74fdc0cef7
matchPackagePatterns → matchPackageNames (regex-glob form /^@tiptap/) matchPaths → matchFileNames for the digest-bump rule. Adds osvVulnerabilityAlerts, dependencyDashboard, vulnerabilityAlerts (labels: security + P1-high), a weekly routine schedule, and lockFileMaintenance (no automerge) so newly-published advisories are surfaced proactively rather than discovered on contributor PRs. Closes part of #818. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
35 lines
1.2 KiB
JSON
35 lines
1.2 KiB
JSON
{
|
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
"osvVulnerabilityAlerts": true,
|
|
"dependencyDashboard": true,
|
|
"schedule": ["before 6am on monday"],
|
|
"vulnerabilityAlerts": {
|
|
"labels": ["security", "P1-high"]
|
|
},
|
|
"lockFileMaintenance": {
|
|
"enabled": true,
|
|
"schedule": ["before 6am on monday"]
|
|
},
|
|
"packageRules": [
|
|
{
|
|
"description": "bucket4j-core is manually pinned outside the Spring BOM — track patch auto-merge, minor/major as PRs.",
|
|
"matchPackageNames": ["com.bucket4j:bucket4j-core"],
|
|
"groupName": "bucket4j",
|
|
"automerge": true,
|
|
"matchUpdateTypes": ["patch"]
|
|
},
|
|
{
|
|
"matchPackageNames": ["/^@tiptap/"],
|
|
"groupName": "tiptap",
|
|
"automerge": false
|
|
},
|
|
{
|
|
"description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
|
|
"matchFileNames": [".gitea/workflows/**", ".gitea/actions/**"],
|
|
"matchUpdateTypes": ["digest"],
|
|
"automerge": false,
|
|
"reviewersFromCodeOwners": false
|
|
}
|
|
]
|
|
}
|