From b6392127a5e5d8fa4c82846ae17647fb17590db2 Mon Sep 17 00:00:00 2001 From: Fischer Date: Fri, 29 May 2026 03:13:35 -0500 Subject: [PATCH 1/6] ci: add shared Renovate preset --- default.json | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 default.json
diff --git a/default.json b/default.json
new file mode 100644
index 0000000..614da0e
--- /dev/null
+++ b/default.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "description": "Shared Renovate preset for getnodus repositories.",
+ "extends": [
+ "config:recommended",
+ "helpers:pinGitHubActionDigests",
+ ":dependencyDashboard",
+ ":semanticCommits"
+ ],
+ "minimumReleaseAge": "3 days",
+ "prHourlyLimit": 0,
+ "labels": ["dependencies"],
+ "packageRules": [
+ {
+ "description": "Auto-merge non-major updates; platform auto-merge waits for required checks.",
+ "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+ "automerge": true,
+ "platformAutomerge": true
+ },
+ {
+ "description": "Bundle all GitHub Actions updates into one PR.",
+ "matchManagers": ["github-actions"],
+ "groupName": "github-actions"
+ },
+ {
+ "description": "Major updates always require manual review.",
+ "matchUpdateTypes": ["major"],
+ "automerge": false,
+ "addLabels": ["major-update"]
+ }
+ ]
+}
From 2dd8e399a23563c049cc7633ad156d8b093dbeeb Mon Sep 17 00:00:00 2001 From: Fischer Date: Fri, 29 May 2026 03:13:36 -0500 Subject: [PATCH 2/6] ci: enable Renovate for .github repo --- renovate.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..8279e5e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["github>getnodus/.github"]
+}
From b2dbcb44f3e381ac28fe2ac4927cbd0b0e8471f8 Mon Sep 17 00:00:00 2001
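Review bot: The first `packageRules` entry auto-merges `minor`, `patch`, `pin` and `digest` updates for every manager in every repository that extends this preset, and `platformAutomerge` only defers to status checks that branch protection marks as required; a consuming repo with no required checks will have unreviewed upstream code merged with no CI gate at all. `minimumReleaseAge: "3 days"` narrows the window for a freshly published bad version but does not replace a test gate. Since JSON carries no comments, I'd state that constraint in the rule's own text, e.g. `"description": "Auto-merge non-major updates. platformAutomerge only waits for checks that branch protection marks as required; every consuming repo needs required checks or this merges ungated."`. The preset also sets `"prHourlyLimit": 0`, which removes Renovate's default throttle; a short mention in the top-level `description` that this is intentional would save the next reader a lookup.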
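Review bot: `"extends": ["github>getnodus/.github"]` resolves the preset from the default branch of the `.github` repo with no tag or commit pinned, so any change landing there (including the automerge rules in `default.json`) takes effect in every consuming repo on its next Renovate run with nothing to review in that repo. That is presumably the intended central control, but it makes branch protection on the `.github` repo the control point for org-wide automerge policy, and that is worth stating in the preset's `description`. If consumers should instead opt in to policy changes, pin a tag, e.g. `"extends": ["github>getnodus/.github#v1"]`.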
From: Fischer Date: Fri, 29 May 2026 03:13:37 -0500 Subject: [PATCH 3/6] ci: add self-hosted Renovate runner (GitHub Actions cron) --- .github/workflows/renovate.yml | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/renovate.yml
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..ed1e127
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,48 @@
+name: Renovate
+
+# Self-hosted Renovate that runs on GitHub's runners (matches CI; no external
+# host). Scans all getnodus repos that contain a renovate.json and opens/merges
+# dependency PRs per the shared preset (default.json in this repo).
+#
+# Requires a "Renovate" GitHub App installed on the org, with its credentials
+# stored as repo/org secrets RENOVATE_APP_ID and RENOVATE_APP_PRIVATE_KEY.
+
+on:
+ schedule:
+ - cron: "0 6 * * 1" # Mondays 06:00 UTC
+ workflow_dispatch:
+ inputs:
+ logLevel:
+ description: "Renovate log level"
+ type: choice
+ default: info
+ options: [debug, info, warn]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: renovate
+ cancel-in-progress: false
+
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate a token for the Renovate GitHub App
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
+ owner: getnodus
+
+ - name: Run Renovate
+ uses: renovatebot/github-action@v46
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ env:
+ RENOVATE_AUTODISCOVER: "true"
+ RENOVATE_AUTODISCOVER_FILTER: "getnodus/*"
+ RENOVATE_ONBOARDING: "false"
+ LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
From b558fc970d5333a6d3fb2ec044345e77f2523f0f Mon Sep 17 00:00:00 2001
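Review bot: The App token minted at `uses: actions/create-github-app-token@v3` is requested with `owner: getnodus` and no `repositories:` input, so it covers every repository the App is installed on, and it is then handed to a step that autodiscovers and processes all of them; if any discovered repo needs a lockfile refresh, that package-manager run presumably happens inside this job with the org-wide token in the environment, which is worth confirming against the action's isolation model. Restricting the App installation itself to the repositories that actually carry a `renovate.json`, and keeping `RENOVATE_AUTODISCOVER_FILTER` aligned with that set, keeps the blast radius to those repos; the header comment should record that the installation scope, not only the filter, bounds what the token can touch. Note this file is removed again by patch 6/6 of this series, so this only matters if the self-hosted runner is brought back.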
From: Fischer Date: Fri, 29 May 2026 03:13:39 -0500 Subject: [PATCH 4/6] ci: add actionlint check for workflows --- .github/workflows/actionlint.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/actionlint.yml
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..5387914
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,24 @@
+name: actionlint
+
+# Lints workflow files so Renovate (and humans) have a real green signal before
+# merging changes to the actions that power other repos. Mark this check as
+# required in branch protection to gate auto-merge on it.
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Run actionlint
+ uses: docker://rhysd/actionlint:1.7.12
+ with:
+ args: -color
From 91a7fe3a8ba7aa5eec90eb78e0012c1207e40204 Mon Sep 17 00:00:00 2001 From: Fischer Date: Fri, 29 May 2026 03:13:39 -0500 Subject: [PATCH 5/6] ci: drop dependabot.yml (replaced by Renovate) --- .github/dependabot.yml | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 4c39a33..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
- commit-message:
- prefix: "ci"
From 244983f5ccca8fe64f7516ff5c2296d0923199f4 Mon Sep 17 00:00:00 2001 From: Fischer Date: Fri, 29 May 2026 03:32:02 -0500 Subject: [PATCH 6/6] ci: drop self-hosted runner (using Mend-hosted Renovate app) --- .github/workflows/renovate.yml | 48 ---------------------------------- 1 file changed, 48 deletions(-) delete mode 100644 .github/workflows/renovate.yml
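Review bot: The header comment tells maintainers to mark this check as required in branch protection, but the `pull_request` trigger is filtered with `paths:` / `- ".github/workflows/**"`; a required check that never runs on a PR (any Renovate PR touching only `default.json` or `renovate.json`) stays pending and blocks merge, so the preset's `platformAutomerge` would wait indefinitely on exactly the PRs it is meant to handle. Either drop the two `paths:` lines so the lint runs on every PR (it is a single container step and cheap), or keep the filter and do not make the check required. Separately, `uses: docker://rhysd/actionlint:1.7.12` is a mutable tag; pinning the image by digest, e.g. `uses: docker://rhysd/actionlint@sha256:<DIGEST-PLACEHOLDER>`, follows the same intent as the `helpers:pinGitHubActionDigests` preset applied to the org's `uses:` references.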
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
deleted file mode 100644
index ed1e127..0000000
--- a/.github/workflows/renovate.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Renovate
-
-# Self-hosted Renovate that runs on GitHub's runners (matches CI; no external
-# host). Scans all getnodus repos that contain a renovate.json and opens/merges
-# dependency PRs per the shared preset (default.json in this repo).
-#
-# Requires a "Renovate" GitHub App installed on the org, with its credentials
-# stored as repo/org secrets RENOVATE_APP_ID and RENOVATE_APP_PRIVATE_KEY.
-
-on:
- schedule:
- - cron: "0 6 * * 1" # Mondays 06:00 UTC
- workflow_dispatch:
- inputs:
- logLevel:
- description: "Renovate log level"
- type: choice
- default: info
- options: [debug, info, warn]
-
-permissions:
- contents: read
-
-concurrency:
- group: renovate
- cancel-in-progress: false
-
-jobs:
- renovate:
- runs-on: ubuntu-latest
- steps:
- - name: Generate a token for the Renovate GitHub App
- id: app-token
- uses: actions/create-github-app-token@v3
- with:
- app-id: ${{ secrets.RENOVATE_APP_ID }}
- private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
- owner: getnodus
-
- - name: Run Renovate
- uses: renovatebot/github-action@v46
- with:
- token: ${{ steps.app-token.outputs.token }}
- env:
- RENOVATE_AUTODISCOVER: "true"
- RENOVATE_AUTODISCOVER_FILTER: "getnodus/*"
- RENOVATE_ONBOARDING: "false"
- LOG_LEVEL: ${{ inputs.logLevel || 'info' }}