From 4e6245c516d6aa9ee539627b79de8066589c8b01 Mon Sep 17 00:00:00 2001
From: Jakub Recman
Date: Wed, 18 Feb 2026 09:57:02 +0100
Subject: [PATCH] Add Renovate config
---
 README.md | 13 +++++++++-
 renovate.json5 | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 renovate.json5
diff --git a/README.md b/README.md
index c4022be..2d2d4a1 100644
--- a/README.md
+++ b/README.md
@@ -20,4 +20,15 @@ jobs:
 uses: EO-DataHub/github-actions/.github/workflows/unit-tests-python-uv.yaml@main
 with:
 PYTHON_VERSION: "3.12"
-```
\ No newline at end of file
+```
+
+## Renovate config
+
+`renovate.json5` defines configuration of Renovate Bot to maintain and upgrade dependencies. This is easily reusable by extending the project's Renovate config (`.github/renovate.json`):
+
+```
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["github>EO-DataHub/github-actions"]
+}
+```
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..43938db
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,65 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+ "extends": [
+ // Core behavior
+ ":dependencyDashboard",
+ ":configMigration",
+ ":semanticCommits",
+ ":semanticPrefixFixDepsChoreOthers",
+ ":ignoreModulesAndTests",
+
+ // Grouping
+ "group:monorepos",
+ "group:recommended",
+
+ // Scheduling & automerge
+ "schedule:weekly",
+ ":maintainLockFilesWeekly",
+ ":automergePatch",
+
+ // Pinning
+ ":pinDevDependencies",
+ "docker:pinDigests",
+ "helpers:pinGitHubActionDigests",
+
+ // Security
+ "security:minimumReleaseAgeNpm",
+ "security:openssf-scorecard",
+ "mergeConfidence:age-confidence-badges",
+
+ // Docker
+ "preview:dockerCompose",
+ "preview:dockerVersions",
+
+ // Housekeeping
+ "abandonments:recommended",
+ "replacements:all",
+ "workarounds:all",
+ "helpers:githubDigestChangelogs"
+ ],
+
+ "prConcurrentLimit": 5,
+
+ // This requires "Dependabot alerts" enabled
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "addLabels": ["security"],
+ "schedule": ["at any time"]
+ },
+
+ "packageRules": [
+ {
+ "description": "Skip internal reusable workflows and actions",
+ "matchManagers": ["github-actions"],
+ "matchPackageNames": ["EO-DataHub/github-actions"],
+ "enabled": false
+ },
+ {
+ "description": "Pin dev dependency-groups (dependency groups PEP 735)",
+ "matchManagers": ["pep621"],
+ "matchDepTypes": ["dependency-groups"],
+ "rangeStrategy": "pin"
+ }
+ ]
+}
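Review bot: `:automergePatch` in the "Scheduling & automerge" group merges patch updates without a reviewer, but the only release-age gate in the "Security" group is `security:minimumReleaseAgeNpm`, which covers npm packages only, while the package rules further down target `pep621` and `github-actions`. A freshly published, possibly compromised, patch release from PyPI or a container registry would therefore be eligible for automerge as soon as the weekly schedule window opens. Consider a top-level `"minimumReleaseAge": "3 days",` next to `prConcurrentLimit`, so the cooldown applies to every datasource that exposes release timestamps. Whether an automerged PR can actually land unreviewed also depends on each consuming repository's branch protection and required checks, which this file does not show.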