Integrate renovate bot for all dependency updates (#37050)

Replaces Dependabot with Renovate. The new setup: - One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's `vulnerabilityAlerts` schedule bypass. - All `uses:` action refs SHA-pinned with patch-level version comments (same format as #36971, which this supersedes); `helpers:pinGitHubActionDigests` keeps future bumps in that format. - `renovatebot/github-action` runtime image pinned via the upstream-recommended `RENOVATE_VERSION` env + magic comment + `customManagers:githubActionsVersions` preset, so Renovate keeps the pin updated. - Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>` lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via `matchDatasources: ["go"]`. - Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`) and the SVG sprite (`make svg`), gated by an env-level command allowlist. - Replaces the standalone `cron-flake-updater` workflow — Renovate's nix manager tracks `flake.nix` inputs and produces the same `flake.lock` bump PRs on the regular weekly schedule. - npm and gomod-replace pins live in `renovate.json5` only; `updates@17.16.3` reads them from there too, so the standalone `updates.config.ts` is gone and one source of truth covers both tools. Fixes: https://github.com/go-gitea/gitea/issues/33386 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
2026-04-26 16:25:22 +02:00
parent b3ed4cde9a
commit 99cd4f6b22
19 changed files with 240 additions and 162 deletions
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -366,8 +366,8 @@ importers:
        specifier: 8.59.0
        version: 8.59.0(eslint@10.2.1(jiti@2.6.1))(typescript@6.0.3)
      updates:
-        specifier: 17.15.5
-        version: 17.15.5
+        specifier: 17.16.3
+        version: 17.16.3
      vitest:
        specifier: 4.1.4
        version: 4.1.4(@types/node@25.6.0)(happy-dom@20.9.0)(vite@8.0.9(@types/node@25.6.0)(esbuild@0.28.0)(jiti@2.6.1))
@@ -3902,8 +3902,8 @@ packages:
    peerDependencies:
      browserslist: '>= 4.21.0'

-  updates@17.15.5:
-    resolution: {integrity: sha512-Ce004Zzj63jL/Vml1YFGOoFSpzpxRVQlAVAo65HShwg0v1UpOzmYYAiYAi1Z7ILH65QtfqHQCphSHeqR5SgPAg==}
+  updates@17.16.3:
+    resolution: {integrity: sha512-j+bkgObnDVB9hYTSg1tflwGtkFg23ZrgXiqRmRw3Reu/sh2P29M9oecxavO9uBMO2bbKpgC1OBrAnIpNZtL01w==}
    engines: {node: '>=22'}
    hasBin: true

@@ -8019,7 +8019,7 @@ snapshots:
      escalade: 3.2.0
      picocolors: 1.1.1

-  updates@17.15.5: {}
+  updates@17.16.3: {}

  uri-js@4.4.1:
    dependencies: