Merge branch 'main' into docs/rclog

Author: jamietanna

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:14.6.20
+FROM ghcr.io/containerbase/devcontainer:14.6.23

.github/actions/calculate-prefetch-matrix/action.yml

@@ -35,7 +35,7 @@ runs:
 
     - name: Check cache miss for MacOS
       id: macos-cache
-      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: node_modules
         key: ${{ env.MACOS_KEY }}

.github/actions/setup-node/action.yml

@@ -53,7 +53,7 @@ runs:
 
     - name: Restore `node_modules`
       id: node-modules-restore
-      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: node_modules
         key: ${{ env.CACHE_KEY }}
@@ -72,7 +72,7 @@ runs:
         standalone: true
 
     - name: Setup Node
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -83,7 +83,7 @@ runs:
 
     - name: Cache and restore `pnpm store`
       if: env.CACHE_HIT != 'true'
-      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ${{ env.PNPM_STORE }}
         key: |
@@ -97,7 +97,7 @@ runs:
         enableCrossOsArchive: true
 
     - name: Install dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       if: env.CACHE_HIT != 'true'
       with:
         timeout_minutes: 10
@@ -106,7 +106,7 @@ runs:
 
     - name: Write `node_modules` cache
       if: inputs.save-cache == 'true' && env.CACHE_HIT != 'true'
-      uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: node_modules
         key: ${{ env.CACHE_KEY }}

.github/label-actions.yml

@@ -743,3 +743,15 @@
     This improves the maintainers' time to triage, as key information is clearly indicated in the format we expect.
 
     Thanks, the Renovate team
+
+'auto:monorepos-preset':
+  comment: >
+    Hi there,
+
+    When adding a new monorepo to the `monorepo.json`, please note that:
+
+    - [ ] Any dependency update(s) from this monorepo will be upgraded in a single PR
+    - [ ] If the dependencies are not all versioned identically (i.e. they're all at `16.0.5` and a release in one requires all being updated) this will lead to [Immortal PRs](https://docs.renovatebot.com/key-concepts/pull-requests/#immortal-prs)
+      - This is not be the intended behaviour, and is generally not recommended by Renovate maintainers. We only accept it if the packages strictly need to be updated together.
+
+    It is worth both the author of the PR and the reviewer confirming that this is the intended behaviour.

.github/workflows/auto-label-needs-discussion.yml

@@ -0,0 +1,67 @@
+name: 'Auto-apply `needs-discussion` label to externally raised Issues'
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  issues: write
+
+jobs:
+  label-if-external:
+    runs-on: ubuntu-latest
+    if: github.repository == 'renovatebot/renovate'
+    steps:
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const author = context.payload.issue.user.login;
+
+            let roleName;
+            try {
+              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: author,
+              });
+              roleName = data.role_name;
+            } catch (err) {
+              if (err.status === 404) {
+                // User is not a collaborator — treat as no access
+                roleName = 'none';
+              } else {
+                throw err;
+              }
+            }
+
+            // allow users who have a minimum of Triage access on the project to raise Issues without auto-labelling
+            const triagePlus = ['admin', 'maintain', 'write', 'triage'];
+            if (!triagePlus.includes(roleName)) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                labels: ['needs-discussion'],
+              });
+              core.info(`Added 'needs-discussion' label (author role: ${roleName})`);
+
+              // GitHub Actions adding the label won't trigger dessant/label-actions, so we need to do it manually
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                body: `**Please create a GitHub Discussion instead of this issue.**\n\nIssues in this repository are for creation by Maintainers only - please create a GitHub Discussion instead.\nIf needed, a Renovate maintainer will create an Issue after your Discussion been triaged and confirmed.\n\nThis Issue will now be closed and locked. We may later batch-delete this issue. This way we keep Issues actionable, and free of duplicates or wrong bug reports.\n\nThanks, the Renovate team`,
+              });
+
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                state: 'closed',
+                state_reason: 'not_planned',
+              });
+
+              core.info(`Commented and closed issue as not planned`);
+            } else {
+              core.info(`Skipping label — author has ${roleName} access`);
+            }

