{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":separateMultipleMajorReleases",
    "helpers:pinGitHubActionDigests"
  ],
  "baseBranches": ["development"],
  "timezone": "UTC",
  "dependencyDashboard": true,
  "prConcurrentLimit": 10,
  "prHourlyLimit": 5,
  "labels": ["dependencies"],
  "rebaseWhen": "conflicted",
  "vulnerabilityAlerts": { "enabled": true },
  "schedule": ["every weekday"],
  "rangeStrategy": "bump",
  "customManagers": [
    {
      "customType": "regex",
      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
      "fileMatch": ["^Dockerfile$"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
      ],
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    }
  ],
  "packageRules": [
    {
      "description": "Caddy transitive dependency patches in Dockerfile",
      "matchManagers": ["regex"],
      "matchFileNames": ["Dockerfile"],
      "matchPackagePatterns": ["expr-lang/expr", "quic-go/quic-go", "smallstep/certificates"],
      "labels": ["dependencies", "caddy-patch", "security"],
      "automerge": true
    },
    {
      "description": "Automerge safe patch updates",
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "description": "Frontend npm: automerge minor for devDependencies",
      "matchManagers": ["npm"],
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "labels": ["dependencies", "npm"]
    },
    {
      "description": "Backend Go modules",
      "matchManagers": ["gomod"],
      "labels": ["dependencies", "go"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": false
    },
    {
      "description": "GitHub Actions updates",
      "matchManagers": ["github-actions"],
      "labels": ["dependencies", "github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "actions/checkout",
      "matchManagers": ["github-actions"],
      "matchPackageNames": ["actions/checkout"],
      "automerge": false,
      "matchUpdateTypes": ["minor", "patch"],
      "labels": ["dependencies", "github-actions", "manual-review"]
    },
    {
      "description": "Do not auto-upgrade other github-actions majors without review",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "github-actions", "manual-review"],
      "prPriority": 0
    },
    {
      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["caddy"],
      "allowedVersions": "<3.0.0",
      "labels": ["dependencies", "docker"],
      "automerge": true,
      "extractVersion": "^(?<version>\\d+\\.\\d+\\.\\d+)",
      "versioning": "semver"
    },
    {
      "description": "Group non-breaking npm minor/patch",
      "matchManagers": ["npm"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "npm minor/patch",
      "prPriority": -1
    },
    {
      "description": "Group docker base minor/patch",
      "matchManagers": ["dockerfile"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "docker base updates",
      "prPriority": -1
    }
  ]
}