From fc33eb66bbd628a54e8323537a5aadbdb8e67135 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:29:37 +0000
Subject: [PATCH 1/5] Add renovate.json
---
 renovate.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 00000000..1e9f4b64
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "local>BraneFramework/.github:renovate-config"
+ ]
+}
From 216e29a5d7466eb12c37458853637ad47c587e2c Mon Sep 17 00:00:00 2001
From: Daniel Voogsgerd
Date: Fri, 19 Dec 2025 16:04:00 +0100
Subject: [PATCH 2/5] chore: Improve renovate config
---
 renovate.json | 6 ----
 renovate.json5 | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 6 deletions(-)
 delete mode 100644 renovate.json
 create mode 100644 renovate.json5
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 1e9f4b64..00000000
--- a/renovate.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "local>BraneFramework/.github:renovate-config"
- ]
-}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 00000000..23c9984d
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,93 @@
+// Brane's renovate config
+//
+// Some settings are set to their default value, this is not by accident.
+// Sometimes we are deliberate in our choice even if its default. Please annotate these choices with a comment.
+// Renovate was chosen over dependabot as dependabot does not handle minimal versions appropriately.
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ // I actively choose recommended over best practices.
+ // I'm unsure if digest pinning for docker and github actions is worthwhile for Brane at this moment
+ "config:recommended",
+ ":semanticCommitTypeAll(chore)",
+
+ // I would recommend earlyMondays during active development, and monthly in passive phases
+ "schedule:earlyMondays",
+
+ // Create PRs for Renovate config updates
+ ":configMigration",
+ ],
+
+ "timezone": "Europe/Amsterdam",
+ "labels": ["C-Dependencies"],
+
+ // I think automerge can be tricky with supply chain security.
+ // It also has a tendency to break MSRV I think.
+ "automerge": false,
+
+ // Make sure we do not get too crowded with PRs, if there are five open we should probably be focussing on those first.
+ // Only reason I can think of to remove or increase this limit is because I want the regular monthly update set
+ "prConcurrentLimit": 5,
+ "prHourlyLimit": 5,
+
+ // Vulnerability alerts are obviously important
+ "vulnerabilityAlerts": {
+ "addLabels": ["P-Critical", "C-Security"],
+ },
+
+ // This is also a possibility quite similar to the current minor & patch rules.
+ // The upside of the other solution is that it allows for more finegrained control in the future.
+ // It also can provide more semantic information of what it actually upgraded instead of some big lockfile diff
+ // Note: This might be needed in the future if the package rules for patch & minor differ from
+ "lockFileMaintenance": { "enabled": false },
+
+ "packageRules": [
+ // Add things to this section if you want them to apply to rust updates only
+ // TODO: Add all Rust related configuration options
+ {
+ "matchManagers": ["cargo"],
+ },
+
+ // Note: These updates are to the lockfile only as manifest dependencies
+ // specify the minimal version, wrile the lockfile specifies the actual version.
+ // Note: We group patch and minor together here
+ {
+ "matchUpdateTypes": ["minor"],
+ "matchManagers": ["cargo"],
+ "matchCurrentValue": "!/^v?0\\./",
+ "groupName": "all non-major dependencies (exclude 0.x.y)",
+ "groupSlug": "cargo-minor-patch-semver",
+ "prPriority": 9,
+ },
+ {
+ "matchUpdateTypes": ["patch"],
+ "matchManagers": ["cargo"],
+ "matchCurrentValue": "!/^v?0\\.0\\./",
+ "groupName": "all non-major dependencies (exclude 0.x.y)",
+ "groupSlug": "cargo-minor-patch-semver",
+ "prPriority": 9,
+ },
+
+ // We can group github actions updates together, they almost always apply with very little intervention.
+ // Combining them reduces the noise a lot
+ {
+ "matchManagers": ["github-actions"],
+ "addLabels": ["A-CI", "A-CD"],
+ "groupName": "GitHub actions",
+ "groupSlug": "gh-actions",
+ }
+
+ // TODO: We probably want to update Docker images as well here.
+ ],
+
+
+ // If Brane is not in active development I recommend changing this to false.
+ // The updates are still listed in the dashboard this way.
+ "major": {
+ "dependencyDashboardApproval": false,
+ },
+
+ // Do not take immediately update.
+ // The chances of a package being yanked in the first couple of days are not negligible.
+ "minimumReleaseAge": "3",
+}
From b75bfa1088daa4d299d62ce1742ec0def95bee21 Mon Sep 17 00:00:00 2001
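Review bot: `"minimumReleaseAge": "3"` at the end of the new renovate.json5 (PATCH 2/5) gives a number with no unit, while the comment above it talks about "the first couple of days". Renovate documents this option as a duration string, so a bare `"3"` may be rejected by config validation or read as something far shorter than three days; either way the cooling-off period that is meant to keep freshly published or soon-yanked releases out of the lockfile would not apply. I would write `"minimumReleaseAge": "3 days",` and confirm with the config validator that it is accepted. The comment itself reads better as `// Do not take updates immediately.`.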
From: Daniel Voogsgerd
Date: Fri, 19 Dec 2025 16:23:52 +0100
Subject: [PATCH 3/5] Update comment
---
 renovate.json5 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/renovate.json5 b/renovate.json5
index 23c9984d..a8590c95 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -81,8 +81,11 @@
 ],
 
 
- // If Brane is not in active development I recommend changing this to false.
- // The updates are still listed in the dashboard this way.
+ // Set this to false if Brane is in active development and relatively up to date.
+ // If there is little time for major updates, enable this setting.
+ // With this setting enabled, updates are still listed in the dashboard, but only
+ // PRs are created when you're ready. Updating major dependencies in Brane can be
+ // a lot of work.
 "major": {
 "dependencyDashboardApproval": false,
 },
From c7631e4ee3c02c9de7a7f1e419c76d2ee6adbd07 Mon Sep 17 00:00:00 2001
From: Daniel Voogsgerd
Date: Fri, 19 Dec 2025 16:30:18 +0100
Subject: [PATCH 4/5] Alternative approval notation
---
 renovate.json5 | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/renovate.json5 b/renovate.json5
index a8590c95..de065fa8 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -46,6 +46,13 @@
 // TODO: Add all Rust related configuration options
 {
 "matchManagers": ["cargo"],
+ // Set this to false if Brane is in active development and relatively up to date.
+ // If there is little time for major updates, enable this setting.
+ // With this setting enabled, updates are still listed in the dashboard, but only
+ // PRs are created when you're ready. Updating major dependencies in Brane can be
+ // a lot of work.
+ // Note: This setting is overridden for patch and minor versions
+ "dependencyDashboardApproval": true,
 },
 
 // Note: These updates are to the lockfile only as manifest dependencies
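Review bot: The comment added to the cargo rule in the first hunk of PATCH 4/5 says the approval gate "is overridden for patch and minor versions", but the two overriding rules (second and third hunks) carry `matchCurrentValue` filters, so they only cover minor bumps of crates outside 0.x and patch bumps of crates outside 0.0.x. Minor updates of 0.x crates and patch updates of 0.0.x crates will therefore wait for dashboard approval together with majors; that fits Cargo's semver rules, but the comment should say so, e.g. `// Note: overridden below for semver-compatible minor and patch updates only`. The removed `"major"` block set `dependencyDashboardApproval` to false for every manager and the new rule sets it to true for cargo, so this commit changes behaviour and not only notation. With all remaining cargo updates gated, it is worth confirming that PRs raised through `vulnerabilityAlerts` still open without manual approval. The `packageRules` array continues outside these hunks.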
@@ -58,6 +65,7 @@
 "groupName": "all non-major dependencies (exclude 0.x.y)",
 "groupSlug": "cargo-minor-patch-semver",
 "prPriority": 9,
+ "dependencyDashboardApproval": false,
 },
 {
 "matchUpdateTypes": ["patch"],
@@ -66,6 +74,7 @@
 "groupName": "all non-major dependencies (exclude 0.x.y)",
 "groupSlug": "cargo-minor-patch-semver",
 "prPriority": 9,
+ "dependencyDashboardApproval": false,
 },
 
 // We can group github actions updates together, they almost always apply with very little intervention.
@@ -80,16 +89,6 @@
 // TODO: We probably want to update Docker images as well here.
 ],
 
-
- // Set this to false if Brane is in active development and relatively up to date.
- // If there is little time for major updates, enable this setting.
- // With this setting enabled, updates are still listed in the dashboard, but only
- // PRs are created when you're ready. Updating major dependencies in Brane can be
- // a lot of work.
- "major": {
- "dependencyDashboardApproval": false,
- },
-
 // Do not take immediately update.
 // The chances of a package being yanked in the first couple of days are not negligible.
 "minimumReleaseAge": "3",
From 6805a2eaa340cf41becd75643a5653174499b0e8 Mon Sep 17 00:00:00 2001
From: Daniel Voogsgerd
Date: Fri, 19 Dec 2025 16:44:39 +0100
Subject: [PATCH 5/5] fix(renovate): Ignore docker
---
 renovate.json5 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/renovate.json5 b/renovate.json5
index de065fa8..476de639 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -84,9 +84,13 @@
 "addLabels": ["A-CI", "A-CD"],
 "groupName": "GitHub actions",
 "groupSlug": "gh-actions",
- },
+ },
 
- // TODO: We probably want to update Docker images as well here.
+ // TODO: Enable this
+ {
+ "matchManagers": ["docker", "docker-compose"],
+ "enabled": false,
+ }
 ],
 
 // Do not take immediately update.
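Review bot: `"matchManagers": ["docker", "docker-compose"]` in the hunk of PATCH 5/5 names `docker`, which in Renovate is a datasource; the manager that reads Dockerfiles is called `dockerfile`. As written the rule may fail config validation or never match Dockerfile dependencies, so I would use `"matchManagers": ["dockerfile", "docker-compose"],`, or `"matchDatasources": ["docker"]` if every container image reference is meant, keeping in mind that the latter also reaches image references found by other managers. While the rule is active, base images get no update PRs, so `// TODO: Enable this` should state why Docker is switched off and where re-enabling is tracked, e.g. `// TODO(<issue-id>): Docker updates disabled because <reason>; base images are not being refreshed meanwhile`. The `packageRules` array starts outside this hunk.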