Merge branch 'main' into fix/29629-galaxy-multiple

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:11.11.5
+FROM ghcr.io/containerbase/devcontainer:11.11.21

.github/actions/setup-node/action.yml

@@ -53,7 +53,7 @@ runs:
         standalone: true
 
     - name: Setup Node
-      uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
       with:
         node-version: ${{ inputs.node-version }}
 

.github/contributing.md

@@ -8,6 +8,10 @@ Please give us enough time to investigate the bug before you report it anywhere
 
 Please do not create GitHub issues for security-related doubts or problems.
 
+## Code of Conduct
+
+Please follow the rules in our [Code of Conduct](https://github.com/renovatebot/renovate/blob/main/CODE_OF_CONDUCT.md).
+
 ## Support
 
 If you want help with your Renovate configuration, go to the [discussions tab in the Renovate repository](https://github.com/renovatebot/renovate/discussions) and open a new "config help" discussion post.

.github/label-actions.yml

@@ -20,6 +20,7 @@
      5. Fill out the information in your repository's `README.md`.
      6. Add the link to your reproduction to the first post of your Discussion. If you are not the original author, you can post a new comment with the link.
 
+    If you need help with running renovate on your minimal reproduction repository, please refer to our [Running Renovate guide](https://docs.renovatebot.com/getting-started/running/).
 
     Good luck,
 
@@ -124,6 +125,22 @@
     Read the [Renovate docs, Troubleshooting](https://docs.renovatebot.com/troubleshooting/) to learn more about getting the docs, and getting the correct type of logs.
 
 
+    Thanks, the Renovate team
+
+'auto:logs-reduction':
+  comment: >
+    Hi there,
+
+
+    Please limit the amount of logs you're pasting into this discussion. The maintainers have a limited amount of time to help you, and often do so from mobile devices. It's easier for us if you only paste the relevant parts of the logs, and point us to the lines you think are relevant.
+
+
+    For example, if your problem is about a certain dependency, find the log sections which apply to that dependency and paste only those sections. Similarly, if your problem is about a particular branch/PR, find the log sections which apply to that branch/PR and paste only those sections.
+
+
+    If you're not sure, it's acceptable to paste the full logs, including into a gist. Please try to explain the problem in enough detail to give us starting points to debug. If you only paste the full log, and do nothing else, it is likely that we will take longer to help you, or we may not start to help you at all.
+
+
     Thanks, the Renovate team
 
 'new package manager':
@@ -438,4 +455,23 @@
     If you are a paying Mend.io customer, please tell your support or customer contact that this issue is important to you.
 
 
+    Thanks, the Renovate team
+
+'auto:reduce-complexity':
+  comment: >
+    Hi there,
+
+
+    This discussion is too complex, and we want you to simplify. This way you are more likely to get help or a solution.
+
+
+    For example, if you've pasted your _whole_ complex config, while your problem is about just one part, consider removing the parts that are not relevant to your problem. The best way to do this is to create a [minimal reproduction](https://github.com/renovatebot/renovate/blob/main/docs/development/minimal-reproductions.md).
+
+
+    You may have tried many ways to do something, and described all the methods you tried. If none of the methods worked, please focus on the most promising method, or the ideal solution. Avoid complicating the description (or logs) with the failed attempts.
+
+
+    To summarize: please reduce the complexity of your discussion, to increase the chances of getting help.
+
+
     Thanks, the Renovate team

.github/workflows/build.yml

@@ -31,7 +31,7 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 20
-  PDM_VERSION: 2.18.1 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.18.2 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
@@ -410,7 +410,7 @@ jobs:
 
       - name: Save coverage artifacts
         if: (success() || failure()) && github.event.pull_request.draft != true && matrix.coverage
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ matrix.upload-artifact-name }}
           path: |
@@ -566,7 +566,7 @@ jobs:
         run: pnpm test-e2e:pack
 
       - name: Upload
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: renovate-package
           path: renovate-0.0.0-semantic-release.tgz
@@ -610,7 +610,7 @@ jobs:
         run: pnpm test:docs
 
       - name: Upload
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: docs
           path: tmp/docs/
@@ -637,7 +637,7 @@ jobs:
           standalone: true
 
       - name: Setup Node.js
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -683,7 +683,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@c7fd9c98b79b3ae16e46dd33610327507e33275c # v3.4.6
+        uses: containerbase/internal-tools@b6d2b362cb282e8088211f792cc2211529936635 # v3.4.17
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8

.github/workflows/mend-slack.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Post to Slack
         id: slack
-        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
         with:
           channel-id: 'C05NLTMGCJC'
           # For posting a simple plain text message

