From a7feea5f8d8044e509d75f382fbe8503436ecdba Mon Sep 17 00:00:00 2001
From: Jack Yeh <jack.yeh@gofreight.com>
Date: Mon, 18 May 2026 19:19:56 +0800
Subject: [PATCH] chore: adopt shared conf-renovate preset (v1.2.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switches this repo onto the org-shared Renovate preset
`hardcoretech/conf-renovate` pinned at v1.2.1. Mirrors the
gf-admin-console pilot (#182, merged) and the svc-thor adoption (#160).

What changed vs. the prior `renovate.json`:
- File renamed `renovate.json` → `renovate.json5` so override rationale
  can live as inline comments. The old file is deleted in this commit
  (renovate.json has higher precedence than .json5 in Renovate's lookup).
- Dropped `extends: ["config:recommended"]` — preset already extends
  `config:best-practices` (a stricter superset).
- Dropped the FIS-17871 GHA-hardening packageRule — same SHA-pin +
  3-day soak policy is now provided by the preset's `security` atomic
  preset (locked). The previous local form lacked a `matchUpdateTypes`
  filter and would silently override the locked major-isolation policy.

Validation gate: adds the `renovate-config-validator` pre-commit hook to `.pre-commit-config.yaml` (existing CI runs `pre-commit run`).
---
 .pre-commit-config.yaml |  5 +++++
 renovate.json           | 17 -----------------
 renovate.json5          | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 17 deletions(-)
 delete mode 100644 renovate.json
 create mode 100644 renovate.json5

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cfa733e..af10b07 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,8 @@ repos:
     rev: 5.12.0
     hooks:
       - id: isort
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 43.150.0
+    hooks:
+      - id: renovate-config-validator
+        args: [--strict, --no-global]
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 02871ff..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
-  "packageRules": [
-    {
-      "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
-      "matchManagers": [
-        "github-actions"
-      ],
-      "groupName": "GitHub Actions",
-      "minimumReleaseAge": "3 days",
-      "pinDigests": true
-    }
-  ]
-}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..95ee889
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,15 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // Baseline = `hardcoretech/conf-renovate` (see preset README for the
+  // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts,
+  // per-ecosystem grouping, major-update isolation, datastore version pinning).
+  // The preset auto-bumps this pin via its own customManager (v1.1.0+).
+  extends: [
+    "github>hardcoretech/conf-renovate#v1.2.1",
+    // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+    ":preserveSemverRanges",
+  ],
+
+  labels: ["dependencies"],
+}