chore: Configure Renovate

[renovate]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

---

Detected Package Files

• rust/Cargo.toml (cargo)
• contrib/vertobot/cpanfile (cpanfile)
• contrib/docker/docker-compose.yml (docker-compose)
• contrib/docker_compose_workers/docker-compose.yaml (docker-compose)
• otlp-test/docker-compose.yaml (docker-compose)
• docker/Dockerfile (dockerfile)
• docker/Dockerfile-dhvirtualenv (dockerfile)
• docker/Dockerfile-famedly (dockerfile)
• docker/Dockerfile-workers (dockerfile)
• docker/complement/Dockerfile (dockerfile)
• docker/editable.Dockerfile (dockerfile)
• .github/workflows/complement_tests.yml (github-actions)
• .github/workflows/docker-famedly.yml (github-actions)
• .github/workflows/docker-pr-dev.yml (github-actions)
• .github/workflows/docker.yml (github-actions)
• .github/workflows/docs-pr.yaml (github-actions)
• .github/workflows/docs.yaml (github-actions)
• .github/workflows/famedly-tests.yml (github-actions)
• .github/workflows/fix_lint.yaml (github-actions)
• .github/workflows/latest_deps.yml (github-actions)
• .github/workflows/poetry_lockfile.yaml (github-actions)
• .github/workflows/push_complement_image.yml (github-actions)
• .github/workflows/release-artifacts.yml (github-actions)
• .github/workflows/schema.yaml (github-actions)
• .github/workflows/tests.yml (github-actions)
• .github/workflows/triage-incoming.yml (github-actions)
• .github/workflows/triage_labelled.yml (github-actions)
• .github/workflows/twisted_trunk.yml (github-actions)
• .gitlab-ci.yml (gitlabci)
• complement/go.mod (gomod)
• pyproject.toml (poetry)

Configuration Summary

Based on the default config's presets, Renovate will:

• Start dependency updates only once this onboarding PR is merged
• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from GitLab.com contains a link to the commit-to-commit diff
• Correctly link to the source code for golang.org/x packages
• Link to pkg.go.dev/... for golang.org/x packages' title

---

What to Expect

With your current configuration, Renovate will create 83 Pull Requests:

Update dependency authlib to v1.6.12 [SECURITY]

• Branch name: renovate/pypi-authlib-vulnerability
• Merge into: master
• Upgrade authlib to 1.6.12

Update dependency gitpython to v3.1.50 [SECURITY]

• Branch name: renovate/pypi-gitpython-vulnerability
• Merge into: master
• Upgrade gitpython to 3.1.50

Update dependency python-multipart to v0.0.27 [SECURITY]

• Branch name: renovate/pypi-python-multipart-vulnerability
• Merge into: master
• Upgrade python-multipart to 0.0.27

Update dependency idna to v3.15 [SECURITY]

• Branch name: renovate/pypi-idna-vulnerability
• Merge into: master
• Upgrade idna to 3.15

Update dependency lxml to v6.1.0 [SECURITY]

• Branch name: renovate/pypi-lxml-vulnerability
• Merge into: master
• Upgrade lxml to 6.1.0

Update dependency urllib3 to v2.7.0 [SECURITY]

• Branch name: renovate/pypi-urllib3-vulnerability
• Merge into: master
• Upgrade urllib3 to 2.7.0

Update dependency Twisted to v26 [SECURITY]

• Branch name: renovate/pypi-twisted-vulnerability
• Merge into: master
• Upgrade Twisted to 26.4.0

Update dtolnay/rust-toolchain digest to 3c5f7ea

• Schedule: ["at any time"]
• Branch name: renovate/dtolnay-rust-toolchain-digest
• Merge into: master
• Upgrade dtolnay/rust-toolchain to 3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9

Update github.com/matrix-org/complement digest to 6be1478

• Schedule: ["at any time"]
• Branch name: renovate/github.com-matrix-org-complement-digest
• Merge into: master
• Upgrade github.com/matrix-org/complement to 6be1478db0be

Update github.com/matrix-org/gomatrixserverlib digest to c9c4687

• Schedule: ["at any time"]
• Branch name: renovate/github.com-matrix-org-gomatrixserverlib-digest
• Merge into: master
• Upgrade github.com/matrix-org/gomatrixserverlib to c9c468727353

