From 7618e426980fbea4b356d4142c64d87108ac091a Mon Sep 17 00:00:00 2001
From: Martin Nonnenmacher
Date: Thu, 2 Apr 2026 12:46:36 +0200
Subject: [PATCH 1/3] ci(renovate): Enable automerge for non-major updates Let Renovate enable automerge for PRs that contain non-major updates to reduce the amount of clicks required to merge dependency updates. Note that these PRs still need to be approved and pass CI checks before they are merged.
Signed-off-by: Martin Nonnenmacher
---
 renovate-config.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/renovate-config.json b/renovate-config.json
index b33811a..07c01c8 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -9,5 +9,12 @@
 "dependencyDashboard": true,
 "labels": [
 "dependencies"
+ ],
+ "packageRules": [
+ {
+ "description": "Automerge non-major updates",
+ "matchUpdateTypes": ["minor", "patch"],
+ "automerge": true
+ }
 ]
 }
From a03fdde4465dd39d6e5f71b20aac900459c13b75 Mon Sep 17 00:00:00 2001
From: Martin Nonnenmacher
Date: Thu, 2 Apr 2026 12:47:26 +0200
Subject: [PATCH 2/3] ci(renovate): Delay update of NPM packages by 7 days Due to the frequent supply chain attacks in the NPM ecosystem, delay updates of NPM packages by 7 days to reduce the risk of updating to compromised versions.
Signed-off-by: Martin Nonnenmacher
---
 renovate-config.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/renovate-config.json b/renovate-config.json
index 07c01c8..0379d8e 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -15,6 +15,10 @@
 "description": "Automerge non-major updates",
 "matchUpdateTypes": ["minor", "patch"],
 "automerge": true
+ },
+ {
+ "matchDatasources": ["npm"],
+ "minimumReleaseAge": "7 days"
 }
 ]
 }
From 00c7b738835e4b63ab38a98cc411d0e0084494c3 Mon Sep 17 00:00:00 2001
From: Martin Nonnenmacher
Date: Thu, 2 Apr 2026 12:51:24 +0200
Subject: [PATCH 3/3] ci: Add a workflow to validate the Renovate config
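Review bot: In the first patch's `packageRules` hunk, nothing in the new rule encodes the approval that the commit message relies on; that requirement would have to come from branch protection on each repository using this config, which is not visible here, so a repository without required reviews would presumably merge these PRs on passing CI alone. The rule also matches `minor` updates of 0.x dependencies, where a minor bump may be breaking under semver; consider adding `"matchCurrentVersion": "!/^0/"` to it. It would help to state the review precondition in the rule's `description`, for example `"description": "Automerge non-major updates (requires branch protection with required reviews)"`.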
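Review bot: In the second patch's hunk, the `minimumReleaseAge` rule is scoped to `"matchDatasources": ["npm"]`, while the automerge rule directly above it matches minor and patch updates from every datasource, so automerged updates from other ecosystems get no cool-down at all. If the delay is meant as the safety margin for unattended merges, either widen the delay or restrict `automerge` to the datasources that carry it. It is also worth confirming how the deployed Renovate version treats a release that has no publish timestamp, since the delay can only be evaluated when one is available. The new rule has no `description`, unlike its sibling; `"description": "Delay npm updates by 7 days to limit exposure to compromised releases"` would keep the intent next to the setting.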
Signed-off-by: Martin Nonnenmacher
---
 .github/workflows/renovate-validation.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/renovate-validation.yml
diff --git a/.github/workflows/renovate-validation.yml b/.github/workflows/renovate-validation.yml
new file mode 100644
index 0000000..f15b199
--- /dev/null
+++ b/.github/workflows/renovate-validation.yml
@@ -0,0 +1,18 @@
+name: Renovate Validation
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+jobs:
+ renovate-validation:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Validate Renovate Config
+ run: npx -y --package renovate@latest -- renovate-config-validator renovate-config.json
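Review bot: The `Validate Renovate Config` step runs `npx -y --package renovate@latest`, so every CI run downloads and executes whatever npm currently serves as the latest release, with no pin and no release-age delay. That is the exposure the second patch in this series delays npm updates to avoid. The checkout action above it is pinned to a commit SHA, and the validator should get the same treatment, e.g. `renovate@<pinned-version>`, with Renovate itself keeping the pin current. The workflow also declares no `permissions:`, so the job runs with the repository's default token scope; add a top-level `permissions:` block containing `contents: read`. Setting `persist-credentials: false` on the checkout step would additionally keep the token out of the workspace's git config while the downloaded package runs.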