Merge branch 'main' into refactor/use-yaml

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:11.11.9
+FROM ghcr.io/containerbase/devcontainer:11.11.17

.github/label-actions.yml

@@ -20,6 +20,7 @@
      5. Fill out the information in your repository's `README.md`.
      6. Add the link to your reproduction to the first post of your Discussion. If you are not the original author, you can post a new comment with the link.
 
+    If you need help with running renovate on your minimal reproduction repository, please refer to our [Running Renovate guide](https://docs.renovatebot.com/getting-started/running/).
 
     Good luck,
 
@@ -124,6 +125,22 @@
     Read the [Renovate docs, Troubleshooting](https://docs.renovatebot.com/troubleshooting/) to learn more about getting the docs, and getting the correct type of logs.
 
 
+    Thanks, the Renovate team
+
+'auto:logs-reduction':
+  comment: >
+    Hi there,
+
+
+    Please limit the amount of logs you're pasting into this discussion. The maintainers have a limited amount of time to help you, and often do so from mobile devices. It's easier for us if you only paste the relevant parts of the logs, and point us to the lines you think are relevant.
+
+
+    For example, if your problem is about a certain dependency, find the log sections which apply to that dependency and paste only those sections. Similarly, if your problem is about a particular branch/PR, find the log sections which apply to that branch/PR and paste only those sections.
+
+
+    If you're not sure, it's acceptable to paste the full logs, including into a gist. Please try to explain the problem in enough detail to give us starting points to debug. If you only paste the full log, and do nothing else, it is likely that we will take longer to help you, or we may not start to help you at all.
+
+
     Thanks, the Renovate team
 
 'new package manager':
@@ -438,4 +455,23 @@
     If you are a paying Mend.io customer, please tell your support or customer contact that this issue is important to you.
 
 
+    Thanks, the Renovate team
+
+'auto:reduce-complexity':
+  comment: >
+    Hi there,
+
+
+    This discussion is too complex, and we want you to simplify. This way you are more likely to get help or a solution.
+
+
+    For example, if you've pasted your _whole_ complex config, while your problem is about just one part, consider removing the parts that are not relevant to your problem. The best way to do this is to create a [minimal reproduction](https://github.com/renovatebot/renovate/blob/main/docs/development/minimal-reproductions.md).
+
+
+    You may have tried many ways to do something, and described all the methods you tried. If none of the methods worked, please focus on the most promising method, or the ideal solution. Avoid complicating the description (or logs) with the failed attempts.
+
+
+    To summarize: please reduce the complexity of your discussion, to increase the chances of getting help.
+
+
     Thanks, the Renovate team

.github/workflows/build.yml

@@ -31,7 +31,7 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 20
-  PDM_VERSION: 2.18.1 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.18.2 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
@@ -683,7 +683,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@85061d6ea57790418fdf4e2672560b82654478de # v3.4.12
+        uses: containerbase/internal-tools@b6d2b362cb282e8088211f792cc2211529936635 # v3.4.17
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7

.github/workflows/scorecard.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -31,7 +31,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+      - uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

.python-version

@@ -1 +1 @@
-3.12.5
+3.12.6

CODE_OF_CONDUCT.md

@@ -62,7 +62,7 @@ We get many questions each week and do our best to answer each one.
 To get the help you need, please be prepared to give detailed logs or descriptions of your issues.
 If you do not want to spend the effort giving us enough information, it's likely you will not get the help you need.
 
-### Wy we sometimes give short answers
+### Why we sometimes give short answers
 
 We have limited time, which means we may:
 

docs/development/adding-a-package-manager.md

@@ -108,3 +108,84 @@ Use `updateDependency` if _both_ conditions apply:
 ### `updateLockedDependency` (optional)
 
