{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "packageRules": [ { "description": "bucket4j-core is manually pinned outside the Spring BOM — track it here: patch updates auto-merge, minor/major updates arrive as PRs.", "matchPackageNames": ["com.bucket4j:bucket4j-core"], "groupName": "bucket4j", "automerge": true, "matchUpdateTypes": ["patch"] }, { "matchPackagePatterns": ["^@tiptap/"], "groupName": "tiptap", "automerge": false }, { "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).", "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"], "matchUpdateTypes": ["digest"], "automerge": false, "reviewersFromCodeOwners": false } ] }