# 🤖 Renovate Bot

Welcome! This is the dedicated account that powers **Renovate Bot** on our self‑hosted Gitea instance.  
Its sole mission: keep our dependencies up to date, consistent, and secure—so you can focus on writing code rather than chasing version bumps.

---

## What Renovate Does

| 📦 | **Detects dependencies** in supported files (e.g. `package.json`, `pom.xml`, `Dockerfile`, `go.mod`, etc.) |
|----|-------------------------------------------------------------------------------------------------------------|
| 🔎 | **Checks upstream registries** for new releases, security patches, and licensing changes                    |
| 🛠 | **Opens pull requests** with version updates, changelogs, and automated release notes                       |
| 🚦 | **Groups or re‑bases PRs** to respect repository rules, semantic‑versioning, your schedule, and config       |

---

## Typical Pull Request Anatomy

```
renovate/<package-name>-<new-version>
│
├─ 📄  commit: build(deps): update <package> to <new-version>
├─ 📝  PR body: changelog‑extract, release notes, breaking‑change highlights
└─ 🔖  labels: dependencies • renovate • ❗️ major (if semver‑major)
```

**Heads‑up:** The branch naming and commit convention above is standard but can be adjusted in repository‑level config.

---

## Interacting With the Bot

| Action | How |
|--------|-----|
| **Merge or close** | Treat Renovate PRs like any other. Fast‑forward merges are preferred to keep history clean. |
| **Re‑run a failed PR** | Comment `@renovate-bot rebase` or `@renovate-bot recreate` on the PR. |
| **Pause updates** | Add the label `renovate‑ignore` **or** set `"enabled": false` in `renovate.json`. |
| **Schedule batches** | Define `schedule`: `"before 05:00 on monday"` etc. in your config. |
| **Group deps** | Use `"packageRules"` with a `groupName` key to bundle related packages. |

---

## Quick‑Start: Per‑Repo Config

Create a **`renovate.json`** at the repository root (or inherit from a preset) – for example:

```jsonc
{
  "extends": ["config:base"],
  "dependencyDashboard": true,
  "schedule": ["before 06:00 on monday"],
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["❗️major"]
    }
  ]
}
```

*Need more?* Consult the official docs: <https://docs.renovatebot.com/>.

---

## Security & Trust

* Runs in our private CI and never executes dependency code—only updates manifest files.  
* Auth tokens are scoped to the minimal permissions required (read code, write PRs, no direct pushes to default branch).  
* Changelogs are included so you can audit releases before merging.  

---

## FAQs

* **Why so many PRs?**  
  Tune `schedule`, enable grouping, or raise thresholds in your `renovate.json`.

* **The update breaks my build.**  
  Close the PR and add a pin/range in your manifest, or configure Renovate to ignore that dependency version.

* **Can I opt-out completely?**  
  Yes—set `"enabled": false` in your repo config or ask the DevOps team to disable the repo.

---

## Maintainer & Support

* Primary contact: **DevOps / Platform Team** (`contact@morlana.net`)
* Emergency stop: remove Renovate from the repo permissions, then ping DevOps.

> **Happy automated upgrading!**  
> – Renovate Bot 🤖
```