{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "packageRules": [ { "matchPackagePatterns": ["^@tiptap/"], "groupName": "tiptap", "automerge": false }, { "description": "Never automerge digest bumps under .gitea/workflows/**: images used in privileged CI steps (--privileged --pid=host) must be reviewed manually, because a compromised image has root-equivalent host access. This rule only disables automerge; it does not itself assign reviewers.", "matchPaths": [".gitea/workflows/**"], "matchUpdateTypes": ["digest"], "automerge": false, "reviewersFromCodeOwners": false } ] }