{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended", ":semanticCommits", ":separateMultipleMajorReleases", "helpers:pinGitHubActionDigests" ], "baseBranches": [ "development", "feature/beta-release" ], "timezone": "America/New_York", "dependencyDashboard": true, "prConcurrentLimit": 10, "prHourlyLimit": 0, "labels": [ "dependencies" ], "rebaseWhen": "auto", "vulnerabilityAlerts": { "enabled": true }, "schedule": [ "before 8am on monday" ], "rangeStrategy": "bump", "automerge": true, "automergeType": "pr", "platformAutomerge": true, "customManagers": [ { "customType": "regex", "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes", "managerFilePatterns": [ "/^Dockerfile$/" ], "matchStrings": [ "#\\s*renovate:\\s*datasource=go\\s+depName=(?[^\\s]+)\\s*\\n\\s*go get (?[^@]+)@v(?[^\\s|]+)" ], "datasourceTemplate": "go", "versioningTemplate": "semver" } ], "packageRules": [ { "description": "THE MEGAZORD: Group ALL non-major updates (minor, patch, pin, digest across NPM, Docker, Go, Actions) into one weekly automerged PR", "matchPackagePatterns": ["*"], "matchUpdateTypes": [ "minor", "patch", "pin", "digest" ], "groupName": "weekly-non-major-updates", "automerge": true }, { "description": "Keep the caddy-patch and security labels on the custom Caddy patch dependencies while still letting them group into the weekly PR", "matchManagers": ["custom.regex"], "matchFileNames": ["Dockerfile"], "labels": ["caddy-patch", "security"], "matchPackageNames": [ "/expr-lang/expr/", "/quic-go/quic-go/", "/smallstep/certificates/" ] }, { "description": "Docker: keep Caddy within v2 (no automatic jump to v3)", "matchManagers": ["dockerfile"], "matchPackageNames": ["caddy"], "allowedVersions": "<3.0.0" }, { "description": "Safety: Keep MAJOR updates separate and require manual review", "matchUpdateTypes": ["major"], "automerge": false, "labels": ["manual-review"] } ] }