Update dependency phonenumbers to v9.0.31

• Schedule: ["at any time"]
• Branch name: renovate/phonenumbers-9.x-lockfile
• Merge into: master
• Upgrade phonenumbers to 9.0.31

Update dependency psycopg2 to v2.9.12

• Schedule: ["at any time"]
• Branch name: renovate/psycopg2-2.x-lockfile
• Merge into: master
• Upgrade psycopg2 to 2.9.12

Update dependency pygithub to v2.9.1

• Schedule: ["at any time"]
• Branch name: renovate/pygithub-2.x-lockfile
• Merge into: master
• Upgrade pygithub to 2.9.1

Update dependency pysaml2 to v7.5.4

• Schedule: ["at any time"]
• Branch name: renovate/pysaml2-7.x-lockfile
• Merge into: master
• Upgrade pysaml2 to 7.5.4

Update dependency setuptools_rust to v1.12.1

• Schedule: ["at any time"]
• Branch name: renovate/setuptools_rust-1.x-lockfile
• Merge into: master
• Upgrade setuptools_rust to 1.12.1

Update dependency tomli to v2.4.1

• Schedule: ["at any time"]
• Branch name: renovate/tomli-2.x-lockfile
• Merge into: master
• Upgrade tomli to 2.4.1

Update dependency tornado to v6.5.6

• Schedule: ["at any time"]
• Branch name: renovate/tornado-6.x-lockfile
• Merge into: master
• Upgrade tornado to 6.5.6

Update dependency txredisapi to v1.4.12

• Schedule: ["at any time"]
• Branch name: renovate/txredisapi-1.x-lockfile
• Merge into: master
• Upgrade txredisapi to 1.4.12

Update dependency types-bleach to v6.3.0.20260508

• Schedule: ["at any time"]
• Branch name: renovate/types-bleach-6.x-lockfile
• Merge into: master
• Upgrade types-bleach to 6.3.0.20260508

Update dependency types-jsonschema to v4.26.0.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-jsonschema-4.x-lockfile
• Merge into: master
• Upgrade types-jsonschema to 4.26.0.20260518

Update dependency types-netaddr to v1.3.0.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-netaddr-1.x-lockfile
• Merge into: master
• Upgrade types-netaddr to 1.3.0.20260518

Update dependency types-opentracing to v2.4.10.20260408

• Schedule: ["at any time"]
• Branch name: renovate/types-opentracing-2.x-lockfile
• Merge into: master
• Upgrade types-opentracing to 2.4.10.20260408

Update dependency types-psycopg2 to v2.9.21.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-psycopg2-2.x-lockfile
• Merge into: master
• Upgrade types-psycopg2 to 2.9.21.20260518

Update dependency types-pyyaml to v6.0.12.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-pyyaml-6.x-lockfile
• Merge into: master
• Upgrade types-pyyaml to 6.0.12.20260518

Update dependency types-setuptools to v82.0.0.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-setuptools-82.x-lockfile
• Merge into: master
• Upgrade types-setuptools to 82.0.0.20260518

Update docker.io/library/debian Docker tag to trixie-20260518

• Schedule: ["at any time"]
• Branch name: renovate/docker.io-library-debian-13.x
• Merge into: master
• Upgrade docker.io/library/debian to trixie-20260518

Update Rust crate http to v1.4.1

• Schedule: ["at any time"]
• Branch name: renovate/http-1.x-lockfile
• Merge into: master
• Upgrade http to 1.4.1

Update Rust crate log to v0.4.30

• Schedule: ["at any time"]
• Branch name: renovate/log-0.x-lockfile
• Merge into: master
• Upgrade log to 0.4.30

Update Rust crate serde_json to v1.0.150

• Schedule: ["at any time"]
• Branch name: renovate/serde_json-1.x-lockfile
• Merge into: master
• Upgrade serde_json to 1.0.150

Update sigstore/cosign-installer action to v4.1.2

• Schedule: ["at any time"]
• Branch name: renovate/sigstore-cosign-installer-4.x
• Merge into: master
• Upgrade sigstore/cosign-installer to 6f9f17788090df1f26f669e9d70d6ae9567deba6

