From cb6e501fb97323ec71de8a5c4345f36a090e9513 Mon Sep 17 00:00:00 2001 From: Jack Yeh Date: Mon, 18 May 2026 19:19:15 +0800 Subject: [PATCH 1/2] chore: adopt shared conf-renovate preset (v1.2.1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Switches this repo onto the org-shared Renovate preset `hardcoretech/conf-renovate` pinned at v1.2.1. Mirrors the gf-admin-console pilot (#182, merged) and the svc-thor adoption (#160). What the preset provides (inherited, no local declaration): - `config:best-practices` baseline + dependency dashboard. - SHA-pinned GHA + 3-day release-age soak + OSV alerts (locked). - Per-ecosystem PR grouping with major-update isolation. - Datastore version pinning (mysql / rabbitmq / valkey on docker+helm). - Built-in self-bump customManager — future preset releases auto-PR a bump of the `#v1.2.1` pin without per-repo config. Adds `.github/workflows/validate-renovate.yml` (no pre-commit infra in this repo, so a standalone workflow is the lowest-overhead gate). --- .github/workflows/validate-renovate.yml | 23 +++++++++++++++++++++++ renovate.json5 | 15 +++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 .github/workflows/validate-renovate.yml create mode 100644 renovate.json5 diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml new file mode 100644 index 0000000..6b52dea --- /dev/null +++ b/.github/workflows/validate-renovate.yml 
@@ -0,0 +1,23 @@
+name: Validate Renovate Config
+
+on:
+ pull_request:
+ paths:
+ - 'renovate.json5'
+ - '.github/workflows/validate-renovate.yml'
+ push:
+ branches: [master]
+ paths:
+ - 'renovate.json5'
+ - '.github/workflows/validate-renovate.yml'
+
+jobs:
+ validate:
+ name: renovate-config-validator
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '24'
+ - run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..95ee889
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,15 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+ // Baseline = `hardcoretech/conf-renovate` (see preset README for the
+ // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts,
+ // per-ecosystem grouping, major-update isolation, datastore version pinning).
+ // The preset auto-bumps this pin via its own customManager (v1.1.0+).
+ extends: [
+ "github>hardcoretech/conf-renovate#v1.2.1",
+ // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+ ":preserveSemverRanges",
+ ],
+
+ labels: ["dependencies"],
+}
From 1f55591527f4864f534337ec094e49a418919162 Mon Sep 17 00:00:00 2001
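Review bot: The `validate` job declares no `permissions:` block, so the `GITHUB_TOKEN` it receives falls back to the repository's default token scope, which on many repos is still read/write; a job that only needs to read the checkout should say so with `permissions:` / `  contents: read` under `jobs.validate` (or at the workflow top level). The same hunk references `actions/checkout@v4` and `actions/setup-node@v4` by mutable tag even though the commit message says the inherited preset enforces SHA-pinned actions — Renovate will presumably rewrite these on its first run, but until then the workflow trusts a movable ref, and pinning to a commit digest with the tag in a trailing comment is the form the preset expects. `npx --yes --package renovate@43` likewise resolves to whatever 43.x is current at run time, so the validator can start failing with no change in this repo; pinning the exact version here and letting Renovate bump it keeps the gate reproducible.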
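Review bot: The `#v1.2.1` suffix on `github>hardcoretech/conf-renovate` is a git tag, i.e. a mutable ref: anyone who can move tags in the preset repository can change the policy this repo resolves to without any diff appearing here. Because the comment above it says the preset also ships the customManager that bumps this pin, the preset repo's tag protection and release process is effectively part of this repo's supply chain, which is worth stating next to the pin, e.g. `// Trust anchor for the whole policy: only as immutable as tag protection on the preset repo.` If Renovate accepts a full commit SHA after `#` (I believe it does, but confirm), a SHA ref with the tag in a comment would make the pin immutable at the cost of the self-bump having to update both.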
From: Jack Yeh Date: Tue, 19 May 2026 21:38:17 +0800 Subject: [PATCH 2/2] chore(renovate): tighten validate workflow + clarify inherited policy - Workflow now triggers on every Renovate config filename (renovate.json, .renovaterc, .github/renovate.json, etc.) so a future PR can't bypass validation by adding a higher-precedence file. - Workflow refuses to run if any higher-precedence config is present at run time, surfacing the conflict loudly instead of silently overriding. - File-level comment on renovate.json5 now spells out the inherited policy (config:best-practices baseline, atomic preset chain) so readers don't have to chase the preset source. --- .github/workflows/validate-renovate.yml | 32 +++++++++++++++++++++++++ renovate.json5 | 12 +++++++--- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml index 6b52dea..66fa499 100644 --- a/.github/workflows/validate-renovate.yml +++ b/.github/workflows/validate-renovate.yml @@ -1,14 +1,28 @@ name: Validate Renovate Config +# Triggers on any path Renovate would pick up as a config (see lookup order: +# https://docs.renovatebot.com/configuration-options/#configurationoptions). +# Listing them all means a PR can't accidentally bypass validation by adding, +# say, a higher-precedence `renovate.json` while only the `.json5` is path-filtered. on: pull_request: paths: + - 'renovate.json' - 'renovate.json5' + - '.renovaterc' + - '.renovaterc.json' + - '.github/renovate.json' + - '.github/renovate.json5' - '.github/workflows/validate-renovate.yml' push: branches: [master] paths: + - 'renovate.json' - 'renovate.json5' + - '.renovaterc' + - '.renovaterc.json' + - '.github/renovate.json' + - '.github/renovate.json5' - '.github/workflows/validate-renovate.yml' jobs: 
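Review bot: Both the `pull_request` and `push` path lists still leave out `.renovaterc.json5`, which, as I read Renovate's documented lookup order, is picked up exactly like `.renovaterc.json`; add `- '.renovaterc.json5'` to both lists (the guard array in the next hunk omits it as well). The `renovate` key inside `package.json` is a further config location that a filter on config filenames cannot see, so the comment's claim that a PR "can't accidentally bypass validation" is stronger than the filter delivers — either soften it to "by adding another config file" or have the guard step check `package.json` too. The duplicated list is also easy to let drift between the two events; if a shared definition is not available in this workflow syntax, a comment that the two lists must stay identical is the minimum. The file's `jobs:` mapping continues past the end of this hunk.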
@@ -17,7 +31,25 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + + # We've deliberately chosen `renovate.json5` (supports comments). Any + # higher-precedence config file (`renovate.json`, `.renovaterc`, + # `.github/renovate.json`) would silently override it — fail loudly + # so a stray file is caught at PR time. + - name: Refuse higher-precedence config files + run: | + higher_precedence=(renovate.json .renovaterc .renovaterc.json .github/renovate.json) + found=() + for f in "${higher_precedence[@]}"; do + [[ -f "$f" ]] && found+=("$f") + done + if (( ${#found[@]} > 0 )); then + echo "::error::Higher-precedence Renovate config file(s) present — these override renovate.json5: ${found[*]}" + exit 1 + fi + - uses: actions/setup-node@v4 with: node-version: '24' + - run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5 diff --git a/renovate.json5 b/renovate.json5 index 95ee889..cb48299 100644 --- a/renovate.json5 +++ b/renovate.json5 
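Review bot: The `higher_precedence` array and the `::error::` text treat `.renovaterc`, `.renovaterc.json` and `.github/renovate.json` as overriding `renovate.json5`, but in Renovate's documented lookup order, as I read it, only `renovate.json` comes before `renovate.json5`; the other three come after it and would be silently ignored while `renovate.json5` exists, not silently take over — please confirm against the docs page linked in the previous hunk before changing wording. The guard is still worth keeping, because an ignored file is dead config someone will edit in good faith, but the comment block above the step and the error message should say "conflicting or ignored" rather than "override", and the array should cover every other config location instead of a guessed subset, e.g. `other_configs=(renovate.json .github/renovate.json .github/renovate.json5 .renovaterc .renovaterc.json .renovaterc.json5)`. I would also add `shell: bash` to the step, since `[[ ]]`, arrays and `(( ))` depend on it; the default on ubuntu runners happens to be bash, but stating it makes the assumption reviewable.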
@@ -1,9 +1,15 @@ { $schema: "https://docs.renovatebot.com/renovate-schema.json", - // Baseline = `hardcoretech/conf-renovate` (see preset README for the - // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts, - // per-ecosystem grouping, major-update isolation, datastore version pinning). + // Baseline = `hardcoretech/conf-renovate`. Inherited policy from the + // preset's `default.json5`: + // - `config:best-practices` (dependency dashboard, internal-checks-filter, + // `groupName: null` for major updates, etc.) + // - SHA-pinned GHA + 3-day release-age soak + OSV vulnerability alerts + // - Per-ecosystem PR grouping (backend / frontend / docker / gha / terraform) + // - Datastore version pinning (mysql / rabbitmq / valkey on docker+helm) + // - PR volume controls (`prConcurrentLimit: 4`, `prHourlyLimit: 4`) + // - Weekly Monday schedule // The preset auto-bumps this pin via its own customManager (v1.1.0+). extends: [ "github>hardcoretech/conf-renovate#v1.2.1",
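Review bot: The expanded comment now restates specific preset values (`prConcurrentLimit: 4`, `prHourlyLimit: 4`, the weekly Monday schedule, the grouping buckets) that live in the preset's `default.json5`, while the retained line below it says the preset bumps `#v1.2.1` automatically without touching this file — so the list will drift from the policy actually in force the first time the pin moves. I would keep the bullets to the categories and point at the source of truth instead, e.g. `// Inherited policy: see default.json5 in hardcoretech/conf-renovate at the tag pinned below; values quoted here may lag a self-bump.` This is documentation only; the `extends` entry itself is unchanged in this hunk.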