Merge branch 'fix-auto-merge-if-plus-one' into gerrit-remove-deprecat…

…ed-source-branch

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.5.5
+FROM ghcr.io/containerbase/devcontainer:13.5.10

.github/workflows/build.yml

@@ -31,7 +31,7 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 22
-  PDM_VERSION: 2.22.1 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.22.2 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
@@ -304,7 +304,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Lint markdown
-        uses: DavidAnson/markdownlint-cli2-action@eb5ca3ab411449c66620fe7f1b3c9e10547144b0 # v18.0.0
+        uses: DavidAnson/markdownlint-cli2-action@a23dae216ce3fee4db69da41fed90d2a4af801cf # v19.0.0
 
       - name: Lint fenced code blocks
         run: pnpm doc-fence-check
@@ -411,7 +411,7 @@ jobs:
 
       - name: Save coverage artifacts
         if: (success() || failure()) && github.event.pull_request.draft != true && matrix.coverage
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ matrix.upload-artifact-name }}
           path: |
@@ -567,7 +567,7 @@ jobs:
         run: pnpm test-e2e:pack
 
       - name: Upload
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: renovate-package
           path: renovate-0.0.0-semantic-release.tgz
@@ -611,7 +611,7 @@ jobs:
         run: pnpm test:docs
 
       - name: Upload
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docs
           path: tmp/docs/
@@ -684,7 +684,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@c440de95307545d23ff0e0b57018147e02ae217f # v3.5.15
+        uses: containerbase/internal-tools@c8f78cbc830d1883e695d06e3028136656e70f5b # v3.5.17
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/autobuild@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1

.github/workflows/scorecard.yml

@@ -43,14 +43,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: 'Upload artifact'
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -31,7 +31,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      - uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

.nvmrc

@@ -1 +1 @@
-22.11.0
+22.13.0

docs/usage/bazel.md

@@ -145,6 +145,19 @@ archive_override(
 Renovate ignores [`multiple_version_override`](https://bazel.build/rules/lib/globals/module#multiple_version_override).
 `multiple_version_override` does not affect the processing of version updates for a module.
 
+### `git_repository`
+
+If Renovate finds a [`git_repository`](https://bazel.build/rules/lib/repo/git#git_repository), it evaluates the `commit` value at the specified `remote`.
+`remote` is limited to github repos: `https://github.com/<owner>/<repo>.git`
+
+```python
+git_repository(
+    name = "rules_foo",
+    remote = "https://github.com/fooexample/rules_foo.git",
+    commit = "8c94e11c2b05b6f25ced5f23cd07d0cfd36edc1a",
+)
+```
+
 ## Legacy `WORKSPACE` files
 
 Renovate extracts dependencies from the following repository rules:
@@ -160,7 +173,7 @@ Renovate extracts dependencies from the following repository rules:
 It also recognizes when these repository rule names are prefixed with an underscore.
 For example, `_http_archive` is treated the same as `http_archive`.
 
-### `git_repository`
+### `git_repository` (legacy)
 
 Renovate updates any `git_repository` declaration that has the following:
 

docs/usage/configuration-options.md

@@ -2426,6 +2426,7 @@ Renovate only queries the OSV database for dependencies that use one of these da
 
 - [`crate`](./modules/datasource/crate/index.md)
 - [`go`](./modules/datasource/go/index.md)
+- [`hackage`](./modules/datasource/hackage/index.md)
 - [`hex`](./modules/datasource/hex/index.md)
 - [`maven`](./modules/datasource/maven/index.md)
 - [`npm`](./modules/datasource/npm/index.md)
@@ -3706,6 +3707,7 @@ This feature works with the following managers:
 - [`dockerfile`](modules/manager/dockerfile/index.md)
 - [`droneci`](modules/manager/droneci/index.md)
 - [`flux`](modules/manager/flux/index.md)
+- [`github-actions`](modules/manager/github-actions/index.md)
 - [`gitlabci`](modules/manager/gitlabci/index.md)
 - [`helm-requirements`](modules/manager/helm-requirements/index.md)
 - [`helm-values`](modules/manager/helm-values/index.md)

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/[email protected].7
+  uses: renovatebot/[email protected].9
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:39.82.1
+FROM renovate/renovate:39.104.1
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -14,15 +14,15 @@ name: renovate-otel-demo
 services:
   # Jaeger for storing traces
   jaeger:
-    image: jaegertracing/jaeger:2.1.0
+    image: jaegertracing/jaeger:2.2.0
     ports:
       - '16686:16686' # Web UI
       - '4317' # OTLP gRPC
       - '4318' # OTLP HTTP
 
