Merge branch 'main' into feat/readable-schedule-desc

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.5.6
+FROM ghcr.io/containerbase/devcontainer:13.5.8

docs/usage/configuration-options.md

@@ -2426,6 +2426,7 @@ Renovate only queries the OSV database for dependencies that use one of these da
 
 - [`crate`](./modules/datasource/crate/index.md)
 - [`go`](./modules/datasource/go/index.md)
+- [`hackage`](./modules/datasource/hackage/index.md)
 - [`hex`](./modules/datasource/hex/index.md)
 - [`maven`](./modules/datasource/maven/index.md)
 - [`npm`](./modules/datasource/npm/index.md)
@@ -3706,6 +3707,7 @@ This feature works with the following managers:
 - [`dockerfile`](modules/manager/dockerfile/index.md)
 - [`droneci`](modules/manager/droneci/index.md)
 - [`flux`](modules/manager/flux/index.md)
+- [`github-actions`](modules/manager/github-actions/index.md)
 - [`gitlabci`](modules/manager/gitlabci/index.md)
 - [`helm-requirements`](modules/manager/helm-requirements/index.md)
 - [`helm-values`](modules/manager/helm-values/index.md)

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/[email protected].7
+  uses: renovatebot/[email protected].8
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:39.86.0
+FROM renovate/renovate:39.91.0
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -22,7 +22,7 @@ services:
 
   # Prometheus for storing metrics
   prometheus:
-    image: prom/prometheus:v3.0.1
+    image: prom/prometheus:v3.1.0
     ports:
       - '9090:9090' # Web UI
       - '4318' # OTLP HTTP

docs/usage/examples/self-hosting.md

@@ -25,8 +25,8 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
 docker run --rm renovate/renovate:39
-docker run --rm renovate/renovate:39.86
-docker run --rm renovate/renovate:39.86.0
+docker run --rm renovate/renovate:39.91
+docker run --rm renovate/renovate:39.91.0
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.86.0
+              image: renovate/renovate:39.91.0
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:39.86.0
+            - image: renovate/renovate:39.91.0
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:39.86.0
+              image: renovate/renovate:39.91.0
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/self-hosted-experimental.md

@@ -23,6 +23,13 @@ For more information see [the OpenTelemetry docs](opentelemetry.md).
 
 If set to any value, Renovate will always paginate requests to GitHub fully, instead of stopping after 10 pages.
 
+## `RENOVATE_STATIC_REPO_CONFIG`
+
+If set to a _valid_ `JSON` string containing a _valid_ Renovate configuration, it will be applied to the repository config before resolving the actual configuration file within the repository.
+
+> [!warning]
+> An invalid value will result in the scan being aborted.
+
 ## `RENOVATE_X_DOCKER_HUB_DISABLE_LABEL_LOOKUP`
 
 If set to any value, Renovate will skip attempting to get release labels (e.g. gitRef, sourceUrl) from manifest annotations for `https://index.docker.io`.

lib/config/decrypt.spec.ts

@@ -12,6 +12,7 @@ describe('config/decrypt', () => {
     beforeEach(() => {
       config = {};
       GlobalConfig.reset();
+      delete process.env.MEND_HOSTED;
       delete process.env.RENOVATE_X_ENCRYPTED_STRICT;
     });
 
@@ -34,8 +35,19 @@ describe('config/decrypt', () => {
 
     it('throws exception if encrypted found but no privateKey', async () => {
       config.encrypted = { a: '1' };
+
       process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
+      await expect(decryptConfig(config, repository)).rejects.toThrow(
+        'config-validation',
+      );
+    });
+
+    // coverage
+    it('throws exception if encrypted found but no privateKey- Mend Hosted', async () => {
+      config.encrypted = { a: '1' };
 
+      process.env.MEND_HOSTED = 'true';
+      process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
       await expect(decryptConfig(config, repository)).rejects.toThrow(
         'config-validation',
       );

lib/config/decrypt.ts

@@ -179,6 +179,12 @@ export async function decryptConfig(
           error.validationSource = 'config';
           error.validationError = 'Encrypted config unsupported';
           error.validationMessage = `This config contains an encrypted object at location \`$.${key}\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \`privateKey\` in Global Configuration.`;
+          if (process.env.MEND_HOSTED === 'true') {
+            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).
+Please migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/
+
+Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;
+          }
           throw error;
         } else {
           logger.error('Found encrypted data but no privateKey');