.github/workflows/scorecard.yml

@@ -43,14 +43,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: 'Upload artifact'
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -31,7 +31,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+      - uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

.github/workflows/update-data.yml

@@ -27,7 +27,7 @@ jobs:
           standalone: true
 
       - name: Set up Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: pnpm

.nvmrc

@@ -1 +1 @@
-20.16.0
+20.17.0

.python-version

@@ -1 +1 @@
-3.12.5
+3.12.6

CODE_OF_CONDUCT.md

@@ -25,18 +25,65 @@ Sadly, it's common in Open Source projects for a few users to behave in an aggre
 A user might say something like: "You should have fixed this bug already!", or "Why am I still waiting for this feature?".
 We do not allow this kind of behavior.
 
+### No mean comments
+
 We expect basic politeness, do not act rude.
 For example: it is okay if you ask a question and do not thank us afterwards.
-But avoid writing mean comments like: "Pity the documentation didn’t say that." or "Thanks for nothing.".
+But avoid writing mean comments like:
+
+- "Pity the documentation didn’t say that."
+- "Thanks for nothing."
+
+### No thumbs-down emojis (except on polls)
+
+Do not give a thumbs-down emoji to posts.
+Even if you are sad, or angry about a response: do not use the thumbs-down emoji.
+
+The only time a thumbs-down is appropriate is when we, or a user, asks for a vote about something.
+
+### Do not start Twitter mobs
+
+Do not (try to) start Twitter mobs against the project or maintainers.
+Especially if you got rate-limited from interacting with this project, because you did not follow the rules.
+
+## We are not a village square
+
+This repository is a place where a minority show up to do the work.
+The vast majority benefit, for example by getting their support questions answered.
+
+This repository is not a "village square" where all opinions are equal.
+Nor is everyone's time equal here.
 
 ## Respect the time of those who help you
 
-Respect goes both ways, but time is limited.
-When you ask for help, please remember that the maintainer's time is valuable.
+When you ask for help, please remember that the maintainer's time is the limited resource here.
 We get many questions each week and do our best to answer each one.
+
 To get the help you need, please be prepared to give detailed logs or descriptions of your issues.
 If you do not want to spend the effort giving us enough information, it's likely you will not get the help you need.
 
+### Why we sometimes give short answers
+
+We have limited time, which means we may:
+
+- only give you a short answer
+- forget to soften the blow of a negative answer with "I'm really sorry but.."
+
+We know that getting a short answer feels bad.
+Please remember that we are doing the best we can to improve Renovate.
+We often respond from mobile devices.
+
+### No "any update on this?" type comments
+
+Do not post comments in Discussions or Issues to demand a response, like: "Any update on this?".
+These comments force a maintainer to either repond, or hide your comment.
+
+Our development is mostly done in the open on GitHub.
+It's rare that updates are hidden from you.
+Please do not comment on GitHub "just in case there are updates".
+
+When you comment on a stalled topic, please add new information, or valuable insight.
+
 Remember, most of the support provided by our team, including the Mend.io staff, is _unpaid_.
 
 ## Blocking and unblocking
@@ -76,6 +123,8 @@ This way most issues are ready to work on, either by us or the community.
 
 We may reject ideas that are too specialized, or that would make the project too hard to maintain.
 
+### Pull Request reviews
+
 We have strict coding standards and reviews to keep our code in good shape.
 A feature or fix must of course work, but it must also be well designed to stay maintainable.
 We may ask you to improve your code several times in a row, which can be difficult for you.

docs/development/adding-a-package-manager.md

@@ -108,3 +108,84 @@ Use `updateDependency` if _both_ conditions apply:
 ### `updateLockedDependency` (optional)
 
