From 2a8c2ab4548efa520df5b8188d637bb702912ba7 Mon Sep 17 00:00:00 2001
From: Dmytro Sydorov
Date: Thu, 4 Jun 2026 15:27:22 +0200
Subject: [PATCH 1/2] ci: add renovate config
---
renovate.json | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..285fe3a
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":semanticCommits",
+ "helpers:pinGitHubActionDigests"
+ ],
+ "baseBranchPatterns": ["main"],
+ "labels": ["dependencies"],
+ "prHourlyLimit": 5,
+ "prConcurrentLimit": 10,
+ "minimumReleaseAge": "3 days",
+ "schedule": ["before 6am on monday"],
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["security"]
+ },
+ "packageRules": [
+ {
+ "description": "npm: 7-day stabilization period for all JS deps",
+ "matchManagers": ["npm"],
+ "minimumReleaseAge": "7 days"
+ },
+ {
+ "description": "npm: group all non-major updates",
+ "matchManagers": ["npm"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "groupName": "npm-non-major"
+ },
+ {
+ "description": "npm: major updates individually",
+ "matchManagers": ["npm"],
+ "matchUpdateTypes": ["major"]
+ },
+ {
+ "description": "Internal loft-sh packages are version-coordinated by hand across the UI repos that consume this library (loft-enterprise, hosted-platform). @loft-enterprise/icons is an unpinnable wildcard, and @loft-enterprise/primitives is this repo's own published name. Managed manually.",
+ "matchManagers": ["npm"],
+ "matchPackageNames": [
+ "@loft-enterprise/client",
+ "@loft-enterprise/icons",
+ "@loft-enterprise/primitives"
+ ],
+ "enabled": false
+ },
+ {
+ "description": "Peer dependencies framer-motion and tailwindcss are exact-pinned to match the loft-enterprise consumer (framer-motion 9.0.1, tailwindcss 3.4.0). Bumping them here would desync the peer contract from the consumer. Managed manually alongside loft-enterprise.",
+ "matchManagers": ["npm"],
+ "matchDepTypes": ["peerDependencies"],
+ "matchPackageNames": ["framer-motion", "tailwindcss"],
+ "enabled": false
+ },
+ {
+ "description": "Group GitHub Actions updates",
+ "matchManagers": ["github-actions"],
+ "groupName": "github-actions"
+ }
+ ],
+ "customManagers": []
+}
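Review bot: The two `"enabled": false` rules (the `@loft-enterprise/*` packages and the `framer-motion`/`tailwindcss` peer pins) take those packages out of Renovate entirely, so nothing will show when the pinned versions named in the description (framer-motion 9.0.1, tailwindcss 3.4.0) fall behind or receive a security fix. Whether the `vulnerabilityAlerts` block still raises PRs for a package disabled by a package rule is not evident from this config and is worth confirming. If the aim is only to stop automatic PRs, `"dependencyDashboardApproval": true` in place of `"enabled": false` keeps pending updates listed without opening them. The peer rule also matches only `"matchDepTypes": ["peerDependencies"]`, so if the same two packages are also listed under devDependencies (package.json is not part of this patch) those entries would still be bumped.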
From d0e857a0c4f7e4f932bd0d00b7645932a7fdfce6 Mon Sep 17 00:00:00 2001
From: Dmytro Sydorov
Date: Thu, 4 Jun 2026 15:27:26 +0200
Subject: [PATCH 2/2] ci: add renovate config validation workflow
---
.github/workflows/validate-renovate.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/workflows/validate-renovate.yaml
diff --git a/.github/workflows/validate-renovate.yaml b/.github/workflows/validate-renovate.yaml
new file mode 100644
index 0000000..d9888b2
--- /dev/null
+++ b/.github/workflows/validate-renovate.yaml
@@ -0,0 +1,22 @@
+# Caller workflow for the reusable validate-renovate workflow in loft-sh/github-actions.
+# Before committing, replace with the current commit behind the validate-renovate/v1
+# tag (keeps zizmor's unpinned-uses audit clean):
+# git ls-remote https://github.com/loft-sh/github-actions "refs/tags/validate-renovate/v1"
+name: Validate Renovate Config
+
+on:
+ pull_request:
+ paths:
+ - 'renovate.json'
+ - 'renovate.json5'
+ - '.renovaterc'
+ - '.renovaterc.json'
+
+permissions: {}
+
+jobs:
+ validate-renovate:
+ permissions:
+ contents: read
+ pull-requests: read
+ uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@b52efbd927586ea78282073f79d2423e552c9f62 # validate-renovate/v1
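Review bot: The header comment still reads as a template instruction (`# Before committing, replace with the current commit behind the validate-renovate/v1`) although the `uses:` line already carries a full commit SHA, so a reader cannot tell whether the pin was checked against the tag. I would reword it to something like `# The uses: ref below is pinned to the commit behind the validate-renovate/v1 tag; verify with:` and keep the `git ls-remote` line. Separately, the `paths:` filter does not include this workflow file, so a later change to the pinned SHA would not trigger the job; adding `- '.github/workflows/validate-renovate.yaml'` would cover that.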