 Use `updateLockedDependency` to directly update dependencies in lock files.
+
+## Package files and Lock files
+
+In Renovate terminology, "package files" are the files where human-readable dependency definitions are kept.
+For example, this includes npm's `package.json` file, Maven's `pom.xml` file, and Docker's `Dockerfile`.
+
+Some package managers may additionally have "lock files", e.g. npm's `package-lock.json`.
+If a lock file is present in a repository then Renovate needs to update both in the same commit, otherwise the update may be "broken".
+Therefore if a new manager is being developed and it is usual to have a lock file, supporting lock file updating should be done from the start.
+
+Supporting lock file updating usually requires Renovate to support a third party tool, e.g. `npm`, `poetry`, etc.
+It's rare and not recommended for Renovate to "reverse engineer" lock file formats and make updates manually instead of calling such tools.
+Adding support for such tools requires adding awareness of each tool to [Containerbase](https://github.com/containerbase/base) first.
+
+Here are the various ways in approximate order in which lock file awareness should be added to a manager:
+
+### Lock file maintenance
+
+The purpose of lock file maintenance is to update all locked dependencies (including transitive) to the latest possible versions.
+
+There are two approaches which can be used:
+
+- Delete the existing lock file, then call a command like `<tool> install` to regenerate it, or
+- Call a command like `<tool> update` if such a command exists to satisfy this same requirement (updating the entire lock file where possible)
+
+Where available, the second approach is better because lock file may sometimes have platform-specific information (e.g. amd64, arm64) which can be lost if the lock file is regenerated completely as in the first approach.
+
+### Lock file updating after a package file change
+
+This functionality is often mandatory from initial implementation.
+
+In this scenario, an `updateArtifacts()` function must be added.
+Its purpose is to essentially "sync" the lock file to the package file changes made by Renovate, so that both files can be updated in the same commit.
+
+Usually, the flow is like this:
+
+1. Renovate makes changes to the version or constraint in the package file directly,
+2. Renovate calls a tool command like "<tool> install", "<tool> lock", etc.
+3. If the tool command resulted in a changed lock file (it usually should), then Renovate commits the changes along with the package file change
+
+### Locked version extracting and dependency pinning
+
+The next step is for the manager's "extract" functionality to return a `lockedVersion` for dependencies whenever a lock file exists.
+To do this, the manager should:
+
+1. Parse the lock file
+2. Associate each dependency from the package file with its entry in the lock file
+3. Add that associated version as `lockedVersion`
+
+Once `lockedVersion` is provided, Renovate should be able to "pin" constraints/ranges into exact versions, if the user configures as such (e.g. `rangeStrategy=pin`) however Renovate _won't_ automatically be able to make lockfile-only updates.
+
+### Lock file-only updates
+
+#### updateArtifacts()
+
+It's a common scenario where users want or need to retain constraints in their package file (e.g. `^1.0.0`) and have Renovate make updates to the lock file when new versions are available (e.g. updating from a locked value of `1.1.0` to `1.1.1`).
+In this case, it's a prerequisite that the manager must extract `lockedVersion` as described above.
+
+In addition to this, the manager needs to add logic to `updateArtifacts()` to detect if any of the updates it has been passed satisfy `isLockFileUpdate=true`.
+If any lock file-only updates have been passed, then the manager typically needs to run specific commands to update/bump the locked version for one specific dependency only.
+This functionality is manager-specific, and depends heavily on the capabilities of the third party tool, but a mix of the following approaches are used in Renovate, from best to worst:
+
+- Renovate calls a tool command to specifically update the dependency in question to the specific version, e.g. `<tool> update <dependency name>@<new version>`
+- Renovate manually updates the locked version in the lock file it needs updated, then calls a `<tool> install` command to "fix" up the remaining parts (hashes, transitive dependencies, etc). This is good if it works but it is prone to breaking in future releases because it's possible that the maintainers of the tool are not aware of people using it in this manner, even if it works unintentionally.
+- Renovate calls a tool command similar to the first approach, except the tool doesn't support specific versions, e.g. `<tool> update <dependency name>`. This approach can be problematic because Renovate might _want_ to update to e.g. v1.1.1 but instead the tool finds a newer v1.1.2 and that's what the user gets instead
+
+A further complication is that sometimes dependencies need to be upgraded together or else there are peer dependency problems or other conflicts.
+In that case it's best if the tool can support a list of dependencies to update and they are done all at once.
+
+#### updateLockedDependency()
+
+The `updateLockedDependency()` method is optional for managers but recommended that any manager which supports `rangeStrategy=update-lockfile` implements the `updateLockedDependency()` method.
+The most valuable part of this method is returning quickly if a dependency is already updated, so that tool commands don't need to be run every time.
+
+The simplest logic for this method is:
+
+1. Parse the existing lock file
+2. If the locked version of the dependency is already updated to the version specified then return `{ status: 'already-updated' }`
+3. Otherwise, return `{ status: 'unsupported' }`
+
+An example of this can be seen in [the composer manager source code for updateLockedDependency()](https://github.com/renovatebot/renovate/blob/da4964ac05952f9fe0543ba1174fcd62ad083d48/lib/modules/manager/composer/update-locked.ts#L7-L30).=

docs/usage/configuration-options.md

@@ -2103,7 +2103,7 @@ In the case that a user is automatically added as reviewer (such as Renovate App
 
 ## ignoreScripts
 
-Applicable for npm, Composer and Copier only for now. Set this to `true` if running scripts causes problems.
+Applicable for npm, bun, Composer and Copier only for now. Set this to `true` if running scripts causes problems.
 
 ## ignoreTests
 
@@ -2417,7 +2417,7 @@ The matching process for a package rule:
 - Combining multiple matchers will restrict the resulting matches (they're AND-ed together):
   `matchCurrentVersion`, `matchCurrentValue`, `matchNewValue`, `matchConfidence`, `matchCurrentAge`,
   `matchManagers`, `matchDatasources`, `matchCategories`, `matchDepTypes`, `matchUpdateTypes`,
-  `matchRepositories`/`excludeRepositories`, `matchBaseBranches`, `matchFileNames`
+  `matchRepositories`, `matchBaseBranches`, `matchFileNames`
 
 Here is an example if you want to group together all packages starting with `eslint` into a single branch/PR:
 