 Use `updateLockedDependency` to directly update dependencies in lock files.
+
+## Package files and Lock files
+
+In Renovate terminology, "package files" are the files where human-readable dependency definitions are kept.
+For example, this includes npm's `package.json` file, Maven's `pom.xml` file, and Docker's `Dockerfile`.
+
+Some package managers may additionally have "lock files", e.g. npm's `package-lock.json`.
+If a lock file is present in a repository then Renovate needs to update both in the same commit, otherwise the update may be "broken".
+Therefore if a new manager is being developed and it is usual to have a lock file, supporting lock file updating should be done from the start.
+
+Supporting lock file updating usually requires Renovate to support a third party tool, e.g. `npm`, `poetry`, etc.
+It's rare and not recommended for Renovate to "reverse engineer" lock file formats and make updates manually instead of calling such tools.
+Adding support for such tools requires adding awareness of each tool to [Containerbase](https://github.com/containerbase/base) first.
+
+Here are the various ways in approximate order in which lock file awareness should be added to a manager:
+
+### Lock file maintenance
+
+The purpose of lock file maintenance is to update all locked dependencies (including transitive) to the latest possible versions.
+
+There are two approaches which can be used:
+
+- Delete the existing lock file, then call a command like `<tool> install` to regenerate it, or
+- Call a command like `<tool> update` if such a command exists to satisfy this same requirement (updating the entire lock file where possible)
+
+Where available, the second approach is better because lock file may sometimes have platform-specific information (e.g. amd64, arm64) which can be lost if the lock file is regenerated completely as in the first approach.
+
+### Lock file updating after a package file change
+
+This functionality is often mandatory from initial implementation.
+
+In this scenario, an `updateArtifacts()` function must be added.
+Its purpose is to essentially "sync" the lock file to the package file changes made by Renovate, so that both files can be updated in the same commit.
+
+Usually, the flow is like this:
+
+1. Renovate makes changes to the version or constraint in the package file directly,
+2. Renovate calls a tool command like "<tool> install", "<tool> lock", etc.
+3. If the tool command resulted in a changed lock file (it usually should), then Renovate commits the changes along with the package file change
+
+### Locked version extracting and dependency pinning
+
+The next step is for the manager's "extract" functionality to return a `lockedVersion` for dependencies whenever a lock file exists.
+To do this, the manager should:
+
+1. Parse the lock file
+2. Associate each dependency from the package file with its entry in the lock file
+3. Add that associated version as `lockedVersion`
+
+Once `lockedVersion` is provided, Renovate should be able to "pin" constraints/ranges into exact versions, if the user configures as such (e.g. `rangeStrategy=pin`) however Renovate _won't_ automatically be able to make lockfile-only updates.
+
+### Lock file-only updates
+
+#### updateArtifacts()
+
+It's a common scenario where users want or need to retain constraints in their package file (e.g. `^1.0.0`) and have Renovate make updates to the lock file when new versions are available (e.g. updating from a locked value of `1.1.0` to `1.1.1`).
+In this case, it's a prerequisite that the manager must extract `lockedVersion` as described above.
+
+In addition to this, the manager needs to add logic to `updateArtifacts()` to detect if any of the updates it has been passed satisfy `isLockFileUpdate=true`.
+If any lock file-only updates have been passed, then the manager typically needs to run specific commands to update/bump the locked version for one specific dependency only.
+This functionality is manager-specific, and depends heavily on the capabilities of the third party tool, but a mix of the following approaches are used in Renovate, from best to worst:
+
+- Renovate calls a tool command to specifically update the dependency in question to the specific version, e.g. `<tool> update <dependency name>@<new version>`
+- Renovate manually updates the locked version in the lock file it needs updated, then calls a `<tool> install` command to "fix" up the remaining parts (hashes, transitive dependencies, etc). This is good if it works but it is prone to breaking in future releases because it's possible that the maintainers of the tool are not aware of people using it in this manner, even if it works unintentionally.
+- Renovate calls a tool command similar to the first approach, except the tool doesn't support specific versions, e.g. `<tool> update <dependency name>`. This approach can be problematic because Renovate might _want_ to update to e.g. v1.1.1 but instead the tool finds a newer v1.1.2 and that's what the user gets instead
+
+A further complication is that sometimes dependencies need to be upgraded together or else there are peer dependency problems or other conflicts.
+In that case it's best if the tool can support a list of dependencies to update and they are done all at once.
+
+#### updateLockedDependency()
+
+The `updateLockedDependency()` method is optional for managers but recommended that any manager which supports `rangeStrategy=update-lockfile` implements the `updateLockedDependency()` method.
+The most valuable part of this method is returning quickly if a dependency is already updated, so that tool commands don't need to be run every time.
+
+The simplest logic for this method is:
+
+1. Parse the existing lock file
+2. If the locked version of the dependency is already updated to the version specified then return `{ status: 'already-updated' }`
+3. Otherwise, return `{ status: 'unsupported' }`
+
+An example of this can be seen in [the composer manager source code for updateLockedDependency()](https://github.com/renovatebot/renovate/blob/da4964ac05952f9fe0543ba1174fcd62ad083d48/lib/modules/manager/composer/update-locked.ts#L7-L30).=

docs/development/best-practices.md

@@ -297,7 +297,10 @@ if (end) {
 
 ## Fixtures
 
-Use the `Fixture` class to load fixtures.
+Where possible, reduce the test fixture to a size where an inline `codeBlock` is possible to use instead of a separate fixture file.
+Inline `codeBlock`s improve performance plus are more readable.
+
+Use the `Fixture` class if loading fixtures from files.
 For example:
 
 ```ts