chore: inline self-contained house Renovate config #8

Merged
bakerboy448 merged 1 commit into main from chore/renovate-inline-config
Jun 21, 2026

@bakerboy448 bakerboy448 commented Jun 21, 2026

Collaborator

Replace bare config:recommended with the full inlined house Renovate config.

  • Built on public presets only (config:best-practices, :dependencyDashboard, :semanticCommits, vuln alerts).
  • Self-contained — no github>... / local>... cross-repo references.
  • Standardizes config across all modifiable repos (CANARY for rollout).

Validated with renovate-config-validator.

Summary by CodeRabbit

Chores

  • Enhanced dependency automation configuration to enforce safer update practices: minor and patch updates auto-merge upon successful CI, major updates require manual review, and vulnerability alerts are automatically merged. Lock file maintenance is now scheduled weekly.

Replace bare config:recommended with full inlined house config built on
public presets only (config:best-practices + dependencyDashboard +
semanticCommits + vuln alerts). Self-contained — no cross-repo refs.

coderabbitai Bot commented Jun 21, 2026

Walkthrough

renovate.json is expanded from a single config:recommended preset to a full self-contained configuration. The update adds scheduling, PR concurrency limits, labeling, automerge/rebase rules, vulnerability alert handling, packageRules for GitHub Actions and major updates, lockfile maintenance, and recreateWhen: "auto".

Changes

Renovate Configuration Overhaul

| Layer / File(s) | Summary |
| --- | --- |
| Full Renovate config replacement / renovate.json | Replaces the single-extends config with explicit presets, weekly schedule with timezone, PR concurrency cap, range/label/rebase/branch-prefix settings, vulnerability alerts (automerge + security label), packageRules grouping GitHub Actions minor/patch/digest updates for automerge and flagging major updates with review-required, and lockFileMaintenance with weekly automerge. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The PR description is well-written and explains the changes, but it does not follow the repository's required description template structure (missing Script(s) affected section and Checklist). | Update the description to follow the repository template by including the 'Script(s) affected' and 'Checklist' sections, marking relevant items and completion status. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'chore: inline self-contained house Renovate config' clearly and concisely summarizes the main change: converting from a minimal preset-based Renovate configuration to a complete inlined configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands and usage tips.
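
Added example (not part of the PR or of CodeRabbit's review): a small audit of the automerge policy summarised above, run over a constructed renovate.json rather than the repository's file. `audit_automerge` and the sample config are assumptions for illustration; the check reads only the literal file and does not resolve presets or packageRules ordering.

```python
import json

# Constructed sample, not the repository's renovate.json: it follows the policy the
# walkthrough describes, plus one deliberately loose rule for the audit to catch.
SAMPLE = json.loads("""
{
  "extends": ["config:best-practices"],
  "automerge": false,
  "vulnerabilityAlerts": {"automerge": true},
  "lockFileMaintenance": {"enabled": true, "automerge": true},
  "packageRules": [
    {"matchManagers": ["github-actions"],
     "matchUpdateTypes": ["minor", "patch", "digest"], "automerge": true},
    {"matchUpdateTypes": ["major"], "addLabels": ["review-required"]},
    {"matchPackageNames": ["example-dep"], "automerge": true}
  ]
}
""")

def audit_automerge(config):
    """Return (findings, automerge_paths) for a parsed renovate.json."""
    findings, paths = [], []
    if config.get("automerge"):
        findings.append("top-level automerge is on: every update type merges unreviewed")
        paths.append("automerge")
    # Sections that can switch automerge on independently of the global default.
    for key in ("vulnerabilityAlerts", "lockFileMaintenance"):
        if config.get(key, {}).get("automerge"):
            paths.append(key)
    for i, rule in enumerate(config.get("packageRules", [])):
        if not rule.get("automerge"):
            continue
        where = f"packageRules[{i}]"
        paths.append(where)
        types = rule.get("matchUpdateTypes")
        if not types:
            findings.append(f"{where}: automerge without matchUpdateTypes also covers major updates")
        elif "major" in types:
            findings.append(f"{where}: automerge explicitly includes major updates")
    return findings, paths

if __name__ == "__main__":
    findings, paths = audit_automerge(SAMPLE)
    print("automerge enabled at:", ", ".join(paths))
    for finding in findings:
        print("FINDING:", finding)
```
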

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@renovate.json`:
- Line 11: Remove the redundant empty ignoreDeps array from the renovate.json
configuration file. The ignoreDeps property with an empty array is the default
behavior in Renovate, so including it explicitly only adds configuration noise
without providing functional value. Simply delete the "ignoreDeps": [] entry
from the configuration object to clean up the configuration file.
- Line 4: The renovate.json configuration has redundant label configuration due
to the `:enableVulnerabilityAlertsWithLabel(security)` preset on line 4 already
setting the "security" label for vulnerability alerts. Locate the
`vulnerabilityAlerts` object in the configuration and remove the `"labels":
["security"]` property from it, while preserving the `schedule` and `automerge`
properties that should remain in that object.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b2b0b9fe-8c36-4a1a-bb89-000597764714

📥 Commits

Reviewing files that changed from the base of the PR and between 5242290 and 45166bc.

📒 Files selected for processing (1)
  • renovate.json

Comment thread renovate.json
"config:recommended"
]
"description": "Inlined house Renovate config — self-contained, public presets only.",
"extends": ["config:best-practices", ":dependencyDashboard", ":semanticCommits", ":enableVulnerabilityAlertsWithLabel(security)"],
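
Review bot: the `description` on the first added line calls the config self-contained, but the `extends` line under it still resolves four built-in presets, so what the config does depends on how the running Renovate version expands `config:best-practices` and the others. Word the description as "no cross-repo presets", and put one preset per line so a later change to the list shows up as a one-line diff.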

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check Renovate documentation for the enableVulnerabilityAlertsWithLabel preset

# Search for any local documentation or comments about vulnerability alert configuration
rg -i -C3 'vulnerabilityAlerts|enableVulnerabilityAlerts' --glob '*.md'

Repository: baker-scripts/Scripts

Length of output: 47


🌐 Web query:

What does the Renovate preset :enableVulnerabilityAlertsWithLabel(security) configure by default?

💡 Result:

The Renovate preset :enableVulnerabilityAlertsWithLabel(security) enables vulnerability alerts and configures Renovate to add a PR label list containing exactly "security" (i.e., it replaces any existing list of PR labels with ["security"]). [1] Concretely, the preset sets vulnerabilityAlerts.enabled = true and vulnerabilityAlerts.labels = ["{{arg0}}"], so with arg0 = security it becomes vulnerabilityAlerts.labels = ["security"]. [1]

Citations:


🏁 Script executed:

cat -n renovate.json | head -20

Repository: baker-scripts/Scripts

Length of output: 1777


Remove redundant "labels": ["security"] from line 12.

The preset :enableVulnerabilityAlertsWithLabel(security) on line 4 already configures vulnerability alerts with the "security" label. The explicit vulnerabilityAlerts configuration on line 12 redundantly specifies "labels": ["security"] again. Keep the schedule and automerge settings, but remove the redundant labels property.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@renovate.json` at line 4, The renovate.json configuration has redundant label
configuration due to the `:enableVulnerabilityAlertsWithLabel(security)` preset
on line 4 already setting the "security" label for vulnerability alerts. Locate
the `vulnerabilityAlerts` object in the configuration and remove the `"labels":
["security"]` property from it, while preserving the `schedule` and `automerge`
properties that should remain in that object.

Comment thread renovate.json
"labels": ["dependencies", "renovate"],
"rangeStrategy": "bump", "separateMajorMinor": true, "separateMinorPatch": false,
"automerge": false, "platformAutomerge": false, "rebaseWhen": "behind-base-branch",
"branchPrefix": "renovate/", "ignoreDeps": [],
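
Review bot: `"automerge": false` and `"platformAutomerge": false` share the third line with `rebaseWhen`, so the global default that decides whether anything merges without review is easy to overlook among the several keys packed onto each line here. Give each key its own line, and state in `description` that automerge is off by default and switched on only in the places the walkthrough lists (vulnerability alerts, GitHub Actions minor/patch/digest updates, lock file maintenance).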

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Remove redundant empty ignoreDeps array.

The ignoreDeps: [] declaration is redundant since an empty array is the default value. Unless this is included explicitly for documentation purposes or to facilitate future modifications, consider removing it to reduce configuration noise.

♻️ Proposed cleanup
-  "branchPrefix": "renovate/", "ignoreDeps": [],
+  "branchPrefix": "renovate/",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@renovate.json` at line 11, Remove the redundant empty ignoreDeps array from
the renovate.json configuration file. The ignoreDeps property with an empty
array is the default behavior in Renovate, so including it explicitly only adds
configuration noise without providing functional value. Simply delete the
"ignoreDeps": [] entry from the configuration object to clean up the
configuration file.

@bakerboy448 bakerboy448 merged commit 6a5f7d4 into main Jun 21, 2026
2 checks passed
@bakerboy448 bakerboy448 deleted the chore/renovate-inline-config branch June 21, 2026 19:55