Charon/.github/renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":separateMultipleMajorReleases",
    "helpers:pinGitHubActionDigests"
  ],
  "baseBranches": [
    "development",
    "feature/beta-release"
  ],
  "timezone": "America/New_York",
  "dependencyDashboard": true,
  "prConcurrentLimit": 10,
  "prHourlyLimit": 0,
  "labels": [
    "dependencies"
  ],

  "rebaseWhen": "auto",

  "vulnerabilityAlerts": {
    "enabled": true
  },

  "schedule": [
    "before 8am on monday"
  ],

  "rangeStrategy": "bump",
  "automerge": true,
  "automergeType": "pr",
  "platformAutomerge": true,

  "customManagers": [
    {
      "customType": "regex",
      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
      "managerFilePatterns": [
        "/^Dockerfile$/"
      ],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
      ],
      "datasourceTemplate": "go",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track Debian base image in Dockerfile",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
        "ARG CADDY_IMAGE=debian:(?<currentValue>[\\w.-]+)"
      ],
      "depNameTemplate": "debian",
      "datasourceTemplate": "docker"
    }
  ],

  "packageRules": [
    {
      "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one weekly PR",
      "matchPackagePatterns": ["*"],
      "matchUpdateTypes": [
        "minor",
        "patch",
        "pin",
        "digest"
      ],
      "groupName": "weekly-non-major-updates",
      "automerge": true
    },
    {
      "description": "Preserve your custom Caddy patch labels but allow them to group into the weekly PR",
      "matchManagers": ["custom.regex"],
      "matchFileNames": ["Dockerfile"],
      "labels": ["caddy-patch", "security"],
      "matchPackageNames": [
        "/expr-lang/expr/",
        "/quic-go/quic-go/",
        "/smallstep/certificates/"
      ]
    },
    {
      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["caddy"],
      "allowedVersions": "<3.0.0"
    },
    {
      "description": "Safety: Keep MAJOR updates separate and require manual review",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["manual-review"]
    }
  ]
}