ci: add renovate config

.github/workflows/validate-renovate.yaml

@@ -0,0 +1,22 @@
+# Caller workflow for the reusable validate-renovate workflow in loft-sh/github-actions.
+# Before committing, replace <SHA> with the current commit behind the validate-renovate/v1
+# tag (keeps zizmor's unpinned-uses audit clean):
+#   git ls-remote https://github.com/loft-sh/github-actions "refs/tags/validate-renovate/v1"
+name: Validate Renovate Config
+
+on:
+  pull_request:
+    paths:
+      - 'renovate.json'
+      - 'renovate.json5'
+      - '.renovaterc'
+      - '.renovaterc.json'
+
+permissions: {}
+
+jobs:
+  validate-renovate:
+    permissions:
+      contents: read
+      pull-requests: read
+    uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@b52efbd927586ea78282073f79d2423e552c9f62 # validate-renovate/v1

renovate.json

@@ -0,0 +1,59 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranchPatterns": ["main"],
+  "labels": ["dependencies"],
+  "prHourlyLimit": 5,
+  "prConcurrentLimit": 10,
+  "minimumReleaseAge": "3 days",
+  "schedule": ["before 6am on monday"],
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "labels": ["security"]
+  },
+  "packageRules": [
+    {
+      "description": "npm: 7-day stabilization period for all JS deps",
+      "matchManagers": ["npm"],
+      "minimumReleaseAge": "7 days"
+    },
+    {
+      "description": "npm: group all non-major updates",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm-non-major"
+    },
+    {
+      "description": "npm: major updates individually",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["major"]
+    },
+    {
+      "description": "Internal loft-sh packages are version-coordinated by hand across the UI repos that consume this library (loft-enterprise, hosted-platform). @loft-enterprise/icons is an unpinnable wildcard, and @loft-enterprise/primitives is this repo's own published name. Managed manually.",
+      "matchManagers": ["npm"],
+      "matchPackageNames": [
+        "@loft-enterprise/client",
+        "@loft-enterprise/icons",
+        "@loft-enterprise/primitives"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Peer dependencies framer-motion and tailwindcss are exact-pinned to match the loft-enterprise consumer (framer-motion 9.0.1, tailwindcss 3.4.0). Bumping them here would desync the peer contract from the consumer. Managed manually alongside loft-enterprise.",
+      "matchManagers": ["npm"],
+      "matchDepTypes": ["peerDependencies"],
+      "matchPackageNames": ["framer-motion", "tailwindcss"],
+      "enabled": false
+    },
+    {
+      "description": "Group GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "groupName": "github-actions"
+    }
+  ],
+  "customManagers": []
+}