.github/workflows/auto-pr.yml

@@ -4,10 +4,17 @@ on:
   pull_request_target:
     types:
       - opened
+      - ready_for_review
+      - converted_to_draft
 
 jobs:
   review:
-    if: github.event.action == 'opened' && !endsWith(github.event.pull_request.user.login, '[bot]')
+    if: >-
+      !endsWith(github.event.pull_request.user.login, '[bot]') &&
+      (
+        (github.event.action == 'opened' && !github.event.pull_request.draft) ||
+        github.event.action == 'ready_for_review'
+      )
     runs-on: ubuntu-24.04
     permissions:
       pull-requests: write
@@ -16,3 +23,31 @@ jobs:
         with:
           reviewers: ${{ vars.REVIEWERS }}
           max-num-of-reviewers: 2
+
+  remove-review:
+    if: >-
+      !endsWith(github.event.pull_request.user.login, '[bot]') &&
+      github.event.action == 'converted_to_draft'
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const { data: { users, teams } } = await github.rest.pulls.listRequestedReviewers({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            const reviewers = users.map(u => u.login);
+            const team_reviewers = teams.map(t => t.slug);
+            if (reviewers.length || team_reviewers.length) {
+              await github.rest.pulls.removeRequestedReviewers({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                reviewers,
+                team_reviewers,
+              });
+            }

.github/workflows/build.yml

@@ -238,7 +238,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Restore prettier cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .cache/prettier
           # we need to add the hash because prettier cache doesn't detect plugin changes
@@ -256,7 +256,7 @@ jobs:
 
       - name: Save prettier cache
         if: github.event_name == 'push'
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .cache/prettier
           key: prettier-cache-${{ hashFiles('pnpm-lock.yaml', 'package.json') }}-${{ github.run_id }}-${{ github.run_attempt }}
@@ -313,7 +313,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Restore tsbuildinfo cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .cache/tsbuildinfo
           key: tsbuildinfo-${{ hashFiles('pnpm-lock.yaml') }}
@@ -324,7 +324,7 @@ jobs:
 
       - name: Save tsbuildinfo cache
         if: github.event_name == 'push'
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .cache/tsbuildinfo
           key: tsbuildinfo-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.run_attempt }}
@@ -362,9 +362,9 @@ jobs:
           args: -color -ignore "invalid activity type \"destroyed\" for \"merge_group\" Webhook event. available types are \"checks_requested\""
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
         with:
-          version: v1.23.1
+          version: 1.24.1
 
   test:
     needs: [setup, prefetch]
@@ -398,7 +398,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Cache vitest
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .cache/vitest
           key: |
@@ -812,7 +812,7 @@ jobs:
       - run: df -h
 
       - name: docker-config
-        uses: containerbase/internal-tools@c5b576e3871ea09b535647f7826a5869e98e560d # v4.5.19
+        uses: containerbase/internal-tools@c5bbb40464e0ca4dd03b5bb10331eb331762e125 # v4.5.28
         with:
           command: docker-config
 
@@ -914,7 +914,7 @@ jobs:
           curl --retry 5 --silent https://renovatebot.github.io/helm-charts/index.yaml -o tools/mkdocs/site/helm-charts/index.yaml
 
       - name: Upload GitHub Pages artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: tools/mkdocs/site
 
@@ -930,7 +930,7 @@ jobs:
     steps:
       - name: Post to Slack
         id: slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           webhook: ${{ secrets.RENOVATEBOT_SLACK_WEBHOOK_MAIN_FAILURES }}
           webhook-type: incoming-webhook
@@ -950,7 +950,7 @@ jobs:
     steps:
       - name: Post to Slack
         id: slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           webhook: ${{ secrets.RENOVATEBOT_SLACK_WEBHOOK_MAIN_FAILURES }}
           webhook-type: incoming-webhook

.github/workflows/check-commit-messages.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check for 'Closes \#' in commit messages
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             // Co-authored-by: Claude Sonnet 4.5 (GitHub Copilot)

.github/workflows/close-answered-discussions.yml

@@ -22,7 +22,7 @@ jobs:
         with:
           show-progress: false
 
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const script = require('.github/workflows/close-answered-discussions/script.js')

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2