From 8cb2bca870f072a03641b34c5db99c6a090d14cb Mon Sep 17 00:00:00 2001
From: Jack Yeh
Date: Mon, 18 May 2026 19:19:27 +0800
Subject: [PATCH] chore: adopt shared conf-renovate preset (v1.2.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switches this repo onto the org-shared Renovate preset `hardcoretech/conf-renovate` pinned at v1.2.1. Mirrors the gf-admin-console pilot (#182, merged) and the svc-thor adoption (#160).

What changed vs. the prior `renovate.json`:
- File renamed `renovate.json` → `renovate.json5` so override rationale can live as inline comments. The old file is deleted in this commit (renovate.json has higher precedence than .json5 in Renovate's lookup).
- Dropped `extends: ["config:recommended"]` — preset already extends `config:best-practices` (a stricter superset).
- Dropped the FIS-17871 GHA-hardening packageRule — same SHA-pin + 3-day soak policy is now provided by the preset's `security` atomic preset (locked). The previous local form lacked a `matchUpdateTypes` filter and would silently override the locked major-isolation policy.

Adds `.github/workflows/validate-renovate.yml` (no pre-commit infra in this repo, so a standalone workflow is the lowest-overhead gate).
---
.github/workflows/validate-renovate.yml | 23 +++++++++++++++++++++++
renovate.json | 18 ------------------
renovate.json5 | 15 +++++++++++++++
3 files changed, 38 insertions(+), 18 deletions(-)
create mode 100644 .github/workflows/validate-renovate.yml
delete mode 100644 renovate.json
create mode 100644 renovate.json5

diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
new file mode 100644
index 0000000..c425e65
--- /dev/null
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,23 @@
+name: Validate Renovate Config
+
+on:
+  pull_request:
+    paths:
+      - 'renovate.json5'
+      - '.github/workflows/validate-renovate.yml'
+  push:
+    branches: [develop]
+    paths:
+      - 'renovate.json5'
+      - '.github/workflows/validate-renovate.yml'
+
+jobs:
+  validate:
+    name: renovate-config-validator
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+      - run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index d9ebaee..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
-  "packageRules": [
-    {
-      "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
-      "matchManagers": [
-        "github-actions"
-      ],
-      "groupName": "GitHub Actions",
-      "minimumReleaseAge": "3 days",
-      "pinDigests": true
-    }
-  ]
-}
-
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..95ee889
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,15 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // Baseline = `hardcoretech/conf-renovate` (see preset README for the
+  // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts,
+  // per-ecosystem grouping, major-update isolation, datastore version pinning).
+  // The preset auto-bumps this pin via its own customManager (v1.1.0+).
+  extends: [
+    "github>hardcoretech/conf-renovate#v1.2.1",
+    // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+    ":preserveSemverRanges",
+  ],
+
+  labels: ["dependencies"],
+}
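Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository default scope even though the validator only needs to read the checked-out file; add `permissions:` / `  contents: read` at the top level after `name:`, and `persist-credentials: false` under the checkout step's `with:`, since nothing in the job writes back. Both actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-node@v4`) in a change whose own description says the adopted preset SHA-pins GitHub Actions, so pinning them to commit digests here avoids a window in which the gate itself runs unpinned until Renovate's next run. The `npx --yes --package renovate@43` step likewise resolves to whatever 43.x is current at run time, which is a reasonable trade-off for a lint gate but deserves a one-line comment above the `run:` saying the floating minor is intentional.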
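Review bot: The preset reference `github>hardcoretech/conf-renovate#v1.2.1` pins a git tag rather than a commit, so the policy this repo inherits is whatever that tag resolves to at each Renovate run, and the validator added in this commit checks only the local file's schema, not the preset's resolved content. The existing comment block describes the inherited policy in detail but not this trust boundary; one line such as `// Tag pin (mutable ref): the effective policy is what the preset repo's tag points to — relies on tag protection there.` would make it explicit for readers. The claim that the preset auto-bumps this pin via its own customManager appears to come from the preset README rather than anything in this repo, so a pointer to the relevant README section would let a reader verify it.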