Update actions/setup-python action to v6.2.0

• Schedule: ["at any time"]
• Branch name: renovate/actions-setup-python-6.x
• Merge into: master
• Upgrade actions/setup-python to a309ff8b426b58ec0e2a45f0f869d46889d02405

Update dependency click to v8.4.1

• Schedule: ["at any time"]
• Branch name: renovate/click-8.x-lockfile
• Merge into: master
• Upgrade click to 8.4.1

Update dependency Future to v0.52

• Schedule: ["at any time"]
• Branch name: renovate/future-0.x
• Merge into: master
• Upgrade Future to 0.52

Update dependency IO::Async to v0.805

• Schedule: ["at any time"]
• Branch name: renovate/io-async-0.x
• Merge into: master
• Upgrade IO::Async to 0.805

Update dependency IO::Async::SSL to v0.25

• Schedule: ["at any time"]
• Branch name: renovate/io-async-ssl-0.x
• Merge into: master
• Upgrade IO::Async::SSL to 0.25

Update dependency markdown-it-py to v4.2.0

• Schedule: ["at any time"]
• Branch name: renovate/markdown-it-py-4.x-lockfile
• Merge into: master
• Upgrade markdown-it-py to 4.2.0

Update dependency Net::Async::Matrix to v0.19

• Schedule: ["at any time"]
• Branch name: renovate/net-async-matrix-0.x
• Merge into: master
• Upgrade Net::Async::Matrix to 0.19

Update dependency Net::Async::WebSocket::Protocol to v0.14

• Schedule: ["at any time"]
• Branch name: renovate/net-async-websocket-protocol-0.x
• Merge into: master
• Upgrade Net::Async::WebSocket::Protocol to 0.14

Update dependency packaging to v26.2

• Schedule: ["at any time"]
• Branch name: renovate/packaging-26.x-lockfile
• Merge into: master
• Upgrade packaging to 26.2

Update dependency parent to v0.244

• Schedule: ["at any time"]
• Branch name: renovate/parent-0.x
• Merge into: master
• Upgrade parent to 0.244

Update dependency prometheus-client to v0.25.0

• Schedule: ["at any time"]
• Branch name: renovate/prometheus-client-0.x-lockfile
• Merge into: master
• Upgrade prometheus-client to 0.25.0

Update dependency pydantic to v2.13.4

• Schedule: ["at any time"]
• Branch name: renovate/pydantic-2.x-lockfile
• Merge into: master
• Upgrade pydantic to 2.13.4

Update dependency pympler to v1.1

• Schedule: ["at any time"]
• Branch name: renovate/pympler-1.x-lockfile
• Merge into: master
• Upgrade pympler to 1.1

Update dependency pyOpenSSL to v26.2.0

• Schedule: ["at any time"]
• Branch name: renovate/pyopenssl-26.x-lockfile
• Merge into: master
• Upgrade pyOpenSSL to 26.2.0

Update dependency python to 3.14

• Schedule: ["at any time"]
• Branch name: renovate/python-3.x
• Merge into: master
• Upgrade python to 3.14

Update dependency pytz to v2026.2

• Schedule: ["at any time"]
• Branch name: renovate/pytz-2026.x-lockfile
• Merge into: master
• Upgrade pytz to 2026.2

Update dependency requests to v2.34.2

• Schedule: ["at any time"]
• Branch name: renovate/requests-2.x-lockfile
• Merge into: master
• Upgrade requests to 2.34.2

Update dependency ruff to v0.15.14

• Schedule: ["at any time"]
• Branch name: renovate/ruff-0.x
• Merge into: master
• Upgrade ruff to ==0.15.14

Update dependency sentry-sdk to v2.60.0

• Schedule: ["at any time"]
• Branch name: renovate/sentry-sdk-2.x-lockfile
• Merge into: master
• Upgrade sentry-sdk to 2.60.0

Update dependency sqlglot to v30.8.0

• Schedule: ["at any time"]
• Branch name: renovate/sqlglot-30.x-lockfile
• Merge into: master
• Upgrade sqlglot to 30.8.0

Update dependency thrift to v0.23.0

• Schedule: ["at any time"]
• Branch name: renovate/thrift-0.x-lockfile
• Merge into: master
• Upgrade thrift to 0.23.0