lib/config/options/index.ts

@@ -516,7 +516,7 @@ const options: RenovateOptions[] = [
     description:
       'Change this value to override the default Renovate sidecar image.',
     type: 'string',
-    default: 'ghcr.io/containerbase/sidecar:13.5.6',
+    default: 'ghcr.io/containerbase/sidecar:13.5.8',
     globalOnly: true,
   },
   {

lib/config/presets/internal/global.ts

@@ -4,7 +4,7 @@ import type { Preset } from '../types';
 
 export const presets: Record<string, Preset> = {
   safeEnv: {
-    allowedEnv: ['GO*'],
+    allowedEnv: ['GO*', 'RUSTC_BOOTSTRAP'],
     description:
       'Hopefully safe environment variables to allow users to configure.',
   },

lib/config/presets/internal/group.ts

@@ -451,7 +451,11 @@ const staticGroups = {
     packageRules: [
       {
         groupName: 'react monorepo',
-        matchPackageNames: ['@types/react', '@types/react-dom'],
+        matchPackageNames: [
+          '@types/react',
+          '@types/react-dom',
+          '@types/react-is',
+        ],
       },
     ],
   },

lib/data/monorepo.json

@@ -55,6 +55,7 @@
       "https://github.com/awslabs/aws-sdk-rust"
     ],
     "awsappsync": "https://github.com/awslabs/aws-mobile-appsync-sdk-js",
+    "axum": "https://github.com/tokio-rs/axum",
     "azure-functions-dotnet-worker": "https://github.com/Azure/azure-functions-dotnet-worker",
     "azure azure-libraries-for-net": "https://github.com/Azure/azure-libraries-for-net",
     "azure azure-sdk-for-net": "https://github.com/Azure/azure-sdk-for-net",

lib/modules/manager/github-actions/extract.ts

@@ -10,7 +10,11 @@ import { GithubRunnersDatasource } from '../../datasource/github-runners';
 import { GithubTagsDatasource } from '../../datasource/github-tags';
 import * as dockerVersioning from '../../versioning/docker';
 import { getDep } from '../dockerfile/extract';
-import type { PackageDependency, PackageFileContent } from '../types';
+import type {
+  ExtractConfig,
+  PackageDependency,
+  PackageFileContent,
+} from '../types';
 import type { Workflow } from './types';
 
 const dockerActionRe = regEx(/^\s+uses\s*: ['"]?docker:\/\/([^'"]+)\s*$/);
@@ -44,7 +48,10 @@ function detectCustomGitHubRegistryUrlsForActions(): PackageDependency {
   return {};
 }
 
-function extractWithRegex(content: string): PackageDependency[] {
+function extractWithRegex(
+  content: string,
+  config: ExtractConfig,
+): PackageDependency[] {
   const customRegistryUrlsPackageDependency =
     detectCustomGitHubRegistryUrlsForActions();
   logger.trace('github-actions.extractWithRegex()');
@@ -57,7 +64,7 @@ function extractWithRegex(content: string): PackageDependency[] {
     const dockerMatch = dockerActionRe.exec(line);
     if (dockerMatch) {
       const [, currentFrom] = dockerMatch;
-      const dep = getDep(currentFrom);
+      const dep = getDep(currentFrom, true, config.registryAliases);
       dep.depType = 'docker';
       deps.push(dep);
       continue;
@@ -126,11 +133,14 @@ function detectDatasource(registryUrl: string): PackageDependency {
   };
 }
 
-function extractContainer(container: unknown): PackageDependency | undefined {
+function extractContainer(
+  container: unknown,
+  registryAliases: Record<string, string> | undefined,
+): PackageDependency | undefined {
   if (is.string(container)) {
-    return getDep(container);
+    return getDep(container, true, registryAliases);
   } else if (is.plainObject(container) && is.string(container.image)) {
-    return getDep(container.image);
+    return getDep(container.image, true, registryAliases);
   }
   return undefined;
 }
@@ -181,6 +191,7 @@ function extractRunners(runner: unknown): PackageDependency[] {
 function extractWithYAMLParser(
   content: string,
   packageFile: string,
+  config: ExtractConfig,
 ): PackageDependency[] {
   logger.trace('github-actions.extractWithYAMLParser()');
   const deps: PackageDependency[] = [];
@@ -198,14 +209,14 @@ function extractWithYAMLParser(
   }
 
