chore(renovate): inline Renovate rules instead of extending an external preset

[gofreight-jackyeh]

Reason

Renovate's GitHub App token on this repo cannot read the source of the external preset we were extending, so the previous

extends: ["github>…/…#vX.Y.Z"]

resolved to nothing — Renovate silently fell back to its built-in defaults and we lost every policy the preset was supposed to bring: SHA pinning, the 3-day release-age soak, OSV alerts, PR grouping, the weekly schedule, and the PR volume caps.

The fix is to inline the rules directly in this file.

Changes

Replaced the external extends with an inlined copy of the rules that actually apply to this repo (frontend JS lib + GHA workflows):

• Volume controls: prConcurrentLimit: 4, prHourlyLimit: 4, weekly Monday schedule
• Bundled lockfile maintenance into a single PR per cycle
• internalChecksFilter: "strict"
• OSV vulnerability alerts (vulnerabilityAlerts with groupName: null so CVE PRs are never batched)
• GitHub Actions: pinDigests: true + minimumReleaseAge: "3 days"
• GHA grouping: minor/patch/digest/pin -> gha-non-major; major -> isolated PR per action
• npm grouping: minor/patch -> frontend-non-major (3-day soak); major -> isolated PR per dep

Dropped rules that have no matching files in this repo (backend Python deps, Docker, Terraform, datastore pinning) and the preset self-bump customManager (no preset pin remains).

Kept the existing :preserveSemverRanges and labels: ["dependencies"].

Test Scope

• Local validation: npx --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5 → Config validated successfully (matches the validate-renovate.yml workflow exactly).
• CI: validate-renovate.yml will rerun on this PR.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f65dde99-13b1-4271-9ffb-007ce534bff0

📥 Commits

Reviewing files that changed from the base of the PR and between 0be3309 and 1562c50.

📒 Files selected for processing (1)

• renovate.json5

📜 Recent review details

🔇 Additional comments (5)

renovate.json5 (5)

1-10: LGTM!

---

12-18: LGTM!

---

20-25: LGTM!

---

27-40: LGTM!

---

42-87: LGTM!

---

📝 Walkthrough

Walkthrough

The PR inlines Renovate configuration previously inherited from hardcoretech/conf-renovate, declaring extends, global PR controls and schedules, OSV vulnerability alerting, and packageRules for lockfile, GitHub Actions, and frontend npm grouping.

Changes

Renovate Configuration Migration

Layer / File(s)	Summary
Preset migration and core extends renovate.json5	The extends configuration removes the upstream hardcoretech/conf-renovate#v1.2.1 preset and inlines config:best-practices plus :preserveSemverRanges.
Global dependency management controls renovate.json5	PR volume limits (concurrency/hourly), weekly schedule, lockfile maintenance enablement, and strict internal status-check filtering are set explicitly.
OSV / vulnerability alerting renovate.json5	OSV vulnerability alerts are enabled and security PRs are labeled with ["security"] and groupName: null to prevent batching; vulnerability PR schedule is set to ["at any time"].
Package-specific grouping and pinning rules renovate.json5	Package rules bundle lockfile maintenance into a single PR, pin GitHub Actions to SHA digests with a 3-day minimumReleaseAge, group GitHub Actions non-major updates together while isolating major updates, and group frontend npm minor/patch updates (frontend-non-major) with a 3-day minimum age while isolating major updates.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(renovate): inline Renovate rules instead of extending an external preset' directly and clearly describes the main change—replacing external preset inheritance with inlined rules.
Description check	✅ Passed	The description comprehensively explains the reason for the change, details all inlined rules, and documents validation steps. It is highly relevant to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR inlines the subset of hardcoretech/conf-renovate@v1.2.1 rules that are relevant to this public repo, replacing an extends reference to the private preset that Renovate's App token could not resolve. The resulting config is logically equivalent to what the preset was supposed to provide for a frontend-only repo.

