docker/**"
+  ],
+
+  "rebaseWhen": "auto",
+
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+
+  "rangeStrategy": "bump",
+  "automerge": false,
+  "automergeType": "pr",
+  "platformAutomerge": true,
+
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track caddy-security plugin version in Dockerfile",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/greenpau/caddy-security",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
+      ],
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Alpine base image digest in Dockerfile for security updates",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG CADDY_IMAGE=alpine:(?<currentValue>[^\\s@]+@sha256:[a-f0-9]+)"
+      ],
+      "depNameTemplate": "alpine",
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Delve version in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/go-delve/delve",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track xcaddy version in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/caddyserver/xcaddy",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track govulncheck version in scripts",
+      "managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
+      "matchStrings": [
+        "govulncheck@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/vuln",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track gopls version in Go install script",
+      "managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
+      "matchStrings": [
+        "gopls@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/tools",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Go toolchain version in go.work for the dl shim",
+      "managerFilePatterns": ["/^go\\.work$/"],
+      "matchStrings": [
+        "^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
+      ],
+      "depNameTemplate": "golang/go",
+      "datasourceTemplate": "golang-version",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track GO_VERSION in Actions workflows",
+      "managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
+      "matchStrings": [
+        "GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
+      ],
+      "depNameTemplate": "golang/go",
+      "datasourceTemplate": "golang-version",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Syft version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/nightly-build\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
+        "set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/syft",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Grype version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/supply-chain-pr\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
+        "set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/grype",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    }
+  ],
+
+  "packageRules": [
+    {
+      "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
+      "matchPackagePatterns": ["*"],
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "groupName": "non-major-updates"
+    },
+        {
+      "description": "Feature branches: Auto-merge non-major updates after proven stable",
+      "matchBaseBranches": ["feature/**"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": false
+    },
+    {
+      "description": "Development branch: Auto-merge non-major updates after proven stable",
+      "matchBaseBranches": ["development"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": false,
+      "minimumReleaseAge": "14 days"
+    },
+    {
+      "description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",
+      "matchManagers": ["custom.regex"],
+      "matchFileNames": ["Dockerfile"],
+      "labels": ["caddy-patch", "security"],
+      "matchPackageNames": [
+        "/expr-lang/expr/",
+        "/quic-go/quic-go/",
+        "/smallstep/certificates/"
+      ]
+    },
+    {
+      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
+      "matchManagers": ["dockerfile"],
+      "matchPackageNames": ["caddy"],
+      "allowedVersions": "<3.0.0"
+    },
+    {
+      "description": "Safety: Keep MAJOR updates separate and require manual review",
+      "matchUpdateTypes": ["major"],
+      "automerge": false,
+      "labels": ["manual-review"]
+    }
+  ]
+}