diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml new file mode 100644 index 0000000..c425e65 --- /dev/null +++ b/.github/workflows/validate-renovate.yml @@ -0,0 +1,23 @@ +name: Validate Renovate Config + +on: + pull_request: + paths: + - 'renovate.json5' + - '.github/workflows/validate-renovate.yml' + push: + branches: [develop] + paths: + - 'renovate.json5' + - '.github/workflows/validate-renovate.yml' + +jobs: + validate: + name: renovate-config-validator + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: '24' + - run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5 diff --git a/renovate.json b/renovate.json deleted file mode 100644 index d9ebaee..0000000 --- a/renovate.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "config:recommended" - ], - "packageRules": [ - { - "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days", - "matchManagers": [ - "github-actions" - ], - "groupName": "GitHub Actions", - "minimumReleaseAge": "3 days", - "pinDigests": true - } - ] -} - diff --git a/renovate.json5 b/renovate.json5 new file mode 100644 index 0000000..95ee889 --- /dev/null +++ b/renovate.json5 @@ -0,0 +1,15 @@ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + + // Baseline = `hardcoretech/conf-renovate` (see preset README for the + // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts, + // per-ecosystem grouping, major-update isolation, datastore version pinning). + // The preset auto-bumps this pin via its own customManager (v1.1.0+). + extends: [ + "github>hardcoretech/conf-renovate#v1.2.1", + // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset. + ":preserveSemverRanges", + ], + + labels: ["dependencies"], +}