• Adds config:best-practices to extends and inlines volume controls (prConcurrentLimit, prHourlyLimit), a weekly Monday schedule, lockfile maintenance bundling, internalChecksFilter: strict, OSV vulnerability alerts, and npm / GHA grouping rules with a 3-day release soak — all faithfully sourced from the v1.2.1 preset tags listed in the comments.
• Intentionally drops backend, Docker, Terraform, datastore, and self-bump customManagers sections from the preset because no matching files exist in this repo.

Confidence Score: 4/5

Safe to merge; the inlined rules faithfully reproduce the private preset's intent for a frontend-only repo, and the validator confirmed the config is well-formed.

The change is a mechanical inline of a well-understood private preset into a public repo config. The only open question is whether vulnerabilityAlerts should carry schedule at-any-time so CVE PRs are not held until Monday — currently they would be delayed up to 6 days after a vulnerability is published.

Only renovate.json5 changed; the vulnerabilityAlerts block merits a second look regarding the inherited weekly schedule.

Important Files Changed

Filename	Overview
renovate.json5	Replaces the unresolvable private preset reference with inlined Renovate rules covering volume limits, scheduling, lockfile maintenance, OSV security alerts, and npm/GHA grouping. Logic is well-structured and commented; one minor: vulnerability-alert PRs inherit the global weekly schedule, so CVEs will only open on Monday mornings before 5am.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Renovate Run\nMonday before 5am] --> B{Update type?}

    B -->|lockFileMaintenance| C[Group into\nlockfile-maintenance PR]
    B -->|OSV vulnerability| D[vulnerabilityAlerts template\ngroupName: null\nunbatched CVE PR]
    B -->|GHA update| E{GHA major?}
    B -->|npm update| F{npm major?}

    E -->|No: minor/patch/digest/pin| G[Group into\ngha-non-major PR\npinDigests + 3-day soak]
    E -->|Yes: major| H[Isolated PR per action\npinDigests + 3-day soak]

    F -->|No: minor/patch| I[Group into\nfrontend-non-major PR\n3-day soak]
    F -->|Yes: major| J[Isolated PR per dep\n3-day soak]

    G --> K{internalChecksFilter strict}
    H --> K
    I --> K
    J --> K
    C --> K

    K -->|Pass| L[Open PR\nmax 4 concurrent\nmax 4/hour]
    K -->|Fail| M[Suppress PR]

    D --> L

Loading

_{Reviews (1): Last reviewed commit: "chore(renovate): inline conf-renovate ru..." | Re-trigger Greptile}

[greptile-apps]

Vulnerability-alert PRs inherit the top-level schedule: ["before 5am on monday"], so OSV-triggered CVE PRs will only be opened once a week. If a critical CVE drops on Tuesday, Renovate won't raise its PR until the following Monday morning. Adding schedule: ["at any time"] inside vulnerabilityAlerts bypasses the weekly window only for security fixes while leaving everything else on the Monday cadence.

Suggested change

	osvVulnerabilityAlerts: true,
	vulnerabilityAlerts: {
	enabled: true,
	labels: ["security"],
	// groupName:null is INTENTIONAL: security/CVE PRs must NEVER be batched
	// with manager-grouping rules so individual review isn't delayed.
	groupName: null,
	},
	osvVulnerabilityAlerts: true,
	vulnerabilityAlerts: {
	enabled: true,
	labels: ["security"],
	// groupName:null is INTENTIONAL: security/CVE PRs must NEVER be batched
	// with manager-grouping rules so individual review isn't delayed.
	groupName: null,
	// Allow vulnerability PRs to open any day, bypassing the weekly schedule.
	schedule: ["at any time"],
	},

[gofreight-jackyeh]

Accepted — added schedule: ["at any time"] to vulnerabilityAlerts in 1562c50 so CVE PRs bypass the weekly Monday window. Thanks for the catch.