Update dependency types-requests to v2.33.0.20260518

• Schedule: ["at any time"]
• Branch name: renovate/types-requests-2.x-lockfile
• Merge into: master
• Upgrade types-requests to 2.33.0.20260518

Update dependency zope-interface to v8.5

• Schedule: ["at any time"]
• Branch name: renovate/zope-interface-8.x-lockfile
• Merge into: master
• Upgrade zope-interface to 8.5

Update docker.io/library/python Docker tag to v3.14

• Schedule: ["at any time"]
• Branch name: renovate/docker.io-library-python-3.x
• Merge into: master
• Upgrade docker.io/library/python to 3.14-slim-trixie

Update docker.io/python Docker tag to v3.14

• Schedule: ["at any time"]
• Branch name: renovate/docker.io-python-3.x
• Merge into: master
• Upgrade docker.io/python to 3.14-slim

Update go toolchain directive to v1.26.3

• Schedule: ["at any time"]
• Branch name: renovate/go-1.x
• Merge into: master
• Upgrade go to 1.26.3

Update module github.com/tidwall/gjson to v1.19.0

• Schedule: ["at any time"]
• Branch name: renovate/github.com-tidwall-gjson-1.x
• Merge into: master
• Upgrade github.com/tidwall/gjson to v1.19.0

Update opentelemetry-python monorepo to v1.42.1

• Schedule: ["at any time"]
• Branch name: renovate/opentelemetry-python-monorepo
• Merge into: master
• Upgrade opentelemetry-api to ==1.42.1
• Upgrade opentelemetry-exporter-otlp to ==1.42.1
• Upgrade opentelemetry-sdk to ==1.42.1

Update otel/opentelemetry-collector Docker tag to v0.153.0

• Schedule: ["at any time"]
• Branch name: renovate/otel-opentelemetry-collector-0.x
• Merge into: master
• Upgrade otel/opentelemetry-collector to 0.153.0

Update Rust crate icu_segmenter to v2.2.0

• Schedule: ["at any time"]
• Branch name: renovate/icu_segmenter-2.x-lockfile
• Merge into: master
• Upgrade icu_segmenter to 2.2.0

Update Rust crate reqwest to 0.13.0

• Schedule: ["at any time"]
• Branch name: renovate/reqwest-0.x
• Merge into: master
• Upgrade reqwest to 0.13.0

Update Rust crate sha2 to 0.11.0

• Schedule: ["at any time"]
• Branch name: renovate/sha2-0.x
• Merge into: master
• Upgrade sha2 to 0.11.0

Update Rust crate tokio to v1.52.3

• Schedule: ["at any time"]
• Branch name: renovate/tokio-1.x-lockfile
• Merge into: master
• Upgrade tokio to 1.52.3

Update Swatinem/rust-cache action to v2.9.1

• Schedule: ["at any time"]
• Branch name: renovate/swatinem-rust-cache-2.x
• Merge into: master
• Upgrade Swatinem/rust-cache to c19371144df3bb44fab255c43d04cbc2ab54d1c4

Update actions/cache action to v5

• Schedule: ["at any time"]
• Branch name: renovate/actions-cache-5.x
• Merge into: master
• Upgrade actions/cache to v5

Update actions/checkout action to v6

• Schedule: ["at any time"]
• Branch name: renovate/actions-checkout-6.x
• Merge into: master
• Upgrade actions/checkout to v6

Update actions/setup-go action to v6

• Schedule: ["at any time"]
• Branch name: renovate/actions-setup-go-6.x
• Merge into: master
• Upgrade actions/setup-go to v6

Update actions/upload-artifact action to v7

• Schedule: ["at any time"]
• Branch name: renovate/major-github-artifact-actions
• Merge into: master
• Upgrade actions/upload-artifact to v7

Update codecov/codecov-action action to v6

• Schedule: ["at any time"]
• Branch name: renovate/codecov-codecov-action-6.x
• Merge into: master
• Upgrade codecov/codecov-action to v6

Update dependency cryptography to v48

• Schedule: ["at any time"]
• Branch name: renovate/cryptography-48.x-lockfile
• Merge into: master
• Upgrade cryptography to 48.0.0

