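---
# Renovate runner workflow (Gitea Actions).
#
# Runs Renovate daily to surface newly-published advisories via OSV.dev
# (osvVulnerabilityAlerts) and open routine update PRs on a weekly batch
# schedule (see renovate.json §schedule). Security/vulnerability PRs are
# raised immediately regardless of the weekly schedule window.
#
# Required Gitea secrets (see docs/adr/041-renovate-runner-setup.md):
#   RENOVATE_TOKEN — PAT with scopes: contents + pull_request + issues.
#                    Belongs to a dedicated bot account. Branch protection
#                    on main must forbid this bot pushing directly.
#
# Platform config is injected via env vars below; the renovate.json in the
# repo root carries only dependency rules (no platform/endpoint/repos).
#
# Digest pin: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd
# corresponds to release v46.1.15. Update by bumping both the digest and the
# renovate-version when Renovate publishes a new release. Renovate itself
# will open a PR to bump this digest once it runs.
name: Renovate

# `on` is a YAML 1.1 boolean; the workflow loader reads it as a key, so the
# linter's truthy rule is suppressed for this line only.
on: # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 3 * * *" # daily at 03:00 UTC — cuts OSV-alert latency to ≤1 day
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # Checkout is needed only so the Renovate action can read
      # renovate.json from the workspace; nothing in this job pushes via the
      # checked-out clone, so the job token is not persisted into
      # .git/config (least privilege — Renovate authenticates with
      # RENOVATE_TOKEN on its own).
      # TODO(ADR-041): pin to a full commit SHA (with the release tag as a
      # trailing comment), as is already done for the Renovate action below;
      # a mutable tag contradicts the pinning policy stated there.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run Renovate
        # Pinned by digest — this step receives the RENOVATE_TOKEN PAT
        # (contents+pull_request+issues), so an unpinned tag would be a
        # supply-chain risk (see ADR-041).
        uses: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd # v46.1.15
        with:
          configurationFile: renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
          # Renovate CLI version run by the action; keep in lockstep with the
          # action digest above.
          renovate-version: "46.1.15"
        env:
          # Platform wiring lives here rather than in renovate.json so the
          # repo config stays portable and secret-free.
          RENOVATE_PLATFORM: gitea
          RENOVATE_ENDPOINT: https://git.raddatz.cloud
          # JSON array as a string — Renovate parses it into the repo list.
          RENOVATE_REPOSITORIES: '["marcel/familienarchiv"]'
          LOG_LEVEL: info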