renovate.json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended", "abandonments:recommended"],

  // Pull request and issue routing.
  assignees: ["kdeldycke"],
  labels: ["📦 dependencies"],
  dependencyDashboardLabels: ["📦 dependencies"],

  // Scheduling: no time-window restriction, evaluated in UTC.
  timezone: "UTC",
  schedule: ["at any time"],

  // Commit messages read like: "Update `click` to `<8.4`".
  semanticCommits: "disabled",
  commitMessageTopic: "`{{{depName}}}`",
  commitMessageExtra: "to `{{{newValue}}}`",

  // Default stabilization period: a release must be at least this old before
  // it is proposed, which leaves time for a bad or compromised release to be
  // noticed upstream. Must be > 7 days to match pyproject.toml's exclude-newer.
  minimumReleaseAge: "8 days",

  packageRules: [
    // Per-update-type stabilization periods; these override the default above.
    {
      description: "Major updates have a longer stabilization period.",
      matchUpdateTypes: ["major"],
      minimumReleaseAge: "29 days",
    },
    {
      description: "Minor updates have a moderate stabilization period.",
      matchUpdateTypes: ["minor"],
      minimumReleaseAge: "11 days",
    },
    {
      // Must be > 7 days to match pyproject.toml's exclude-newer buffer.
      description: "Patch updates have a shorter stabilization period.",
      matchUpdateTypes: ["patch"],
      minimumReleaseAge: "8 days",
    },
    {
      description: "Backtick-wrap GitHub Actions names in commit messages.",
      matchManagers: ["github-actions"],
      commitMessageTopic: "`{{{depName}}}` action",
    },
    {
      description: "Flag dependencies with no recent releases.",
      matchCurrentAge: "> 1 year",
      addLabels: ["⚠️ stale dependency"],
    },
    {
      // Runs a shell command on the Renovate host for every update that
      // touches a workflow file. Post-upgrade commands are only honored by a
      // self-hosted Renovate whose admin configuration allow-lists them.
      //
      // The command downloads a pinned uv release, checks the tarball against
      // the SHA-256 digest hard-coded below, and only then unpacks and runs it.
      // `repomatic` itself is pinned by version only, not by hash.
      // {{{packageFile}}} is a triple-stash template, so it is inserted without
      // Handlebars escaping inside the single-quoted `bash -c` string.
      // NOTE(review): confirm how the Renovate version in use quotes template
      // values for the shell.
      // NOTE(review): fixed paths under /tmp assume a single-tenant runner; on
      // a shared host a private temporary directory would be safer.
      // NOTE(review): none of the customManagers in this file match the
      // `repomatic==` pin in this command, so it looks manually maintained.
      description: "Update SHA-256 checksums after binary version bumps.",
      matchFileNames: [".github/workflows/**"],
      postUpgradeTasks: {
        commands: [
          "bash -c 'curl -fsSL https://github.com/astral-sh/uv/releases/download/0.10.7/uv-x86_64-unknown-linux-gnu.tar.gz --output /tmp/uv.tar.gz && echo 9ac6cee4e379a5abfca06e78a777b26b7ba1f81cb7935b97054d80d85ac00774 /tmp/uv.tar.gz | sha256sum --check && tar xzf /tmp/uv.tar.gz --strip-components=1 -C /tmp && /tmp/uvx --no-progress repomatic==6.4.0 update-checksums {{{packageFile}}}'",
        ],
        fileFilters: [".github/workflows/**"],
        executionMode: "update",
      },
    },
    {
      // Companion to the rule above: when the uv version in this file is
      // bumped, download the new tarball and write its SHA-256 into the file.
      //
      // The digest is computed from whatever this run downloaded, so the
      // command records a hash rather than verifying one. Treat the digest
      // change in the resulting PR as a value to check against an independent
      // source before merging.
      // The sed expression rewrites the first 64-hex-character run on every
      // line of the package file that contains "sha256sum", not only the uv
      // line.
      // {{{newVersion}}} and {{{packageFile}}} are inserted unescaped, as above.
      description: "Update uv SHA-256 checksum after version bump in Renovate config.",
      matchDepNames: ["astral-sh/uv"],
      matchFileNames: ["**/renovate.json5"],
      postUpgradeTasks: {
        commands: [
          "bash -c 'curl -fsSL https://github.com/astral-sh/uv/releases/download/{{{newVersion}}}/uv-x86_64-unknown-linux-gnu.tar.gz --output /tmp/uv.tar.gz && sed -i \"/sha256sum/s/[a-f0-9]\\{64\\}/$(sha256sum /tmp/uv.tar.gz | cut -c1-64)/\" {{{packageFile}}}'",
        ],
        fileFilters: ["**/renovate.json5"],
        executionMode: "update",
      },
    },
  ],