@@ -2593,7 +2593,7 @@ Use this field to restrict rules to a particular branch. e.g.
   "packageRules": [
     {
       "matchBaseBranches": ["main"],
-      "excludePackagePatterns": ["^eslint"],
+      "matchPackageNames": ["!/^eslint/"],
       "enabled": false
     }
   ]
@@ -2607,7 +2607,7 @@ This field also supports Regular Expressions if they begin and end with `/`. e.g
   "packageRules": [
     {
       "matchBaseBranches": ["/^release/.*/"],
-      "excludePackagePatterns": ["^eslint"],
+      "matchPackageNames": ["!/^eslint/"],
       "enabled": false
     }
   ]

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/[email protected].7
+  uses: renovatebot/[email protected].9
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:38.59.2
+FROM renovate/renovate:38.80.0
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -13,13 +13,13 @@ version: '3'
 services:
   # Jaeger
   jaeger:
-    image: jaegertracing/all-in-one:1.60.0
+    image: jaegertracing/all-in-one:1.61.0
     ports:
       - '16686:16686'
       - '4317'
 
   otel-collector:
-    image: otel/opentelemetry-collector-contrib:0.108.0
+    image: otel/opentelemetry-collector-contrib:0.109.0
     command: ['--config=/etc/otel-collector-config.yml']
     volumes:
       - ./otel-collector-config.yml:/etc/otel-collector-config.yml

docs/usage/examples/self-hosting.md

@@ -25,8 +25,8 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
 docker run --rm renovate/renovate:38
-docker run --rm renovate/renovate:38.59
-docker run --rm renovate/renovate:38.59.2
+docker run --rm renovate/renovate:38.80
+docker run --rm renovate/renovate:38.80.0
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:38.59.2
+              image: renovate/renovate:38.80.0
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:38.59.2
+            - image: renovate/renovate:38.80.0
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:38.59.2
+              image: renovate/renovate:38.80.0
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/key-concepts/presets.md

@@ -12,51 +12,58 @@ To learn how to create your own presets, how to host them, and how to extend fro
 Use presets to:
 
 - Set up the bot with good default settings
-- Reduce duplication of your configuration
+- Avoid duplicating your configuration
 - Share your configuration with others
-- Use somebody else's configuration and extend it with your own rules
+- Use somebody else's configuration as-is, or extend it with your own rules
 
 ## How to use presets
 
-Let's say you're using the `config:recommended` preset, and want to pin your GitHub Action digests.
-Instead of writing your own Renovate config, you search through Renovate's built-in presets.
-You find the the `helpers:pinGitHubActionDigests` preset and add it to the `extends` array:
+Say you're using the `config:recommended` preset, and want to pin your GitHub Action digests.
+Instead of writing your own Renovate config, you search the docs, and find the `helpers:pinGitHubActionDigests` preset.
+Then you add the preset to the `"extends"` array in your Renovate configuration file:
 
 ```json
 {
   "extends": ["config:recommended", "helpers:pinGitHubActionDigests"]
 }
 ```
 
-Renovate now follows the rules for `config:recommended` plus the rules for `helpers:pinGitHubActionDigests`.
-If there is a logical conflict between presets, then the last preset in the array wins.
+In the example above, Renovate follows the rules from the `config:recommended` preset, plus the rules for `helpers:pinGitHubActionDigests`.
+
+<!-- prettier-ignore -->
+!!! tip
+    If there is a logical conflict between presets, then the _last_ preset in the `"extends"` array "wins".
 
 ## Managing config for many repositories
 
-If you manage Renovate for many repositories, then you should create a global preset configuration.
-Then you extend the global preset in each repository.
-This way you have all global configuration in a single file, in a single repository.
+If you manage the Renovate configuration for many repositories, we recommend that you:
+
+1. Create a global preset configuration
+1. Extend from the global preset in all of the repositories that should use your global preset as base
+
+This way, when you want to change your global Renovate configuration, you only need to edit the global preset file.
 
 ## Presets are modular
 
-Preset configs are modular, they can be as small as a single package rule or as large as an entire configuration.
-This is similar to the way you can share ESLint configurations.
+Preset configs are modular: a preset can be as small or large as you need.
+A preset can even extend from _other_ presets.
 
 ## Built-in presets
 
-Renovate comes with a lot of built-in presets that you can use.
-Browse [Renovate's default presets](../presets-default.md) to find any that are useful to you.
-Once you find a preset you like, put it in an `extends` array in your config file.
+Renovate comes with many built-in presets.
+We recommend you browse [Renovate's default presets](../presets-default.md).
+Again, to use the preset: add it to the `"extends"` array in your Renovate config file.
 
 ### Contributing a new built-in preset
 
 If you have a Renovate config that may help others, you can put it into Renovate's built-in presets.
-
 Read [Contributing to presets](../config-presets.md#contributing-to-presets) to learn how.
 
 ## Summary
 
 In short:
 
-- Browse [Renovate's default presets](../presets-default.md) to find any that are useful to you
-- Publish your own if you wish to reuse them across repositories
+- Browse [Renovate's default presets](../presets-default.md), or our other presets, to find helpful presets
+- Use presets by putting them in the `"extends"` array in your Renovate config file
+- To manage the Renovate configuration for many repositories at once, create a global preset config file
+- The order of presets matters: in a logical conflict, the last preset in the `"extends"` array "wins"