From 74fdc0cef73c65a66943ea26e62d71270116ed03 Mon Sep 17 00:00:00 2001 From: Marcel Date: Sat, 13 Jun 2026 11:16:11 +0200 Subject: [PATCH] feat(devops): migrate deprecated renovate.json keys + enable vuln surfacing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit matchPackagePatterns → matchPackageNames (regex-glob form /^@tiptap/) matchPaths → matchFileNames for the digest-bump rule. Adds osvVulnerabilityAlerts, dependencyDashboard, vulnerabilityAlerts (labels: security + P1-high), a weekly routine schedule, and lockFileMaintenance (no automerge) so newly-published advisories are surfaced proactively rather than discovered on contributor PRs. Closes part of #818. Co-Authored-By: Claude Sonnet 4.6
---
 renovate.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/renovate.json b/renovate.json
index 2b4af645..bae03932 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,15 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "osvVulnerabilityAlerts": true,
+ "dependencyDashboard": true,
+ "schedule": ["before 6am on monday"],
+ "vulnerabilityAlerts": {
+ "labels": ["security", "P1-high"]
+ },
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 6am on monday"]
+ },
 "packageRules": [
 {
 "description": "bucket4j-core is manually pinned outside the Spring BOM — track patch auto-merge, minor/major as PRs.",
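Review bot: The `lockFileMaintenance` block added here sets only `enabled` and `schedule`, while the commit message promises "no automerge"; that holds today only because Renovate's default is off, so a later top-level `"automerge": true` would silently extend to the weekly lock-file refresh. Adding `"automerge": false` inside the block pins the intent explicitly, the same way the tiptap and digest rules further down the file do. This matters because, per Renovate's documentation, `osvVulnerabilityAlerts` raises fixes for direct dependencies only, so the lock-file PR is likely the only place transitive updates land, and it rewrites many resolved versions at once. It is also worth confirming that the `security` and `P1-high` labels exist on the forge, since a label Renovate cannot resolve may simply not be applied.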
@@ -9,13 +19,13 @@
 "matchUpdateTypes": ["patch"]
 },
 {
- "matchPackagePatterns": ["^@tiptap/"],
+ "matchPackageNames": ["/^@tiptap/"],
 "groupName": "tiptap",
 "automerge": false
 },
 {
 "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
- "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
+ "matchFileNames": [".gitea/workflows/**", ".gitea/actions/**"],
 "matchUpdateTypes": ["digest"],
 "automerge": false,
 "reviewersFromCodeOwners": false
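Review bot: The manual-review rule at the end of this hunk still matches only `"matchUpdateTypes": ["digest"]`, so a tag bump that carries a new digest (update type `major`/`minor`/`patch`) or a first `pinDigest` for images under `.gitea/workflows/**` and `.gitea/actions/**` falls outside the guard its description calls for. Nothing visible here automerges those update types, but given the root-equivalent host access the description cites, the rule would be sturdier as `"matchUpdateTypes": ["digest", "pinDigest", "major", "minor", "patch"]`, or with the type matcher dropped so the paths alone decide. The rule object continues past the end of the hunk, so matchers outside it may already narrow or widen this. Because both renames change matcher syntax, running `renovate-config-validator` against the file would confirm the deployed Renovate accepts `matchFileNames` and reads `/^@tiptap/` as a regex rather than a literal package name.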