   for (const job of Object.values(pkg?.jobs ?? {})) {
-    const dep = extractContainer(job?.container);
+    const dep = extractContainer(job?.container, config.registryAliases);
     if (dep) {
       dep.depType = 'container';
       deps.push(dep);
     }
 
     for (const service of Object.values(job?.services ?? {})) {
-      const dep = extractContainer(service);
+      const dep = extractContainer(service, config.registryAliases);
       if (dep) {
         dep.depType = 'service';
         deps.push(dep);
@@ -221,11 +232,12 @@ function extractWithYAMLParser(
 export function extractPackageFile(
   content: string,
   packageFile: string,
+  config: ExtractConfig = {}, // TODO: enforce ExtractConfig
 ): PackageFileContent | null {
   logger.trace(`github-actions.extractPackageFile(${packageFile})`);
   const deps = [
-    ...extractWithRegex(content),
-    ...extractWithYAMLParser(content, packageFile),
+    ...extractWithRegex(content, config),
+    ...extractWithYAMLParser(content, packageFile, config),
   ];
   if (!deps.length) {
     return null;

lib/modules/manager/gradle/parser.spec.ts

@@ -759,12 +759,13 @@ describe('modules/manager/gradle/parser', () => {
 
   describe('heuristic dependency matching', () => {
     it.each`
-      input                                  | output
-      ${'("foo", "bar", "1.2.3")'}           | ${{ depName: 'foo:bar', currentValue: '1.2.3' }}
-      ${'("foo", "bar", "1.2.3", "4.5.6")'}  | ${null}
-      ${'(["foo", "bar", "1.2.3"])'}         | ${null}
-      ${'someMethod("foo", "bar", "1.2.3")'} | ${{ depName: 'foo:bar', currentValue: '1.2.3' }}
-      ${'listOf("foo", "bar", "baz")'}       | ${null}
+      input                                                                    | output
+      ${'("foo", "bar", "1.2.3")'}                                             | ${{ depName: 'foo:bar', currentValue: '1.2.3' }}
+      ${'("foo", "bar", "1.2.3", "4.5.6")'}                                    | ${null}
+      ${'(["foo", "bar", "1.2.3"])'}                                           | ${null}
+      ${'someMethod("foo", "bar", "1.2.3")'}                                   | ${{ depName: 'foo:bar', currentValue: '1.2.3' }}
+      ${'listOf("foo", "bar", "baz")'}                                         | ${null}
+      ${'java { registerFeature(foo) { capability("foo", "bar", "1.2.3") } }'} | ${null}
     `('$input', ({ input, output }) => {
       const { deps } = parseGradle(input);
       expect(deps).toMatchObject([output].filter(is.truthy));

lib/modules/manager/gradle/parser/dependencies.ts

@@ -4,6 +4,7 @@ import type { Ctx } from '../types';
 import {
   GRADLE_PLUGINS,
   cleanupTempVars,
+  qDotOrBraceExpr,
   qTemplateString,
   qValueMatcher,
   storeInTokenMap,
@@ -204,4 +205,6 @@ export const qDependencies = q.alt(
   qKotlinShortNotationDependencies,
   qKotlinMapNotationDependencies,
   qImplicitGradlePlugin,
+  // avoid heuristic matching of gradle feature variant capabilities
+  qDotOrBraceExpr('java', q.sym<Ctx>('registerFeature').tree()),
 );

