Charon/.github/renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":separateMultipleMajorReleases",
    "helpers:pinGitHubActionDigests"
  ],
  "baseBranches": [
    "feature/beta-release",
    "development"

  ],
  "timezone": "America/New_York",
  "dependencyDashboard": true,
  "prConcurrentLimit": 10,
  "prHourlyLimit": 0,
  "labels": [
    "dependencies"
  ],

  "ignorePaths": [
    ".docker/**"
  ],

  "rebaseWhen": "auto",

  "vulnerabilityAlerts": {
    "enabled": true
  },

  "schedule": [
    "before 8am on monday"
  ],

  "rangeStrategy": "bump",
  "automerge": false,
  "automergeType": "pr",
  "platformAutomerge": true,

  "customManagers": [
    {
      "customType": "regex",
      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
      "managerFilePatterns": [
        "/^Dockerfile$/"
      ],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
      ],
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Debian base image digest in Dockerfile for security updates",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?<currentValue>trixie-slim@sha256:[a-f0-9]+)"
      ],
      "depNameTemplate": "debian",
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
    },
    {
      "customType": "regex",
      "description": "Track Delve version in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/go-delve/delve",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track xcaddy version in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/caddyserver/xcaddy",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track govulncheck version in scripts",
      "managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
      "matchStrings": [
        "govulncheck@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang.org/x/vuln",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track gopls version in Go install script",
      "managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
      "matchStrings": [
        "gopls@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang.org/x/tools",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Go toolchain version in go.work for the dl shim",
      "managerFilePatterns": ["/^go\\.work$/"],
      "matchStrings": [
        "^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track GO_VERSION in Actions workflows",
      "fileMatch": ["^\\.github/workflows/.*\\.yml$"],
      "matchStrings": [
        "GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
    }
  ],

  "packageRules": [
    {
      "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one weekly PR",
      "matchPackagePatterns": ["*"],
      "matchUpdateTypes": [
        "minor",
        "patch",
        "pin",
        "digest"
      ],
      "groupName": "weekly-non-major-updates"
    },
    {
      "description": "Feature branches: Always require manual approval",
      "matchBaseBranches": ["feature/*"],
      "automerge": false
    },
    {
      "description": "Development branch: Auto-merge non-major updates after proven stable",
      "matchBaseBranches": ["development"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": true,
      "minimumReleaseAge": "3 days"
    },
    {
      "description": "Preserve your custom Caddy patch labels but allow them to group into the weekly PR",
      "matchManagers": ["custom.regex"],
      "matchFileNames": ["Dockerfile"],
      "labels": ["caddy-patch", "security"],
      "matchPackageNames": [
        "/expr-lang/expr/",
        "/quic-go/quic-go/",
        "/smallstep/certificates/"
      ]
    },
    {
      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["caddy"],
      "allowedVersions": "<3.0.0"
    },
    {
      "description": "Safety: Keep MAJOR updates separate and require manual review",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["manual-review"]
    }
  ]
}