Update dependency Data::UUID to v1

• Schedule: ["at any time"]
• Branch name: renovate/data-uuid-1.x
• Merge into: master
• Upgrade Data::UUID to 1.227

Update dependency Getopt::Long to v2

• Schedule: ["at any time"]
• Branch name: renovate/getopt-long-2.x
• Merge into: master
• Upgrade Getopt::Long to 2.58

Update dependency IO::Socket::SSL to v2

• Schedule: ["at any time"]
• Branch name: renovate/io-socket-ssl-2.x
• Merge into: master
• Upgrade IO::Socket::SSL to 2.098

Update dependency JSON to v4

• Schedule: ["at any time"]
• Branch name: renovate/json-4.x
• Merge into: master
• Upgrade JSON to 4.11

Update dependency ubuntu to v24

• Schedule: ["at any time"]
• Branch name: renovate/ubuntu-24.x
• Merge into: master
• Upgrade ubuntu to 24.04

Update dependency YAML to v1

• Schedule: ["at any time"]
• Branch name: renovate/yaml-1.x
• Merge into: master
• Upgrade YAML to 1.31

Update docker.io/library/postgres Docker tag to v18

• Schedule: ["at any time"]
• Branch name: renovate/docker.io-library-postgres-18.x
• Merge into: master
• Upgrade docker.io/library/postgres to 18-trixie

Update docker.io/postgres Docker tag to v18

• Schedule: ["at any time"]
• Branch name: renovate/docker.io-postgres-18.x
• Merge into: master
• Upgrade docker.io/postgres to 18-alpine

Update docker/build-push-action action to v7.2.0

• Schedule: ["at any time"]
• Branch name: renovate/docker-build-push-action-7.x
• Merge into: master
• Upgrade docker/build-push-action to f9f3042f7e2789586610d6e8b85c8f03e5195baf
• Upgrade docker/build-push-action to v7

Update docker/login-action action to v4.2.0

• Schedule: ["at any time"]
• Branch name: renovate/docker-login-action-4.x
• Merge into: master
• Upgrade docker/login-action to 650006c6eb7dba73a995cc03b0b2d7f5ca915bee
• Upgrade docker/login-action to v4

Update docker/metadata-action action to v6.1.0

• Schedule: ["at any time"]
• Branch name: renovate/docker-metadata-action-6.x
• Merge into: master
• Upgrade docker/metadata-action to 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
• Upgrade docker/metadata-action to v6

Update docker/setup-buildx-action action to v4.1.0

• Schedule: ["at any time"]
• Branch name: renovate/docker-setup-buildx-action-4.x
• Merge into: master
• Upgrade docker/setup-buildx-action to d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
• Upgrade docker/setup-buildx-action to v4

Update hashicorp/vault-action action to v4

• Schedule: ["at any time"]
• Branch name: renovate/hashicorp-vault-action-4.x
• Merge into: master
• Upgrade hashicorp/vault-action to 892a26828f195e65540a40b4768ae4571f51ebfc

🚸 PR creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prHourlyLimit for details.

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR was generated by Mend Renovate. View the repository job log.

[Copilot]

Pull request overview

This PR adds Renovate configuration to enable automated dependency updates for the Synapse project. The configuration uses the recommended preset and will create 49 pull requests to update various dependencies across multiple package managers including Python, Rust, Docker, and GitHub Actions.

Changes:

• Adds renovate.json with basic Renovate configuration using the config:recommended preset

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The repository already has Dependabot configured in .github/dependabot.yml for pip, docker, github-actions, and cargo ecosystems. Running both Renovate and Dependabot simultaneously can lead to duplicate dependency update PRs and conflicts. Consider either disabling Dependabot or configuring Renovate to ignore the ecosystems already managed by Dependabot. If you intend to migrate from Dependabot to Renovate, the .github/dependabot.yml file should be removed or disabled.

Suggested change

	"config:recommended"
	"config:recommended"
	],
	"packageRules": [
	{
	"matchManagers": [
	"pip_requirements",
	"pip_setup",
	"pipenv",
	"poetry",
	"pip-compile",
	"dockerfile",
	"github-actions",
	"cargo"
	],
	"enabled": false
	}