lib/modules/manager/pep621/utils.spec.ts

@@ -4,17 +4,18 @@ import { parsePEP508 } from './utils';
 describe('modules/manager/pep621/utils', () => {
   describe('parsePEP508()', () => {
     it.each`
-      value                                                        | success  | packageName            | currentValue       | extras              | marker
-      ${''}                                                        | ${false} | ${undefined}           | ${undefined}       | ${undefined}        | ${undefined}
-      ${undefined}                                                 | ${false} | ${undefined}           | ${undefined}       | ${undefined}        | ${undefined}
-      ${null}                                                      | ${false} | ${undefined}           | ${undefined}       | ${undefined}        | ${undefined}
-      ${'blinker'}                                                 | ${true}  | ${'blinker'}           | ${undefined}       | ${undefined}        | ${undefined}
-      ${'packaging==20.0.0'}                                       | ${true}  | ${'packaging'}         | ${'==20.0.0'}      | ${undefined}        | ${undefined}
-      ${'packaging>=20.9,!=22.0'}                                  | ${true}  | ${'packaging'}         | ${'>=20.9,!=22.0'} | ${undefined}        | ${undefined}
-      ${'cachecontrol[filecache]>=0.12.11'}                        | ${true}  | ${'cachecontrol'}      | ${'>=0.12.11'}     | ${['filecache']}    | ${undefined}
-      ${'tomli>=1.1.0; python_version < "3.11"'}                   | ${true}  | ${'tomli'}             | ${'>=1.1.0'}       | ${undefined}        | ${'python_version < "3.11"'}
-      ${'typing-extensions; python_version < "3.8"'}               | ${true}  | ${'typing-extensions'} | ${undefined}       | ${undefined}        | ${'python_version < "3.8"'}
-      ${'typing-extensions[test-feature]; python_version < "3.8"'} | ${true}  | ${'typing-extensions'} | ${undefined}       | ${['test-feature']} | ${'python_version < "3.8"'}
+      value                                                        | success  | packageName            | currentValue       | extras                  | marker
+      ${''}                                                        | ${false} | ${undefined}           | ${undefined}       | ${undefined}            | ${undefined}
+      ${undefined}                                                 | ${false} | ${undefined}           | ${undefined}       | ${undefined}            | ${undefined}
+      ${null}                                                      | ${false} | ${undefined}           | ${undefined}       | ${undefined}            | ${undefined}
+      ${'blinker'}                                                 | ${true}  | ${'blinker'}           | ${undefined}       | ${undefined}            | ${undefined}
+      ${'packaging==20.0.0'}                                       | ${true}  | ${'packaging'}         | ${'==20.0.0'}      | ${undefined}            | ${undefined}
+      ${'packaging>=20.9,!=22.0'}                                  | ${true}  | ${'packaging'}         | ${'>=20.9,!=22.0'} | ${undefined}            | ${undefined}
+      ${'cachecontrol[filecache]>=0.12.11'}                        | ${true}  | ${'cachecontrol'}      | ${'>=0.12.11'}     | ${['filecache']}        | ${undefined}
+      ${'private-depB[extra1, extra2]~=2.4'}                       | ${true}  | ${'private-depB'}      | ${'~=2.4'}         | ${['extra1', 'extra2']} | ${undefined}
+      ${'tomli>=1.1.0; python_version < "3.11"'}                   | ${true}  | ${'tomli'}             | ${'>=1.1.0'}       | ${undefined}            | ${'python_version < "3.11"'}
+      ${'typing-extensions; python_version < "3.8"'}               | ${true}  | ${'typing-extensions'} | ${undefined}       | ${undefined}            | ${'python_version < "3.8"'}
+      ${'typing-extensions[test-feature]; python_version < "3.8"'} | ${true}  | ${'typing-extensions'} | ${undefined}       | ${['test-feature']}     | ${'python_version < "3.8"'}
     `(
       '(parse $value"',
       ({ value, success, packageName, currentValue, extras, marker }) => {

lib/modules/manager/pep621/utils.ts

@@ -10,7 +10,7 @@ import { PyProjectSchema } from './schema';
 import type { Pep508ParseResult, Pep621ManagerData } from './types';
 
 const pep508Regex = regEx(
-  /^(?<packageName>[A-Z0-9._-]+)\s*(\[(?<extras>[A-Z0-9,._-]+)\])?\s*(?<currentValue>[^;]+)?(;\s*(?<marker>.*))?/i,
+  /^(?<packageName>[A-Z0-9._-]+)\s*(\[(?<extras>[A-Z0-9\s,._-]+)\])?\s*(?<currentValue>[^;]+)?(;\s*(?<marker>.*))?/i,
 );
 
 export const depTypes = {
@@ -49,7 +49,8 @@ export function parsePEP508(
     result.marker = regExpExec.groups.marker;
   }
   if (is.nonEmptyString(regExpExec.groups.extras)) {
-    result.extras = regExpExec.groups.extras.split(',');
+    // trim to remove allowed whitespace between brackets
+    result.extras = regExpExec.groups.extras.split(',').map((e) => e.trim());
   }
 
   return result;

lib/modules/platform/bitbucket/pr-cache.spec.ts

@@ -166,8 +166,8 @@ describe('modules/platform/bitbucket/pr-cache', () => {
     );
 
     expect(res).toMatchObject([
-      { number: 1, title: 'title' },
       { number: 2, title: 'title' },
+      { number: 1, title: 'title' },
     ]);
     expect(cache).toEqual({
       httpCache: {},