From fb9879def826d96d8131a9901eb0b09edd6ed0e3 Mon Sep 17 00:00:00 2001
From: luckyPipewrench
Date: Sun, 17 May 2026 15:52:51 -0400
Subject: [PATCH 1/2] chore(deps): migrate from dependabot to renovate with cooldown
Replaces .github/dependabot.yml with renovate.json. Adds a 10-day minimum release age before any routine update PR opens, with a vulnerability-alert bypass so CVE fixes fast-track. Enables SHA digest pinning for GitHub Actions. Groups preserved from dependabot: pip-deps (pip_requirements + pep621 for pyproject.toml), ci-actions (github-actions). Requires the Mend Renovate GitHub App, already enabled on the org. Supersedes the default-config onboarding PR (#17).
---
 .github/dependabot.yml | 28 ----------------------------
 renovate.json | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 28 deletions(-)
 delete mode 100644 .github/dependabot.yml
 create mode 100644 renovate.json
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 83a7df7..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: pip
- directory: /
- schedule:
- interval: weekly
- commit-message:
- prefix: "deps"
- labels:
- - dependencies
- open-pull-requests-limit: 5
- groups:
- pip-deps:
- patterns:
- - "*"
-
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: weekly
- commit-message:
- prefix: "ci"
- labels:
- - ci
- groups:
- ci-actions:
- patterns:
- - "*"
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..8cb11b1
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":semanticCommits",
+ ":maintainLockFilesWeekly"
+ ],
+ "minimumReleaseAge": "10 days",
+ "internalChecksFilter": "strict",
+ "labels": ["dependencies"],
+ "prConcurrentLimit": 10,
+ "vulnerabilityAlerts": {
+ "labels": ["security", "fast-track"],
+ "minimumReleaseAge": "0 days",
+ "schedule": ["at any time"]
+ },
+ "packageRules": [
+ {
+ "matchManagers": ["github-actions"],
+ "pinDigests": true,
+ "commitMessagePrefix": "ci:",
+ "addLabels": ["ci"],
+ "groupName": "ci-actions"
+ },
+ {
+ "matchManagers": ["pip_requirements", "pep621"],
+ "commitMessagePrefix": "deps:",
+ "addLabels": ["python"],
+ "groupName": "pip-deps"
+ },
+ {
+ "matchUpdateTypes": ["major"],
+ "addLabels": ["major-update", "needs-review"],
+ "automerge": false
+ }
+ ]
+}
From 55a96d5bc62374a6d10006133926cb0a012079a3 Mon Sep 17 00:00:00 2001
From: luckyPipewrench
Date: Sun, 17 May 2026 16:28:24 -0400
Subject: [PATCH 2/2] chore(deps): bypass cooldown for own-org packages
Adds a packageRule to skip the 10-day minimumReleaseAge for any package matching luckyPipewrench/ or ghcr.io/luckypipewrench/. Same pattern as the other repos that reference our own org packages. Fast-tracks pipelock action and image bumps for dogfood loops.
---
 renovate.json | 47 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 38 insertions(+), 9 deletions(-)
diff --git a/renovate.json b/renovate.json
index 8cb11b1..25d1f45 100644
--- a/renovate.json
+++ b/renovate.json
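Review bot: The `labels` key inside `vulnerabilityAlerts` replaces rather than extends the top-level `labels`, so as far as I can tell the fast-tracked security PRs will carry `security` and `fast-track` but lose `dependencies`; if any automation or branch rule filters on that label, use `"addLabels": ["security", "fast-track"]` there instead, since `addLabels` is the mergeable form. The cooldown and its bypass also depend on Renovate being able to read the repository's vulnerability alerts, which nothing in the file records; a top-level `"description"` such as "10-day cooldown limits exposure to freshly published malicious versions; the vulnerabilityAlerts bypass relies on Dependabot alerts being enabled for this repo" would make both the intent and the precondition visible to the next editor. It is also worth confirming that `minimumReleaseAge` actually delays the github-actions digest updates this file pins, since the cooldown only applies where the datasource reports release timestamps.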
@@ -7,30 +7,59 @@
 ],
 "minimumReleaseAge": "10 days",
 "internalChecksFilter": "strict",
- "labels": ["dependencies"],
+ "labels": [
+ "dependencies"
+ ],
 "prConcurrentLimit": 10,
 "vulnerabilityAlerts": {
- "labels": ["security", "fast-track"],
+ "labels": [
+ "security",
+ "fast-track"
+ ],
 "minimumReleaseAge": "0 days",
- "schedule": ["at any time"]
+ "schedule": [
+ "at any time"
+ ]
 },
 "packageRules": [
 {
- "matchManagers": ["github-actions"],
+ "matchPackagePatterns": [
+ "^luckyPipewrench/",
+ "^ghcr\\.io/luckypipewrench/"
+ ],
+ "minimumReleaseAge": "0 days",
+ "description": "Own-org packages bypass cooldown (we control the supply chain)"
+ },
+ {
+ "matchManagers": [
+ "github-actions"
+ ],
 "pinDigests": true,
 "commitMessagePrefix": "ci:",
- "addLabels": ["ci"],
+ "addLabels": [
+ "ci"
+ ],
 "groupName": "ci-actions"
 },
 {
- "matchManagers": ["pip_requirements", "pep621"],
+ "matchManagers": [
+ "pip_requirements",
+ "pep621"
+ ],
 "commitMessagePrefix": "deps:",
- "addLabels": ["python"],
+ "addLabels": [
+ "python"
+ ],
 "groupName": "pip-deps"
 },
 {
- "matchUpdateTypes": ["major"],
- "addLabels": ["major-update", "needs-review"],
+ "matchUpdateTypes": [
+ "major"
+ ],
+ "addLabels": [
+ "major-update",
+ "needs-review"
+ ],
 "automerge": false
 }
 ]
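Review bot: The new own-org rule at the top of `packageRules` carries no `matchManagers`/`matchDatasources`, so its `"minimumReleaseAge": "0 days"` exempts any dependency in any ecosystem whose package name starts with those prefixes, which is wider than the GitHub Actions and GHCR images the commit message describes; adding `"matchDatasources": ["github-tags", "github-releases", "docker"]` keeps the cooldown exemption bounded to the sources the org actually publishes. The two patterns also differ in case (`^luckyPipewrench/` versus `^ghcr\\.io/luckypipewrench/`), and because GitHub owner names are case-insensitive a workflow that writes `uses: luckypipewrench/...` would silently keep the 10-day cooldown rather than being fast-tracked, so either normalise the pattern or state the expected spelling in the rule's `description`. I believe `matchPackagePatterns` is deprecated in current Renovate in favour of `matchPackageNames` with `/regex/` entries, which is worth checking against the schema version the `$schema` line points at. Since the exemption gives up the cooldown's window for noticing a bad release published under the org's own credentials, the `description` should also say what still stands in its place (digest pinning from the github-actions rule and the vulnerability-alert path), and the reflow of every other array onto multiple lines would be easier to audit as a separate formatting-only commit. The top-level object's opening and closing braces lie outside the hunk.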