
// SPDX-License-Identifier: AGPL-3.0-or-later
// SPDX-FileCopyrightText: 2025 Dosh LLC
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
// Renovate will open PRs to migrate configuration if needed.
configMigration: true,
extends: [
"config:recommended",
"docker:pinDigests",
"helpers:pinGitHubActionDigestsToSemver",
// Add Merge Confidence Badges to PRs in self-hosted environments.
// https://docs.renovatebot.com/merge-confidence/
"mergeConfidence:all-badges",
// Pull in the crowd-sourced list of replacements for frameworks and
// libraries that have been renamed or should be moved away from.
// Replacement PRs change the package identity, so they deserve a human
// look rather than automerge.
// https://docs.renovatebot.com/presets-replacements/#replacementsall
"replacements:all",
// For github.com repos, show the OpenSSF Scorecard badge if it exists
// (preset currently disabled).
// https://docs.renovatebot.com/presets-security/
// "security:openssf-scorecard",
// The npm release-age preset below only delays npm updates; as configured
// here, other datasources get no cooldown unless a packageRule sets
// minimumReleaseAge.
"security:minimumReleaseAgeNpm",
// Actions Churn
"group:githubArtifactActions",
// Web Dev
"group:algoliasearch-autocompleteMonorepo",
"group:eslintMonorepo",
"group:nextjsMonorepo",
"group:mdxMonorepo",
"group:react",
"group:reactMonorepo",
"group:remark",
"group:shikiMonorepo",
"workarounds:nodeDockerVersioning",
"workarounds:typesNodeVersioning",
],
// Tell Renovate to tag all PRs by default with the `dependencies` label.
// Otherwise the labels added will be whatever packageRules define below.
labels: ["dependencies"],
timezone: "America/Chicago",
// Rules to override per-package behavior. Create groups, automerge,
// add additional labels, etc.
// https://docs.renovatebot.com/configuration-options/#packagerules
packageRules: [
// Self-managed dependencies (hosted on the private Forgejo) that should be
// deployed automatically whenever a new non-major release or digest lands.
// Automerge skips human review: it trusts the internal git.auengun.net
// instance and relies on the repo's status checks passing first (Renovate's
// default unless ignoreTests is set). Digest-only updates are included, so
// a re-pointed tag on one of these repos is merged without anyone reading
// the diff.
{
matchDepNames: [
"git.auengun.net/dosh-llc/ansible-caddy",
"git.auengun.net/dosh-llc/ansible-webmin",
"git.auengun.net/dosh-llc/ansible-zero-trust",
"git.auengun.net/dosh-llc/bin-caddy",
"git.auengun.net/homelab/ansible-collection",
"git.auengun.net/homelab/image-renovate",
],
automerge: true,
matchUpdateTypes: ["minor", "patch", "digest"],
// This label doesn't control anything, but it's
// a nice visual indicator to go with the commit body
// which ends up obscured when glancing at PRs.
addLabels: ["automerge"],
},
// Group non-major updates from the github-actions manager (which also
// parses Forgejo/Gitea workflow files) into one PR.
{
groupName: "Actions Non-Major Updates",
matchManagers: ["github-actions"],
matchUpdateTypes: ["minor", "patch", "pinDigest", "digest"],
},
// Group non-major OCI image updates, including digest pins and digest
// bumps, into one PR.
{
groupName: "OCI Non-Major Updates",
matchDatasources: ["docker"],
matchUpdateTypes: ["minor", "patch", "pinDigest", "digest"],
},
{
matchDepNames: [
// These are OCI images. matchDepNames compares against the depName as
// written in the source file, so the bare names below only match
// references without a registry prefix (e.g. `mysql`, not
// `docker.io/library/mysql`).
"docker.io/library/mongo",
"docker.io/library/postgres",
"mysql",
"redis",
"traefik",
],
schedule: ["on the first day of the week"],
matchUpdateTypes: ["minor", "patch", "digest"],
},
// Infisical's GitHub repo publishes the CLI, the Docker image and other
// artifacts from one release stream. This rule extracts only the
// `infisical-cli/<version>` tags so the CLI can be tracked separately
// for use in the homelab.
{
matchDepNames: ["gh-infisical-cli"],
extractVersion: "^infisical-cli\\/(?<version>.*)$",
},
{
matchDepNames: ["infisical/infisical"],
changelogUrl: "https://github.com/Infisical/infisical/releases",
},
// Use OpenTofu's registry instead of Terraform
// https://docs.renovatebot.com/modules/manager/terraform/#terraform-vs-opentofu
{
matchDatasources: ["terraform-provider"],
registryUrls: ["https://registry.opentofu.org"],
},
// Ignore release-candidate versions (`-rcN` suffix) of certain packages
{
matchPackageNames: ["proxmox"],
allowedVersions: "!/-rc\\d*$/"
},
// Resolve gitea-releases and forgejo-releases lookups against the private
// Forgejo instance instead of the public Gitea default registry.
{
matchDatasources: ["gitea-releases", "forgejo-releases"],
registryUrls: ["https://git.auengun.net"],
},
// Internal mirrors of these lag upstream by a (few) day(s), so wait at
// least a day before proposing a release. This also gives a short cooldown
// in which a compromised or yanked upstream release can be pulled before
// Renovate picks it up.
{
matchDepNames: [
"actions/**",
"docker/**",
"external-mirrors/**",
"ghost",
],
"minimumReleaseAge": "1 days",
},
],
semanticCommits: "enabled",
// Keep the dependency dashboard issue open, never autoclose it, and do not
// gate PR creation on dashboard approval (avoids the open/close thrashing).
dependencyDashboard: true,
dependencyDashboardAutoclose: false,
dependencyDashboardApproval: false,
// Opt in to the git-submodules manager, which Renovate ships disabled by
// default.
"git-submodules": {
enabled: true,
},
"docker-compose": {
enabled: true,
},
customManagers: [
{
customType: "regex",
managerFilePatterns: [
// Nearly every YAML file in the homelab may carry a `# renovate:`
// annotated dependency somewhere, so scan them all.
"/^.*\\.ya?ml$/",
// Makefiles can use the same matcher as YAML
"/^Makefile$/",
// Ditto for Dockerfiles
"/^Dockerfile.*/",
],
matchStrings: [
// The annotation is a `# renovate:` comment on the line above the value.
// The value line itself is matched loosely: optional `export`/`ENV`/`ARG`,
// an identifier, then `:`, `=` or `?=` and the version (optionally quoted,
// optionally followed by `@sha256:...`). Everything before the separator is
// meaningful to the YAML/Makefile/Dockerfile, not to Renovate, so it is
// deliberately thrown away. The digest, when present, is captured too so
// digest-pinned values are updated alongside the tag.
"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?\\s+((export|ENV|ARG)\\s+)?[A-Za-z0-9_]+?\\s*[?:=]+?\\s*[\"']?(?<currentValue>.+?)[\"']?(@(?<currentDigest>sha256:[a-f0-9]+))?\\s",
],
},
// Find `uses: https://<host>/<org>/<repo>[/path]@<ref>` action references
// (Forgejo/Gitea style) and track the ref via git-refs unless the trailing
// comment names another datasource. Only a mutable ref (`@main`, `@v4`) is
// captured, no digest, so this manager will not detect a re-pointed tag,
// unlike the github-actions manager which the preset above pins to digests.
// Example:
// uses: https://gitea.example.com/org/repo/some/path.yml@main # renovate: datasource=gitea-tags tag = v4
{
customType: "regex",
managerFilePatterns: [
"/(^|/)(workflow-templates|\\.(?:github|gitea|forgejo)/(?:workflows|actions))/[^/]+\\.ya?ml$/",
"/(^|/)action\\.ya?ml$/",
],
matchStrings: [
"^\\s+-?\\s+?uses: (?<replaceString>['\"]?(?<depName>https?:\\/\\/[.\\w-]+\\/[\\w-]+\\/[.\\w-]+)(?<path>\\/.*)?@(?<currentValue>[^\\s'\"]+)['\"]?(?:\\s+#\\s*(?:renovate\\s*:\\s*)?(?:datasource=(?<datasource>[a-z-.]+?))?\\s*(?:pin\\s+|tag\\s*=\\s*)?@?(?<tag>v?\\d+(?:\\.\\d+(?:\\.\\d+)?)?))?)",
],
packageNameTemplate: "{{{ depName }}}",
datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}git-refs{{/if}}",
},
],
}