From 00a62aa2bc59cd86f0e443e13d2d131ea4eba81d Mon Sep 17 00:00:00 2001
From: Dmytro Sydorov <dmytro.sydorov@loft.sh>
Date: Thu, 4 Jun 2026 15:27:14 +0200
Subject: [PATCH 1/2] ci: add renovate config

---
 renovate.json | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 renovate.json

diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..4164fc1
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,41 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranchPatterns": ["main"],
+  "labels": ["dependencies"],
+  "prHourlyLimit": 5,
+  "prConcurrentLimit": 10,
+  "minimumReleaseAge": "3 days",
+  "schedule": ["before 6am on monday"],
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "labels": ["security"]
+  },
+  "packageRules": [
+    {
+      "description": "npm: 7-day stabilization period for all JS deps",
+      "matchManagers": ["npm"],
+      "minimumReleaseAge": "7 days"
+    },
+    {
+      "description": "npm: group all non-major updates",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm-non-major"
+    },
+    {
+      "description": "npm: major updates individually for human review",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["major"]
+    },
+    {
+      "description": "Group GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "groupName": "github-actions"
+    }
+  ]
+}

From 47ebfb1c0c127b3ac36c3b15f1d88e38458a6aa7 Mon Sep 17 00:00:00 2001
From: Dmytro Sydorov <dmytro.sydorov@loft.sh>
Date: Thu, 4 Jun 2026 15:27:19 +0200
Subject: [PATCH 2/2] ci: add renovate config validation workflow

---
 .github/workflows/validate-renovate.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/validate-renovate.yaml

diff --git a/.github/workflows/validate-renovate.yaml b/.github/workflows/validate-renovate.yaml
new file mode 100644
index 0000000..c620e9b
--- /dev/null
+++ b/.github/workflows/validate-renovate.yaml
@@ -0,0 +1,19 @@
+# Caller workflow for the reusable validate-renovate workflow in loft-sh/github-actions.
+name: Validate Renovate Config
+
+on:
+  pull_request:
+    paths:
+      - 'renovate.json'
+      - 'renovate.json5'
+      - '.renovaterc'
+      - '.renovaterc.json'
+
+permissions: {}
+
+jobs:
+  validate-renovate:
+    permissions:
+      contents: read
+      pull-requests: read
+    uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@b52efbd927586ea78282073f79d2423e552c9f62 # validate-renovate/v1