feat(devops): migrate deprecated renovate.json keys + enable vuln surfacing

matchPackagePatterns → matchPackageNames (regex-glob form /^@tiptap/) matchPaths → matchFileNames for the digest-bump rule. Adds osvVulnerabilityAlerts, dependencyDashboard, vulnerabilityAlerts (labels: security + P1-high), a weekly routine schedule, and lockFileMaintenance (no automerge) so newly-published advisories are surfaced proactively rather than discovered on contributor PRs. Closes part of #818. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 11:16:11 +02:00
parent bde1237358
commit 74fdc0cef7
1 changed files with 12 additions and 2 deletions
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,15 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "osvVulnerabilityAlerts": true,
+  "dependencyDashboard": true,
+  "schedule": ["before 6am on monday"],
+  "vulnerabilityAlerts": {
+    "labels": ["security", "P1-high"]
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": ["before 6am on monday"]
+  },
  "packageRules": [
    {
      "description": "bucket4j-core is manually pinned outside the Spring BOM — track patch auto-merge, minor/major as PRs.",
@@ -9,13 +19,13 @@
      "matchUpdateTypes": ["patch"]
    },
    {
-      "matchPackagePatterns": ["^@tiptap/"],
+      "matchPackageNames": ["/^@tiptap/"],
      "groupName": "tiptap",
      "automerge": false
    },
    {
      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
-      "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
+      "matchFileNames": [".gitea/workflows/**", ".gitea/actions/**"],
      "matchUpdateTypes": ["digest"],
      "automerge": false,
      "reviewersFromCodeOwners": false