DefectDojo
diff --git a/‎.github/renovate.json‎
Lines changed: 25 additions & 8 deletions b/‎.github/renovate.json‎
Lines changed: 25 additions & 8 deletions
diff --git a/‎.github/workflows/build-docker-images-for-testing.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-docker-images-for-testing.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/detect-merge-conflicts.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/detect-merge-conflicts.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/gh-pages.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/gh-pages.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/helm-docs-updates.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/helm-docs-updates.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/k8s-tests.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/k8s-tests.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/renovate.yaml‎
Lines changed: 24 additions & 0 deletions b/‎.github/workflows/renovate.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎.github/workflows/shellcheck.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/shellcheck.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/slack-pr-reminder.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/slack-pr-reminder.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-helm-chart.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/test-helm-chart.yml‎
Lines changed: 3 additions & 3 deletions
@@ -1,21 +1,38 @@
 {
   "extends": [
-    "config:base"
+    "config:recommended"
   ],
   "dependencyDashboard": true,
   "dependencyDashboardApproval": false,
-  "baseBranches": ["dev"],
+  "baseBranchPatterns": ["dev"],
   "rebaseWhen": "conflicted",
   "separateMinorPatch": true,
-  "ignorePaths": ["requirements.txt", "requirements-lint.txt", "components/package.json", "components/package-lock.json", "dojo/components/yarn.lock", "dojo/components/package.json", "Dockerfile**"],
+  "ignorePaths": [
+    "requirements.txt",
+    "requirements-lint.txt",
+    "components/package.json",
+    "components/package-lock.json",
+    "dojo/components/yarn.lock",
+    "dojo/components/package.json",
+    "Dockerfile**"
+  ],
   "ignoreDeps": [],
   "packageRules": [{
-    "packagePatterns": ["*"],
-    "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{toVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
+    "matchPackageNames": ["*"],
+    "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
     "commitMessageSuffix": "({{packageFile}})",
     "labels": ["dependencies"]
   }],
-  "registryAliases": {
-    "bitnami": "https://charts.bitnami.com/bitnami"
-  }
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^.github/workflows//"
+      ],
+      "matchStrings": [
+        "\\w*:\\s[\"']?(?<currentValue>\\S*[^\"']?)[\"']?\\s#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+    }
+  ]
 }
@@ -40,7 +40,7 @@ jobs:
           echo $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
 
@@ -7,7 +7,7 @@ on:
       - master
       - bugfix
       - release/*
-      
+
   pull_request_target:
     types: [synchronize]
 
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: check if prs are conflicted
+        # we experience a high error rate so we allow this to fail but still have the check become green on the PR
+        continue-on-error: true
         uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
         with:
           dirtyLabel: "conflicts-detected"
 
@@ -15,13 +15,13 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.140.1'
+          hugo-version: '0.140.1' # renovate: datasource=github-releases depName=gohugoio/hugo versioning=loose
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '22.20.0'
+          node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 
@@ -13,7 +13,7 @@ jobs:
   docs_updates:
     name: Update documentation
     runs-on: ubuntu-latest
-    if: startsWith(github.head_ref, 'renovate/') or startsWith(github.head_ref, 'dependabot/')
+    if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -16,9 +16,9 @@ jobs:
           # databases, broker and k8s are independent, so we don't need to test each combination
           # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
           # are tested (https://kubernetes.io/releases/)
-          - k8s: 'v1.34.1'
+          - k8s: 'v1.34.1' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
             os: debian
-          - k8s: 'v1.31.13'
+          - k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
             os: debian
     steps:
       - name: Checkout
@@ -27,7 +27,7 @@ jobs:
       - name: Setup Minikube
         uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d # v2.14.0
         with:
-          minikube version: 'v1.37.0'
+          minikube version: 'v1.37.0' # renovate: datasource=github-releases depName=kubernetes/minikube versioning=loose
           kubernetes version: ${{ matrix.k8s }}
           driver: docker
           start args: '--addons=ingress --cni calico'
 
@@ -0,0 +1,24 @@
+name: "Renovate validation"
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - dev
+      - master
+      - bugfix
+      - release/*
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: validate
+        uses: suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e # v1.1.1
+        with:
+          strict: "true"
+          validator_version: 41.146.0 # renovate: datasource=github-releases depName=renovatebot/renovate
@@ -4,8 +4,8 @@ on:
   pull_request:
 env:
   SHELLCHECK_REPO: 'koalaman/shellcheck'
-  SHELLCHECK_VERSION: 'v0.9.0'
-  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71'
+  SHELLCHECK_VERSION: 'v0.9.0' # renovate: datasource=github-releases depName=koalaman/shellcheck versioning=loose
+  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
 
@@ -11,7 +11,7 @@ jobs:
     if: github.repository == 'DefectDojo/django-DefectDojo' # Notify only in core repo, not in forks - it would just fail in fork
     steps:
       - name: Notify reviewers in Slack
-        uses: DefectDojo-Inc/notify-pr-reviewers-action@master
+        uses: DefectDojo-Inc/notify-pr-reviewers-action@be26734e06338b41be6e70ce96027a51aa9ba9c6 # master
         with:
           owner: "DefectDojo"
           repository: "django-DefectDojo"
 
@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.14
+          python-version: 3.14 # Renovate helper is not needed here
 
       - name: Configure Helm repos
         run: |-
@@ -34,8 +34,8 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
-          yamale_version: 6.0.0
-          yamllint_version: 1.37.1
+          yamale_version: 6.0.0 # renovate: datasource=pypi depName=yamale versioning=semver
+          yamllint_version: 1.37.1 # renovate: datasource=pypi depName=yamllint versioning=semver
 
       - name: Determine target branch
         id: ct-branch-target