{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended", ":semanticCommits", ":separateMultipleMajorReleases", "helpers:pinGitHubActionDigests" ], "baseBranchPatterns": [ "feature/beta-release", "development" ], "postUpdateOptions": ["npmDedupe"], "timezone": "America/New_York", "dependencyDashboard": true, "dependencyDashboardApproval": true, "prConcurrentLimit": 10, "prHourlyLimit": 0, "labels": [ "dependencies" ], "ignorePaths": [ ".docker/**" ], "rebaseWhen": "auto", "vulnerabilityAlerts": { "enabled": true, "dependencyDashboardApproval": false, "automerge": false, "labels": ["security", "vulnerability"] }, "rangeStrategy": "bump", "automerge": false, "automergeType": "pr", "platformAutomerge": true, "customManagers": [ { "customType": "regex", "description": "Track caddy-security plugin version in Dockerfile", "managerFilePatterns": [ "/^Dockerfile$/" ], "matchStrings": [ "ARG CADDY_SECURITY_VERSION=(?[^\\s]+)" ], "depNameTemplate": "github.com/greenpau/caddy-security", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes", "managerFilePatterns": [ "/^Dockerfile$/" ], "matchStrings": [ "#\\s*renovate:\\s*datasource=go\\s+depName=(?[^\\s]+)\\s*\\n\\s*go get (?[^@]+)@v(?[^\\s|]+)" ], "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track Alpine base image digest in Dockerfile for security updates", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?[^@\\s]+)@(?sha256:[a-f0-9]+)" ], "depNameTemplate": "alpine", "datasourceTemplate": "docker", "versioningTemplate": "docker" }, { "customType": "regex", "description": "Track Go toolchain version ARG in Dockerfile", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?[^\\s]+)" ], "depNameTemplate": "golang", "datasourceTemplate": "docker", "versioningTemplate": "docker" }, { "customType": "regex", "description": "Track expr-lang version ARG in Dockerfile", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?[^\\s]+)" ], "depNameTemplate": "github.com/expr-lang/expr", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track golang.org/x/net version ARG in Dockerfile", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?[^\\s]+)" ], "depNameTemplate": "golang.org/x/net", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track Delve version in Dockerfile", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "ARG DLV_VERSION=(?[^\\s]+)" ], "depNameTemplate": "github.com/go-delve/delve", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track xcaddy version in Dockerfile", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "ARG XCADDY_VERSION=(?[^\\s]+)" ], "depNameTemplate": "github.com/caddyserver/xcaddy", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track gotestsum version in codecov workflow", "managerFilePatterns": [ "/^\\.github/workflows/codecov-upload\\.yml$/" ], "matchStrings": [ "gotestsum@v(?[^\\s]+)" ], "depNameTemplate": "gotest.tools/gotestsum", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track gotestsum version in quality checks workflow", "managerFilePatterns": [ "/^\\.github/workflows/quality-checks\\.yml$/" ], "matchStrings": [ "gotestsum@v(?[^\\s]+)" ], "depNameTemplate": "gotest.tools/gotestsum", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track govulncheck version in scripts", "managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"], "matchStrings": [ "govulncheck@v(?[^\\s]+)" ], "depNameTemplate": "golang.org/x/vuln", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track gopls version in Go install script", "managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"], "matchStrings": [ "gopls@v(?[^\\s]+)" ], "depNameTemplate": "golang.org/x/tools", "datasourceTemplate": "go", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track Go toolchain version in go.work for the dl shim", "managerFilePatterns": ["/^go\\.work$/"], "matchStrings": [ "^go (?\\d+\\.\\d+\\.