[ITEP-83030] Enable self-hosted Renovate bot to track Tracker Service Conan C++ dependencies

.github/renovate.json5

@@ -0,0 +1,117 @@
+// SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+// # SPDX-License-Identifier: Apache-2.0
+
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["config:base"],
+  description: "Renovate configuration for Tracker Service Conan C++ dependencies",
+  enabledManagers: ["conan"],
+  labels: ["dependencies", "renovate", "tracker"],
+  schedule: ["before 10am on the first day of the month"],
+  timezone: "UTC",
+  reviewers: ["saratpoluri", "dmytroye", "tdorauintc"],
+  packageRules: [
+    {
+      description: "Conan dependencies - group patch updates",
+      matchManagers: ["conan"],
+      matchUpdateTypes: ["patch"],
+      groupName: "tracker conan patch updates",
+      automerge: false,
+    },
+    {
+      description: "Conan dependencies - group minor updates",
+      matchManagers: ["conan"],
+      matchUpdateTypes: ["minor"],
+      groupName: "tracker conan minor updates",
+    },
+    {
+      description: "Conan dependencies - handle major updates individually",
+      matchManagers: ["conan"],
+      matchUpdateTypes: ["major"],
+      groupName: null,
+      labels: ["dependencies", "major-update", "tracker"],
+    },
+    {
+      description: "OpenCV updates - needs careful testing",
+      matchPackageNames: ["opencv"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "opencv", "needs-testing", "tracker"],
+      prPriority: 10,
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "OpenCV",
+    },
+    {
+      description: "Testing libraries - GTest",
+      matchPackageNames: ["gtest"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "testing", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "GTest",
+    },
+    {
+      description: "Logging libraries - Quill",
+      matchPackageNames: ["quill"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "logging", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "Quill",
+    },
+    {
+      description: "MQTT libraries - Paho MQTT",
+      matchPackageNames: ["paho-mqtt-cpp"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "mqtt", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "Paho MQTT",
+    },
+    {
+      description: "CLI libraries - CLI11",
+      matchPackageNames: ["cli11"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "cli", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "CLI11",
+    },
+    {
+      description: "HTTP libraries - cpp-httplib",
+      matchPackageNames: ["cpp-httplib"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "http", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "cpp-httplib",
+    },
+    {
+      description: "JSON libraries - RapidJSON",
+      matchPackageNames: ["rapidjson"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "json", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "RapidJSON",
+    },
+    {
+      description: "Math libraries - Eigen",
+      matchPackageNames: ["eigen"],
+      matchManagers: ["conan"],
+      labels: ["dependencies", "math", "tracker"],
+      commitMessagePrefix: "Tracker:",
+      commitMessageTopic: "Eigen",
+    },
+  ],
+  conan: {
+    enabled: true,
+    fileMatch: ["tracker/conanfile.txt$"],
+  },
+  prConcurrentLimit: 5,
+  prHourlyLimit: 2,
+  commitMessagePrefix: "Tracker Conan:",
+  semanticCommits: "enabled",
+  platformAutomerge: false,
+  rebaseWhen: "behind-base-branch",
+  separateMajorMinor: true,
+  separateMinorPatch: false,
+  rangeStrategy: "pin",
+  vulnerabilityAlerts: {
+    enabled: true,
+    labels: ["security", "tracker"],
+  },
+}

.github/workflows/renovate-config-validator.yml

@@ -0,0 +1,47 @@
+---
+# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+# Renovate configuration validator
+#
+# This workflow validates changes proposed into Renovate configuration file
+# (.github/renovate.json5) and prevents invalid configuration to be used by Renovate.
+#
+# Required Secrets:
+# - None
+#
+# Automatically triggered on:
+# - Pull requests to .github/renovate.json5.
+#
+
+name: "[Updates] Validate Renovate configuration"
+
+on:
+  pull_request:
+    paths:
+      - ".github/renovate.json5"
+
+permissions: {} # No permissions by default
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: "Checkout configuration"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Validate configuration"
+        run: |
+          # renovate: datasource=docker
+          export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:43.24
+          docker run --rm --entrypoint "renovate-config-validator" \
+          -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
+          ${RENOVATE_IMAGE} "/renovate.json5"

.github/workflows/renovate.yml

@@ -0,0 +1,94 @@
+---
+# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+# Dependencies Management Workflow
+#
+# This workflow automates the dependency management for Tracker Service C++ dependencies
+# using self-hosted Renovate to ensure dependencies remain up-to-date and security
+# fixes are delivered regularly.
+#
+# Key Features:
+# - Automated PR creation for Conan dependencies in tracker/conanfile.txt
+# - Dry-run mode for debug purposes
+# - Dependency dashboard maintenance (available in GitHub issues)
+#
+# Managed Dependencies:
+# - Conan C++ packages: quill, cli11, cpp-httplib, rapidjson, gtest, opencv, eigen, paho-mqtt-cpp
+# - Configuration: .github/renovate.json5
+# - Target file: tracker/conanfile.txt
+#
+# Process Stages:
+#
+# 1. Dependencies Management:
+#    - Runs on a daily schedule
+#    - Identifies Conan dependencies that can be updated based on .github/renovate.json5 configuration
+#    - Opens corresponding PRs with respect to schedule defined in Renovate config (monthly)
+#    - Updates Renovate Dependency dashboard available in GitHub issues
+#
+# Required Secrets:
+# - RENOVATE_APP_ID: application ID
+# - RENOVATE_APP_PEM: application private key
+#
+# Example Usage:
+# 1. Scheduled Run:
+#    Automatically runs daily (checks monthly schedule in config)
+#
+# 2. Manual Trigger:
+#    workflow_dispatch:
+#    inputs:
+#      dry-run:
+#        description: "Run Renovate in dry-run mode (no PR)"
+#        required: false
+#        default: false
+#        type: boolean
+#
+# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues.
+
+name: "[Updates] Renovate (Tracker Service)"
+on:
+  schedule:
+    # daily
+    - cron: "0 2 * * *"
+
+  # allow to manually trigger this workflow
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Run Renovate in dry-run mode (no PR)"
+        required: false
+        default: false
+        type: boolean
+
+permissions: {}
+
+jobs:
+  renovate:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Get token"
+        id: get-github-app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+      - name: "Self-hosted Renovate"
+        uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2
+        with:
+          configurationFile: .github/renovate.json5
+          token: "${{ steps.get-github-app-token.outputs.token }}"
+        env:
+          LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }}
+          # Dry run if the event is workflow_dispatch AND the dry-run input is true
+          RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }}
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: ${{ github.repository }}