Charon/.github/renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":separateMultipleMajorReleases",
    "helpers:pinGitHubActionDigests"
  ],
  "baseBranchPatterns": [
    "feature/beta-release",
    "development"
  ],
  "postUpdateOptions": ["npmDedupe"],
  "timezone": "America/New_York",
  "dependencyDashboard": true,
  "dependencyDashboardApproval": true,
  "prConcurrentLimit": 10,
  "prHourlyLimit": 0,
  "labels": [
    "dependencies"
  ],

  "ignorePaths": [
    ".docker/**"
  ],

  "rebaseWhen": "auto",

  "vulnerabilityAlerts": {
    "enabled": true,
    "dependencyDashboardApproval": false,
    "automerge": false,
    "labels": ["security", "vulnerability"]
  },

  "rangeStrategy": "bump",
  "automerge": false,
  "automergeType": "pr",
  "platformAutomerge": true,

  "customManagers": [
    {
      "customType": "regex",
      "description": "Track caddy-security plugin version in Dockerfile",
      "managerFilePatterns": [
        "/^Dockerfile$/"
      ],
      "matchStrings": [
        "ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/greenpau/caddy-security",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
      "managerFilePatterns": [
        "/^Dockerfile$/"
      ],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
      ],
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Alpine base image digest in Dockerfile for security updates",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
      ],
      "depNameTemplate": "alpine",
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
    },
    {
      "customType": "regex",
      "description": "Track Go toolchain version ARG in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang",
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
    },
    {
      "customType": "regex",
      "description": "Track expr-lang version ARG in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/expr-lang/expr",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track golang.org/x/net version ARG in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang.org/x/net",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Delve version in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "ARG DLV_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/go-delve/delve",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track xcaddy version in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "ARG XCADDY_VERSION=(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "github.com/caddyserver/xcaddy",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track gotestsum version in codecov workflow",
      "managerFilePatterns": [
        "/^\\.github/workflows/codecov-upload\\.yml$/"
      ],
      "matchStrings": [
        "gotestsum@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "gotest.tools/gotestsum",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track gotestsum version in quality checks workflow",
      "managerFilePatterns": [
        "/^\\.github/workflows/quality-checks\\.yml$/"
      ],
      "matchStrings": [
        "gotestsum@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "gotest.tools/gotestsum",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track govulncheck version in scripts",
      "managerFilePatterns": ["/^scripts\\/security-scan\\.sh$/"],
      "matchStrings": [
        "govulncheck@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang.org/x/vuln",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track gopls version in Go install script",
      "managerFilePatterns": ["/^scripts\\/install-go-1\\.25\\.6\\.sh$/"],
      "matchStrings": [
        "gopls@v(?<currentValue>[^\\s]+)"
      ],
      "depNameTemplate": "golang.org/x/tools",
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Go toolchain version in go.work for the dl shim",
      "managerFilePatterns": ["/^go\\.work$/"],
      "matchStrings": [
        "^go (?<currentValue>\\d+\\.\\d+\\.\\d+)$"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track GO_VERSION in Actions workflows",
      "managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
      "matchStrings": [
        "GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Syft version in workflows and scripts",
      "managerFilePatterns": [
        "/^\\.github/workflows/nightly-build\\.yml$/",
        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
      ],
      "matchStrings": [
        "SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
        "set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
      ],
      "depNameTemplate": "anchore/syft",
      "datasourceTemplate": "github-releases",
      "versioningTemplate": "semver",
      "extractVersionTemplate": "^v(?<version>.*)$"
    },
    {
      "customType": "regex",
      "description": "Track Grype version in workflows and scripts",
      "managerFilePatterns": [
        "/^\\.github/workflows/supply-chain-pr\\.yml$/",
        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
      ],
      "matchStrings": [
        "anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
        "set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
      ],
      "depNameTemplate": "anchore/grype",
      "datasourceTemplate": "github-releases",
      "versioningTemplate": "semver",
      "extractVersionTemplate": "^v(?<version>.*)$"
    },
    {
      "customType": "regex",
      "description": "Track go-version in skill example workflows",
      "managerFilePatterns": ["/^\\.github/skills/examples/.*\\.yml$/"],
      "matchStrings": [
        "go-version: [\"']?(?<currentValue>[\\d\\.]+)[\"']?"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
    }
  ],

  "github-actions": {
    "managerFilePatterns": [
      "/^\\.github/skills/examples/.*\\.ya?ml$/"
    ]
  },

  "packageRules": [
    {
      "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
      "matchUpdateTypes": [
        "minor",
        "patch",
        "pin",
        "digest"
      ],
      "groupName": "non-major-updates",
      "matchPackageNames": [
        "*"
      ]
    },
        {
      "description": "Feature branches: Auto-merge non-major updates after proven stable",
      "matchBaseBranches": ["feature/**"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": false
    },
    {
      "description": "Development branch: Auto-merge non-major updates after proven stable",
      "matchBaseBranches": ["development"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": false,
      "minimumReleaseAge": "14 days"
    },
    {
      "description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",
      "matchManagers": ["custom.regex"],
      "matchFileNames": ["Dockerfile"],
      "labels": ["caddy-patch", "security"],
      "matchPackageNames": [
        "/expr-lang/expr/",
        "/quic-go/quic-go/",
        "/smallstep/certificates/"
      ]
    },
    {
      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["caddy"],
      "allowedVersions": "<3.0.0"
    },
    {
      "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path)",
      "matchDatasources": ["go"],
      "matchPackageNames": ["github.com/jackc/pgx/v4"],
      "allowedVersions": "<5.0.0"
    },
    {
      "description": "Go: keep go-jose/v3 within v3 (v4 is a different Go module path)",
      "matchDatasources": ["go"],
      "matchPackageNames": ["github.com/go-jose/go-jose/v3"],
      "allowedVersions": "<4.0.0"
    },
    {
      "description": "Go: keep go-jose/v4 within v4 (v5 would be a different Go module path)",
      "matchDatasources": ["go"],
      "matchPackageNames": ["github.com/go-jose/go-jose/v4"],
      "allowedVersions": "<5.0.0"
    },
    {
      "description": "Safety: Keep MAJOR updates separate and require manual review",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["manual-review"]
    },
    {
      "description": "Fix Renovate lookup for geoip2-golang v2 module path",
      "matchDatasources": ["go"],
      "matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"],
      "sourceUrl": "https://github.com/oschwald/geoip2-golang"
    }
  ]
}