zeph 0.21.2

name: Renovate

on:
  schedule:
    - cron: "0 6 * * 1"
  workflow_dispatch:
    inputs:
      logLevel:
        description: "Renovate log level"
        required: false
        default: "info"
        type: choice
        options:
          - info
          - debug
      dryRun:
        description: "Dry run mode"
        required: false
        default: "disabled"
        type: choice
        options:
          - disabled
          - extract
          - lookup
          - full
  push:
    branches: [main]
    paths: [".github/renovate.json"]
  pull_request:
    paths: [".github/renovate.json", ".github/workflows/renovate.yml"]

# The workflow itself only needs read access. RENOVATE_TOKEN (PAT with repo+workflow
# scopes) provides write access for branch creation and PR management.
permissions:
  contents: read

jobs:
  validate-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: "24.15.0"

      - name: Validate Renovate config
        run: |
          npx --yes --package=renovate@43 -- \
            renovate-config-validator --strict --no-global .github/renovate.json

  renovate:
    needs: validate-config
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - uses: renovatebot/github-action@79dc0ba74dc3de28db0a7aeb1d0b95d5bf5fde2a # v46.1.13
        env:
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
          RENOVATE_DRY_RUN: ${{ inputs.dryRun == 'disabled' && 'null' || inputs.dryRun }}
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}
          configurationFile: .github/renovate.json