   # Prometheus for storing metrics
   prometheus:
-    image: prom/prometheus:v3.0.1
+    image: prom/prometheus:v3.1.0
     ports:
       - '9090:9090' # Web UI
       - '4318' # OTLP HTTP
@@ -36,7 +36,7 @@ services:
   otel-collector:
     # Using the Contrib version to access the spanmetrics connector.
     # If you don't need the spanmetrics connector, you can use the standard version
-    image: otel/opentelemetry-collector-contrib:0.116.1
+    image: otel/opentelemetry-collector-contrib:0.117.0
     volumes:
       - ./otel-collector-config.yml:/etc/otelcol-contrib/config.yaml
     ports:

docs/usage/examples/self-hosting.md

@@ -25,8 +25,8 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
 docker run --rm renovate/renovate:39
-docker run --rm renovate/renovate:39.82
-docker run --rm renovate/renovate:39.82.1
+docker run --rm renovate/renovate:39.104
+docker run --rm renovate/renovate:39.104.1
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.82.1
+              image: renovate/renovate:39.104.1
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:39.82.1
+            - image: renovate/renovate:39.104.1
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:39.82.1
+              image: renovate/renovate:39.104.1
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/mend-hosted/.pages

@@ -1,5 +1,6 @@
 title: Mend-hosted Apps
 nav:
+  - 'Overview': 'overview.md'
   - 'Configuration': 'hosted-apps-config.md'
   - 'Credentials': 'credentials.md'
   - 'Migrating Secrets': 'migrating-secrets.md'

docs/usage/mend-hosted/overview.md

@@ -0,0 +1,59 @@
+# Mend Renovate Cloud-hosted (Community and Enterprise)
+
+Mend provides cloud hosting services for running Renovate in free and paid versions:
+
+- Mend Renovate Community Cloud (Free)
+- Mend Renovate Enterprise Cloud
+
+They are available for Git repositories hosted on the following cloud platforms:
+
+- GitHub
+- Bitbucket Cloud
+- Azure DevOps
+
+Mend Renovate cloud will regularly schedule Renovate jobs against all installed repositories.
+It also listens to webhooks and enqueues a Renovate job when relevant changes occur in a repo, or when actions are triggered from the Renovate PRs or Dashboard issue.
+There is a web UI with functionality to view and interact with installed repositories, their jobs and job logs.
+
+## Getting started
+
+To get started using Mend Renovate Cloud versions, access the Developer Portal at [https://developer.mend.io/](https://developer.mend.io/).
+
+Developers can log in using the OAuth credentials from their cloud-based Git repository.
+
+![Developer Portal sign-in screen](../assets/images/portal-sign-in.png)
+
+Features of the Developer Portal include:
+
+- Ability to install, uninstall and view installed repositories
+- Trigger Renovate jobs to run on demand
+- View logs for all Renovate jobs
+- Configure settings that apply at the Org-level or Repo-level
+
+## Resources and Scheduling
+
+The resources, scheduling and concurrency of Renovate jobs is determined by the version of Mend Renovate used by the Org.
+Details of the Mend Renovate Cloud versions are shown in the table below.
+
+|                               | Mend Renovate Community Cloud (Free) | Mend Renovate Enterprise Cloud |
+| ----------------------------- | ------------------------------------ | ------------------------------ |
+| Concurrent jobs per Org       | 1                                    | 16                             |
+| Job scheduling (active repos) | Every 4 hours                        | Hourly (\*1)                   |
+| Job runner CPUs               | 1 CPU                                | 2 CPU                          |
+| Job runner Memory             | 2Gb                                  | 8Gb                            |
+| Job runner Disk space         | 15Gb                                 | 40Gb                           |
+| Job timeout                   | 30 minutes                           | 60 minutes                     |
+| Merge Confidence Workflows    | Not included                         | Included                       |
+| Mend.io Helpdesk Support      | Not included                         | Included                       |
+
+(1) Bitbucket repositories running Mend Renovate Enterprise are scheduled to run every 4 hours, to avoid hitting rate limits on GitHub APIs.
+
+**Mend Renovate Community Cloud (Free)** - Available for free for all repositories.
+
+**Mend Renovate Enterprise Cloud** - Supported premium version. Contact Mend at [[email protected]](mailto:[email protected]) for purchase details.
+
+<!-- prettier-ignore -->
+!!! note
+    OSS-licensed orgs can request increased resources on Mend Renovate Community Cloud.
+    To request increased resources, create a “[Suggest an Idea](https://github.com/renovatebot/renovate/discussions/categories/suggest-an-idea)” item on the Renovate discussions board on GitHub.
+    Acceptance is at the discretion of Mend.io.

docs/usage/self-hosted-experimental.md

@@ -23,6 +23,13 @@ For more information see [the OpenTelemetry docs](opentelemetry.md).
 