\\d+)$" ], "depNameTemplate": "golang/go", "datasourceTemplate": "golang-version", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track GO_VERSION in Actions workflows", "managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"], "matchStrings": [ "GO_VERSION: ['\"]?(?[\\d\\.]+)['\"]?" ], "depNameTemplate": "golang/go", "datasourceTemplate": "golang-version", "versioningTemplate": "semver" }, { "customType": "regex", "description": "Track Syft version in workflows and scripts", "managerFilePatterns": [ "/^\\.github/workflows/nightly-build\\.yml$/", "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/" ], "matchStrings": [ "SYFT_VERSION=\\\"v(?[^\\\"\\s]+)\\\"", "set_default_env \\\"SYFT_VERSION\\\" \\\"v(?[^\\\"]+)\\\"" ], "depNameTemplate": "anchore/syft", "datasourceTemplate": "github-releases", "versioningTemplate": "semver", "extractVersionTemplate": "^v(?.*)$" }, { "customType": "regex", "description": "Track Grype version in workflows and scripts", "managerFilePatterns": [ "/^\\.github/workflows/supply-chain-pr\\.yml$/", "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/" ], "matchStrings": [ "anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?[0-9]+\\.[0-9]+\\.[0-9]+)", "set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?[^\\\"]+)\\\"" ], "depNameTemplate": "anchore/grype", "datasourceTemplate": "github-releases", "versioningTemplate": "semver", "extractVersionTemplate": "^v(?.*)$" }, { "customType": "regex", "description": "Track go-version in skill example workflows", "managerFilePatterns": ["/^\\.github/skills/examples/.*\\.yml$/"], "matchStrings": [ "go-version: [\"']?(?[\\d\\.]+)[\"']?" ], "depNameTemplate": "golang/go", "datasourceTemplate": "golang-version", "versioningTemplate": "semver" } ], "github-actions": { "managerFilePatterns": [ "/^\\.github/skills/examples/.*\\.ya?ml$/" ] }, "packageRules": [ { "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR", "matchUpdateTypes": [ "minor", "patch", "pin", "digest" ], "groupName": "non-major-updates", "matchPackageNames": [ "*" ] }, { "description": "Feature branches: Auto-merge non-major updates after proven stable", "matchBaseBranches": ["feature/**"], "matchUpdateTypes": ["minor", "patch", "pin", "digest"], "automerge": false }, { "description": "Development branch: Auto-merge non-major updates after proven stable", "matchBaseBranches": ["development"], "matchUpdateTypes": ["minor", "patch", "pin", "digest"], "automerge": false, "minimumReleaseAge": "14 days" }, { "description": "Preserve your custom Caddy patch labels but allow them to group into a single PR", "matchManagers": ["custom.regex"], "matchFileNames": ["Dockerfile"], "labels": ["caddy-patch", "security"], "matchPackageNames": [ "/expr-lang/expr/", "/quic-go/quic-go/", "/smallstep/certificates/" ] }, { "description": "Docker: keep Caddy within v2 (no automatic jump to v3)", "matchManagers": ["dockerfile"], "matchPackageNames": ["caddy"], "allowedVersions": "<3.0.0" }, { "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path)", "matchDatasources": ["go"], "matchPackageNames": ["github.com/jackc/pgx/v4"], "allowedVersions": "<5.0.0" }, { "description": "Go: keep go-jose/v3 within v3 (v4 is a different Go module path)", "matchDatasources": ["go"], "matchPackageNames": ["github.com/go-jose/go-jose/v3"], "allowedVersions": "<4.0.0" }, { "description": "Go: keep go-jose/v4 within v4 (v5 would be a different Go module path)", "matchDatasources": ["go"], "matchPackageNames": ["github.com/go-jose/go-jose/v4"], "allowedVersions": "<5.0.0" }, { "description": "Safety: Keep MAJOR updates separate and require manual review", "matchUpdateTypes": ["major"], "automerge": false, "labels": ["manual-review"] }, { "description": "Fix Renovate lookup for geoip2-golang v2 module path", "matchDatasources": ["go"], "matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"], "sourceUrl": "https://github.com/oschwald/geoip2-golang" }, { "description": "Fix Renovate lookup for google/uuid", "matchDatasources": ["go"], "matchPackageNames": ["github.com/google/uuid"], "sourceUrl": "https://github.com/google/uuid" } ] }