{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended", ":semanticCommits", ":separateMultipleMajorReleases", "helpers:pinGitHubActionDigests" ], "baseBranchPatterns": [ "development" ], "timezone": "UTC", "dependencyDashboard": true, "prConcurrentLimit": 10, "prHourlyLimit": 5, "labels": [ "dependencies" ], "rebaseWhen": "conflicted", "vulnerabilityAlerts": { "enabled": true }, "schedule": [ "before 4am on Monday" ], "rangeStrategy": "bump", "automerge": true, "automergeType": "pr", "platformAutomerge": true, "customManagers": [ { "customType": "regex", "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes", "managerFilePatterns": [ "/^Dockerfile$/" ], "matchStrings": [ "#\\s*renovate:\\s*datasource=go\\s+depName=(?[^\\s]+)\\s*\\n\\s*go get (?[^@]+)@v(?[^\\s|]+)" ], "datasourceTemplate": "go", "versioningTemplate": "semver" } ], "packageRules": [ { "description": "Automerge digest updates (action pins, Docker SHAs)", "matchUpdateTypes": [ "digest", "pin" ], "automerge": true }, { "description": "Caddy transitive dependency patches in Dockerfile", "matchManagers": [ "custom.regex" ], "matchFileNames": [ "Dockerfile" ], "labels": [ "dependencies", "caddy-patch", "security" ], "automerge": true, "matchPackageNames": [ "/expr-lang/expr/", "/quic-go/quic-go/", "/smallstep/certificates/" ] }, { "description": "Automerge safe patch updates", "matchUpdateTypes": [ "patch" ], "automerge": true }, { "description": "Frontend npm: automerge minor for devDependencies", "matchManagers": [ "npm" ], "matchDepTypes": [ "devDependencies" ], "matchUpdateTypes": [ "minor", "patch" ], "automerge": true, "labels": [ "dependencies", "npm" ] }, { "description": "Backend Go modules", "matchManagers": [ "gomod" ], "labels": [ "dependencies", "go" ], "matchUpdateTypes": [ "minor", "patch" ], "automerge": true }, { "description": "GitHub Actions updates", "matchManagers": [ "github-actions" ], "labels": [ "dependencies", "github-actions" ], "matchUpdateTypes": [ "minor", "patch" ], "automerge": true }, { "description": "actions/checkout", "matchManagers": [ "github-actions" ], "matchPackageNames": [ "actions/checkout" ], "automerge": false, "matchUpdateTypes": [ "minor", "patch" ], "labels": [ "dependencies", "github-actions", "manual-review" ] }, { "description": "Do not auto-upgrade other github-actions majors without review", "matchManagers": [ "github-actions" ], "matchUpdateTypes": [ "major" ], "automerge": false, "labels": [ "dependencies", "github-actions", "manual-review" ], "prPriority": 0 }, { "description": "Docker: keep Caddy within v2 (no automatic jump to v3)", "matchManagers": [ "dockerfile" ], "matchPackageNames": [ "caddy" ], "allowedVersions": "<3.0.0", "labels": [ "dependencies", "docker" ], "automerge": true, "extractVersion": "^(?\\d+\\.\\d+\\.\\d+)", "versioning": "semver" }, { "description": "Group non-breaking npm minor/patch", "matchManagers": [ "npm" ], "matchUpdateTypes": [ "minor", "patch" ], "groupName": "npm minor/patch", "prPriority": -1 }, { "description": "Group docker base minor/patch", "matchManagers": [ "dockerfile" ], "matchUpdateTypes": [ "minor", "patch" ], "groupName": "docker base updates", "prPriority": -1 } ] }