
chore(renovate): refresh config with explicit grouping + soak rules#16

Merged: CJHwong merged 2 commits into main from chore/refresh-renovate-config on May 20, 2026

Conversation

@gofreight-jackyeh (Contributor)

Summary

Switch renovate.json5 to an explicit, self-contained config. Resolves the Cannot find preset's package validation error that was blocking Renovate from opening PRs on this repo.

Same effective policy as before, just expressed locally:

  • SHA-pinned GitHub Actions with pinDigests: true
  • 3-day minimumReleaseAge soak on Python deps + GHA
  • OSV vulnerability alerts (security PRs never batched)
  • Per-ecosystem grouping (backend-non-major, gha-non-major)
  • Major updates isolated to one PR per dep (groupName: null)
  • Lockfile-maintenance bundled into one PR per cycle
  • prConcurrentLimit: 4 + prHourlyLimit: 4 + Monday-only schedule

File renamed renovate.json → renovate.json5 so override rationale can live as inline comments. Old file deleted in the same commit (renovate.json has higher Renovate lookup precedence).

No behaviour change for the deps Renovate would have opened anyway — this just makes the run actually succeed.

Test plan

  • renovate-config-validator --strict --no-global renovate.json5 passes locally (Node 24 + renovate@43, LOG_LEVEL=warn, exit 0)
  • CI pre-commit runs the same gate on PR + push

Post-merge verification

Will confirm after merge:

  • Renovate run on the default branch succeeds (no config-validation issue re-opened)
  • Renovate opens any pending grouped PR(s) — backend-non-major / gha-non-major

Switch `renovate.json5` to an explicit, self-contained config so the
Renovate run on this repo can resolve all its preset references.

Same effective policy as before, just expressed locally:

- SHA-pinned GitHub Actions with `pinDigests: true`
- 3-day `minimumReleaseAge` soak on Python deps + GHA
- OSV vulnerability alerts (security PRs never batched)
- Per-ecosystem grouping (`backend-non-major`, `gha-non-major`)
- Major updates isolated to one PR per dep (`groupName: null`)
- Lockfile-maintenance bundled into one PR per cycle
- `prConcurrentLimit: 4` + `prHourlyLimit: 4` + Monday-only schedule

File renamed `renovate.json` → `renovate.json5` so override rationale
can live as inline comments. The old file is deleted in this commit
(renovate.json has higher precedence than .json5 in Renovate's lookup).

Adds the `renovate-config-validator` pre-commit hook to
`.pre-commit-config.yaml` so config changes are gated by the existing
`pre-commit run` step in CI.
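The policy the description lists, written out as an explicit Renovate config. This is an added illustration, not the PR's own renovate.json5 (that file is longer and its exact rules are not shown on this page); every key is a real Renovate option, but the schedule string and the use of the `vulnerabilityAlerts` object to express "security PRs never batched" are my assumptions about how that intent would be encoded.

```json5
{
  // Added illustration, not the PR's renovate.json5. Option names are
  // real Renovate options; the schedule text and the vulnerabilityAlerts
  // block are assumptions about how the described policy is expressed.
  $schema: "https://docs.renovatebot.com/renovate-schema.json",

  // Volume control: one run per week, bounded PR creation per run.
  schedule: ["before 6am on monday"],
  prConcurrentLimit: 4,
  prHourlyLimit: 4,

  // Only consider releases whose status checks are final.
  internalChecksFilter: "strict",

  // Security baseline: OSV-sourced vulnerability alerts, each opened as
  // its own PR (groupName: null opts the alert out of any batching).
  osvVulnerabilityAlerts: true,
  vulnerabilityAlerts: { groupName: null },

  // Lockfile refreshes bundled into a single PR per cycle.
  lockFileMaintenance: { enabled: true, schedule: ["before 6am on monday"] },

  packageRules: [
    {
      // Soak window: skip releases younger than 3 days for Python deps
      // (both managers the repo may use) and GitHub Actions.
      matchManagers: ["poetry", "pep621", "github-actions"],
      minimumReleaseAge: "3 days",
    },
    {
      // Python non-major updates batched into one PR.
      matchManagers: ["poetry", "pep621"],
      matchUpdateTypes: ["minor", "patch"],
      groupName: "backend-non-major",
    },
    {
      // GitHub Actions: SHA-pinned; non-major and digest bumps batched.
      matchManagers: ["github-actions"],
      pinDigests: true,
      matchUpdateTypes: ["minor", "patch", "pinDigest", "digest"],
      groupName: "gha-non-major",
    },
    {
      // Major updates isolated: one PR per dependency, never grouped.
      matchUpdateTypes: ["major"],
      groupName: null,
    },
  ],
}
```

Validate a file like this the same way the PR's test plan does: `renovate-config-validator --strict --no-global renovate.json5`.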
github-actions Bot commented May 19, 2026

Unit Test Results

4 tests: 4 passed ✔️, 0 skipped 💤, 0 failed; 1 suite, 1 file, 0s ⏱️

Results for commit 0b20119.

♻️ This comment has been updated with latest results.

mattwang44 previously approved these changes May 19, 2026
Agent-Logs-Url: https://github.com/hardcoretech/missing/sessions/1f14650f-f58f-4643-8765-1ae4785c55b0

Co-authored-by: mattwang44 <24987826+mattwang44@users.noreply.github.com>
@CJHwong CJHwong merged commit 0da691a into main May 20, 2026
4 checks passed
@gitvelocity-reviewer commented:

Final Merge Review (Official Score)

This is the official score for PR #16, calculated on the final merged code.
Merge commit: 0da691a224c8818bfe244814069f2ec449b22e45


Summary

This PR upgrades the Renovate dependency management configuration from a minimal renovate.json (17 lines) to a comprehensive renovate.json5 (95 lines) with well-documented rules. Key changes include:

  1. renovate.json → renovate.json5: Migration to JSON5 format with extensive inline documentation, adding volume controls (PR rate limiting), security baseline (OSV vulnerability alerts, CVE isolation), per-ecosystem grouping rules (Python/GHA), major update isolation, and lock file maintenance bundling.
  2. .pre-commit-config.yaml: Adds renovate-config-validator hook with --strict --no-global flags to validate the Renovate config in CI.
  3. .github/workflows/lint.yml: Bumps Python version from 3.8 → 3.9 (likely required for the new pre-commit hook).

The change is primarily a DevOps/tooling improvement — hardening the dependency update pipeline with thoughtful security and operational controls.


Scoring

S (Scope): 5/20

  • 3 files touched, all in CI/tooling layer
  • No new public APIs, endpoints, or user-facing behavior
  • Contained within the dependency management subsystem
  • The renovate.json5 is a meaningful configuration expansion but stays within one tooling domain

A (Architecture): 4/20

  • Introduces renovate-config-validator as a new pre-commit gate — a small but meaningful architectural addition to the CI pipeline
  • Migrates config format (JSON → JSON5) with structural improvements
  • No new service dependencies or cross-component changes
  • Follows existing CI patterns

I (Implementation): 6/20

  • The renovate.json5 demonstrates solid understanding of Renovate's rule system: packageRules with matchManagers, matchUpdateTypes, groupName: null intentional unbatching for security/major updates, internalChecksFilter: "strict", osvVulnerabilityAlerts
  • Inline comments explain non-obvious decisions (e.g., why groupName: null for CVEs, why both poetry and pep621 are listed)
  • Not algorithmically complex, but requires domain knowledge of Renovate's behavior model
  • The volume control design (weekly schedule + concurrent/hourly limits as a proxy for weekly cap) shows nuanced understanding

R (Risk): 3/20

  • Low risk: configuration-only change, easily reversible
  • Worst case: Renovate creates unexpected PRs or the validator rejects valid configs
  • No data migrations, no auth changes, no production code paths affected
  • Python 3.8 → 3.9 bump in lint workflow is minor and low-risk

Q (Quality): 7/15

  • The inline documentation is genuinely good — explains why decisions were made (e.g., groupName: null rationale, soak window purpose, pep621 + poetry dual listing)
  • The renovate-config-validator hook provides automated validation — this is self-testing infrastructure
  • No formal test files, but the nature of the change (config) doesn't warrant unit tests
  • Could have included a brief PR description explaining the migration rationale more explicitly

P (Performance/Security): 3/5

  • osvVulnerabilityAlerts: true explicitly addresses security
  • SHA pinning for GHA (pinDigests: true) is a supply-chain security measure
  • minimumReleaseAge: "3 days" soak window is a security/stability control
  • CVE PRs intentionally unbatched (groupName: null) — thoughtful security design

Base Score Calculation

| Sub-score                | Points |
|--------------------------|--------|
| S (Scope)                | 5      |
| A (Architecture)         | 4      |
| I (Implementation)       | 6      |
| R (Risk)                 | 3      |
| Q (Quality)              | 7      |
| P (Performance/Security) | 3      |
| Base Score               | 28     |

Effort Scale Assessment

  • Effective Lines: 94 (pre-computed)
  • File Count: 3 (pre-computed)
  • ESF Tier: Small (0.4x) — confirmed per prompt header

Base Tier (Lines): 94 lines → Small (0.4x)
File Tier (Files): 3 files → Micro
Gap: Micro - Small = -1 tier → No bump
Final ESF: 0.4x

Final Score

28 × 0.4 = 11.2 → 11


Code Quality Data (JSON)
{
  "_schema": "code_quality_v5",
  "total_score": 11,
  "total_factors": "28 × 0.4 (Small ESF) = 11.2 → 11",
  "scope_score": 5,
  "scope_factors": "3 files in CI/tooling layer only; no new APIs or user-facing behavior; contained within dependency management subsystem",
  "architecture_score": 4,
  "architecture_factors": "Adds renovate-config-validator pre-commit gate; JSON→JSON5 format migration with structural improvements; follows existing CI patterns; no new service dependencies",
  "implementation_score": 6,
  "implementation_factors": "Demonstrates solid Renovate domain knowledge: intentional groupName:null for CVE/major isolation, internalChecksFilter:strict, osvVulnerabilityAlerts, dual poetry+pep621 manager coverage; well-commented non-obvious decisions; not algorithmically complex",
  "risk_score": 3,
  "risk_factors": "Config-only change, easily reversible; no data migrations, no auth changes, no production code paths; Python 3.8→3.9 bump in lint workflow is minor",
  "quality_score": 7,
  "quality_factors": "Inline documentation explains why decisions were made; renovate-config-validator provides automated self-validation; no formal tests but config nature doesn't warrant them; good but not exceptional documentation rigor",
  "perf_security_score": 3,
  "perf_security_factors": "osvVulnerabilityAlerts:true; SHA pinning for GHA supply-chain security; 3-day soak window; CVE PRs intentionally unbatched for security isolation"
}

@mattwang44 mattwang44 deleted the chore/refresh-renovate-config branch May 21, 2026 01:23