 If set to any value, Renovate will always paginate requests to GitHub fully, instead of stopping after 10 pages.
 
+## `RENOVATE_STATIC_REPO_CONFIG`
+
+If set to a _valid_ `JSON` string containing a _valid_ Renovate configuration, it will be applied to the repository config before resolving the actual configuration file within the repository.
+
+> [!warning]
+> An invalid value will result in the scan being aborted.
+
 ## `RENOVATE_X_DOCKER_HUB_DISABLE_LABEL_LOOKUP`
 
 If set to any value, Renovate will skip attempting to get release labels (e.g. gitRef, sourceUrl) from manifest annotations for `https://index.docker.io`.

lib/config/decrypt.spec.ts

@@ -12,6 +12,7 @@ describe('config/decrypt', () => {
     beforeEach(() => {
       config = {};
       GlobalConfig.reset();
+      delete process.env.MEND_HOSTED;
       delete process.env.RENOVATE_X_ENCRYPTED_STRICT;
     });
 
@@ -34,8 +35,19 @@ describe('config/decrypt', () => {
 
     it('throws exception if encrypted found but no privateKey', async () => {
       config.encrypted = { a: '1' };
+
       process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
+      await expect(decryptConfig(config, repository)).rejects.toThrow(
+        'config-validation',
+      );
+    });
+
+    // coverage
+    it('throws exception if encrypted found but no privateKey- Mend Hosted', async () => {
+      config.encrypted = { a: '1' };
 
+      process.env.MEND_HOSTED = 'true';
+      process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
       await expect(decryptConfig(config, repository)).rejects.toThrow(
         'config-validation',
       );

lib/config/decrypt.ts

@@ -179,6 +179,12 @@ export async function decryptConfig(
           error.validationSource = 'config';
           error.validationError = 'Encrypted config unsupported';
           error.validationMessage = `This config contains an encrypted object at location \`$.${key}\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \`privateKey\` in Global Configuration.`;
+          if (process.env.MEND_HOSTED === 'true') {
+            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).
+Please migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/
+
+Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;
+          }
           throw error;
         } else {
           logger.error('Found encrypted data but no privateKey');

lib/config/options/index.ts

@@ -516,7 +516,7 @@ const options: RenovateOptions[] = [
     description:
       'Change this value to override the default Renovate sidecar image.',
     type: 'string',
-    default: 'ghcr.io/containerbase/sidecar:13.5.5',
+    default: 'ghcr.io/containerbase/sidecar:13.5.10',
     globalOnly: true,
   },
   {

lib/config/presets/common.ts

@@ -74,6 +74,7 @@ const renamedMonorepos: Record<string, string> = {
   Steeltoe: 'steeltoe',
   stryker: 'stryker-js',
   Swashbuckle: 'swashbuckle-aspnetcore',
+  nrwl: 'nx',
 };
 
 for (const [from, to] of Object.entries(renamedMonorepos)) {

lib/config/presets/github/index.ts

@@ -24,7 +24,7 @@ export async function fetchJSONFile(
   logger.trace({ url }, `Preset URL`);
   let res: { body: { content: string } };
   try {
-    res = await http.getJson(url);
+    res = await http.getJsonUnchecked(url);
   } catch (err) {
     // istanbul ignore if: not testable with nock
     if (err instanceof ExternalHostError) {

lib/config/presets/gitlab/index.ts

@@ -14,7 +14,7 @@ async function getDefaultBranchName(
   urlEncodedPkgName: string,
   endpoint: string,
 ): Promise<string> {
-  const res = await gitlabApi.getJson<GitlabProject>(
+  const res = await gitlabApi.getJsonUnchecked<GitlabProject>(
     `${endpoint}projects/${urlEncodedPkgName}`,
   );
   return res.body.default_branch ?? 'master'; // should never happen, but we keep this to ensure the current behavior