  // Security updates: raise PRs immediately when vulnerabilities are detected.
  // Requires "Dependabot alerts" read permission on the token.
  // NOTE(review): these PRs presumably bypass the stabilization periods set
  // above; confirm against the Renovate version in use.
  vulnerabilityAlerts: {
    enabled: true,
    labels: ["📦 dependencies", "💣 security"],
  },

  // Custom regex managers for versions hard-coded in workflow files (and, for
  // uv, in this file). Each one tracks only the version string it captures.
  customManagers: [
    {
      description: "Update npm packages in workflow install commands.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // Matches: npm install package@version or "package@version"
        "npm.+install.+?\"?(?<depName>@?[a-z0-9-]+(/[a-z0-9-]+)?)@(?<currentValue>[0-9.]+)\"?",
      ],
      datasourceTemplate: "npm",
    },
    {
      description: "Update actionlint version in download URL and matcher URL.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // The download URL contains the version twice:
        //   actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz
        // Both patterns are needed so Renovate updates both occurrences.
        "actionlint/releases/download/v(?<currentValue>[0-9.]+)/",
        "actionlint_(?<currentValue>[0-9.]+)_linux",
        // Matches: actionlint/refs/tags/v1.7.10/
        "actionlint/refs/tags/v(?<currentValue>[0-9.]+)/",
      ],
      depNameTemplate: "rhysd/actionlint",
      datasourceTemplate: "github-releases",
    },
    {
      description: "Update labelmaker version in download URL.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // Matches: labelmaker/releases/download/v0.6.4/
        "labelmaker/releases/download/v(?<currentValue>[0-9.]+)/",
      ],
      depNameTemplate: "jwodder/labelmaker",
      datasourceTemplate: "github-releases",
    },
    {
      description: "Update Python packages in uv/uvx commands.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // Matches: uvx 'package==1.2.3', uv tool install 'package==1.2.3',
        // uv pip install 'package==1.2.3', --with 'package==1.2.3',
        // also with optional extras like 'package[extra]==1.2.3'.
        // The uvx/uv/--with prefix is required so that arbitrary single-quoted
        // strings are not picked up as dependencies.
        "(?:uvx?|--with)[^'\\n]*'(?<depName>[a-z][a-z0-9_-]*)(?:\\[[^\\]]+\\])?==(?<currentValue>[0-9.]+)'",
      ],
      datasourceTemplate: "pypi",
    },
    {
      description: "Update lychee version in download URL.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // Matches: lychee/releases/download/lychee-v0.23.0/
        "lychee/releases/download/lychee-v(?<currentValue>[0-9.]+)/",
      ],
      depNameTemplate: "lycheeverse/lychee",
      datasourceTemplate: "github-releases",
      // Release tags carry a "lychee-v" prefix that is stripped to get the version.
      extractVersionTemplate: "^lychee-v(?<version>.*)$",
    },
    {
      description: "Update typos version in download URL.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // The download URL contains the version twice:
        //   typos/releases/download/v1.43.3/typos-v1.43.3-x86_64-...
        // Both patterns are needed so Renovate updates both occurrences.
        "typos/releases/download/v(?<currentValue>[0-9.]+)/",
        "typos-v(?<currentValue>[0-9.]+)-",
      ],
      depNameTemplate: "crate-ci/typos",
      datasourceTemplate: "github-releases",
    },
    {
      description: "Update Biome version in download URL.",
      customType: "regex",
      fileMatch: ["\\.github/workflows/.+\\.yaml$"],
      matchStrings: [
        // Matches: biome/releases/download/%40biomejs%2Fbiome%402.3.12/
        "biome/releases/download/%40biomejs%2Fbiome%40(?<currentValue>[0-9.]+)/",
      ],
      depNameTemplate: "biomejs/biome",
      datasourceTemplate: "github-releases",
      // Release tags look like "@biomejs/biome@<version>"; keep only the version.
      extractVersionTemplate: "^@biomejs/biome@(?<version>.*)$",
    },
    {
      // Tracks the uv version inside the postUpgradeTasks download URL in this
      // file; a bump here is what triggers the checksum-rewrite rule for
      // astral-sh/uv in packageRules.
      description: "Update uv version in postUpgradeTasks download URL.",
      customType: "regex",
      fileMatch: ["renovate\\.json5$"],
      matchStrings: [
        "uv/releases/download/(?<currentValue>[0-9.]+)/",
      ],
      depNameTemplate: "astral-sh/uv",
      datasourceTemplate: "github-releases",
    },
  ],
}