fix: skip Renovate bun lock artifacts for npm updates

[marcusrbrown]

Summary

• broaden the Renovate Bun lockfile artifact workaround from the Bun manager to Bun + npm managers
• clarify that the failure comes from Renovate's RENOVATE_BINARY_SOURCE=install / containerbase install-tool bun <version> path
• keep postUpgradeTasks as the path that regenerates bun.lock, formatting, and dist artifacts

Verification

• bunx --package renovate renovate-config-validator .github/renovate.json5
• git diff --check

Context

#1016 updates package.json and triggers Renovate's npm-manager artifact update path for bun.lock. That path currently fails with install-tool bun 1.3.14, while the branch's lockfile is already regenerated by postUpgradeTasks.

[fro-bot]

Verdict: PASS

Broadening skipArtifactsUpdate from ['bun'] to ['bun', 'npm'] is the correct fix. PR #1016 edits package.json, which Renovate routes through the npm manager's artifact-update path. That path also tries to refresh bun.lock via install-tool bun <ver> (containerbase), which fails in the RENOVATE_BINARY_SOURCE=install self-hosted action environment — exactly the failure the existing bun-only rule already worked around for direct lockfile updates. Extending the same rule to the npm manager closes the remaining gap.

Blocking issues

None

Non-blocking concerns

• The lockfile now relies entirely on postUpgradeTasks (bun install) to stay current for npm-manager PRs as well. This is the same mechanism already trusted for bun-manager PRs, so the risk is unchanged — but it does mean the renovate/artifacts check no longer validates bun.lock; correctness depends on postUpgradeTasks running successfully on every branch. The inline comment documents this trade-off and the removal condition well.
• The rule skips all npm artifact updates, not just bun.lock. Verified this is harmless here: the repo contains only bun.lock (no package-lock.json/yarn.lock/pnpm-lock.yaml), so there are no other npm artifacts to suppress. Worth re-checking the comment's scoping note if a non-bun lockfile is ever introduced.

Missing tests

None — this is a Renovate config change with no executable code path. Validated via renovate-config-validator (passes) and git diff --check (clean). Effective behavior can only be confirmed by a live Renovate run on an npm-manager update branch.

Risk assessment (LOW): Blast radius is limited to Renovate's artifact-update behavior on dependency PRs; no production/runtime code is touched. Regression likelihood is low and self-correcting (a stale lockfile would surface in postUpgradeTasks/CI). No security exposure.

---

Run Summary

Field	Value
Event	pull_request
Repository	fro-bot/agent
Run ID	28278218579
Cache	hit
Session	ses_0f8b7f851ffel1I0gQUscsMb5O