Merge branch 'main' into fix-submodules

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.0.14
+FROM ghcr.io/containerbase/devcontainer:13.0.22

.github/workflows/build.yml

@@ -31,12 +31,13 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 22
-  PDM_VERSION: 2.20.1 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.21.0 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
     .github/actions/
     data/
+    patches/
     tools/
     package.json
     pnpm-lock.yaml
@@ -303,7 +304,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Lint markdown
-        uses: DavidAnson/markdownlint-cli2-action@db43aef879112c3119a410d69f66701e0d530809 # v17.0.0
+        uses: DavidAnson/markdownlint-cli2-action@eb5ca3ab411449c66620fe7f1b3c9e10547144b0 # v18.0.0
 
       - name: Lint fenced code blocks
         run: pnpm doc-fence-check
@@ -437,7 +438,7 @@ jobs:
           merge-multiple: true
 
       - name: Codecov
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: coverage/lcov
@@ -591,7 +592,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Setup PDM
-        uses: pdm-project/setup-pdm@568ddd69406b30de1774ec0044b73ae06e716aa4 # v4.1
+        uses: pdm-project/setup-pdm@b2472ca4258a9ea3aee813980a0100a2261a42fc # v4.2
         with:
           python-version-file: .python-version
           version: ${{ env.PDM_VERSION }}
@@ -683,7 +684,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@72750e92d57f4ec2412af2f4f63f57eafa626bb4 # v3.4.42
+        uses: containerbase/internal-tools@e386c8e7bd305d803e0874abccbe153ec1d33a6d # v3.5.2
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5

.github/workflows/dependency-review.yml

@@ -14,4 +14,4 @@ jobs:
           show-progress: false
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/mend-slack.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Post to Slack
         id: slack
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
         with:
           channel-id: 'C05NLTMGCJC'
           # For posting a simple plain text message

.github/workflows/scorecard.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -25,13 +25,13 @@ jobs:
         with:
           show-progress: false
 
-      - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+      - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

docs/usage/config-presets.md

@@ -176,7 +176,7 @@ To host your preset config on GitHub:
 
 - Create a new repository. Normally you'd call it `renovate-config` but it can be named anything
 - Add configuration files to this new repo for any presets you want to share. For the default preset, `default.json` will be checked. For named presets, `<preset-name>.json` will be loaded. For example, loading preset `library` would load `library.json`. No other files are necessary.
-- In other repos, reference it in an extends array like "github>owner/name", for example:
+- In other repos, reference it in an extends array like `"github>owner/name"`, for example:
 
   ```json
   {
@@ -195,7 +195,7 @@ To host your preset config on GitLab:
 
 - Create a new repository on GitLab. Normally you'd call it `renovate-config` but it can be named anything
 - Add a `default.json` to this new repo containing the preset config. No other files are necessary
-- In other repos, reference it in an extends array like "gitlab>owner/name", e.g. "gitlab>rarkins/renovate-config"
+- In other repos, reference it in an extends array like `"gitlab>owner/name"`, e.g. `"gitlab>rarkins/renovate-config"`
 
 ## Gitea-hosted Presets
 

docs/usage/configuration-options.md

@@ -122,7 +122,7 @@ If enabled Renovate tries to determine PR assignees by matching rules defined in
 Read the docs for your platform for details on syntax and allowed file locations:
 
 - [GitHub Docs, About code owners](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
-- [GitLab, Code Owners](https://docs.gitlab.com/ee/user/project/code_owners.html)
+- [GitLab, Code Owners](https://docs.gitlab.com/ee/user/project/codeowners/)
 - [Bitbucket, Set up and use code owners](https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-use-code-owners/)
 
 ## assigneesSampleSize
@@ -2463,8 +2463,9 @@ Here's an example config to limit the "noisy" `aws-sdk` package to weekly update
 {
   "packageRules": [
     {
+      "description": "Schedule aws-sdk updates on Sunday nights (9 PM - 12 AM)",
       "matchPackageNames": ["aws-sdk"],
-      "schedule": ["after 9pm on sunday"]
+      "schedule": ["* 21-23 * * 0"]
     }
   ]
 }
@@ -3836,12 +3837,14 @@ Here are some example schedules and their Cron equivalent:
 <!-- prettier-ignore -->
 !!! note
     For Cron schedules, you _must_ use the `*` wildcard for the minutes value, as Renovate doesn't support minute granularity.
+    And the cron schedule must have five comma separated parts.
 
 One example might be that you don't want Renovate to run during your typical business hours, so that your build machines don't get clogged up testing `package.json` updates.
 You could then configure a schedule like this at the repository level:
 
 ```json
 {
+  "description": "Schedule on weekdays at night (10 PM - 4 AM) and anytime on weekends",
   "schedule": ["* 22-23,0-4 * * *", "* * * * 0,6"]
 }
 ```

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/github-action@v40.3.6
+  uses: renovatebot/github-action@v41.0.4
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:38.142.5
+FROM renovate/renovate:39.28.0
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -19,7 +19,7 @@ services:
       - '4317'
 
   otel-collector:
-    image: otel/opentelemetry-collector-contrib:0.113.0
+    image: otel/opentelemetry-collector-contrib:0.114.0
     command: ['--config=/etc/otel-collector-config.yml']
     volumes:
       - ./otel-collector-config.yml:/etc/otel-collector-config.yml

docs/usage/examples/self-hosting.md

@@ -24,9 +24,9 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
-docker run --rm renovate/renovate:38
-docker run --rm renovate/renovate:38.142
-docker run --rm renovate/renovate:38.142.5
+docker run --rm renovate/renovate:39
+docker run --rm renovate/renovate:39.28
+docker run --rm renovate/renovate:39.28.0
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:38.142.5
+              image: renovate/renovate:39.28.0
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:38.142.5
+            - image: renovate/renovate:39.28.0
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:38.142.5
+              image: renovate/renovate:39.28.0
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/faq.md

@@ -51,7 +51,7 @@ Follow these steps to see which version the Mend Renovate app is on:
    ```
    INFO: Repository started
    {
-     "renovateVersion": "38.120.1"
+     "renovateVersion": "39.11.5"
    }
    ```
 

docs/usage/getting-started/private-packages.md

@@ -611,7 +611,7 @@ If you need to provide credentials to the Mend Renovate App, please do this:
    }
    ```
 
-For more details, see [Using Secrets with Mend Cloud Apps](../mend-hosted/app-secrets.md).
+For more details, see [Using Secrets with Mend Cloud Apps](../mend-hosted/credentials.md).
 
 ### Access to GitHub Actions Secrets
 

docs/usage/golang.md

@@ -67,16 +67,16 @@ By default, Renovate will keep up with the latest version of the `go` binary.
 
 You can force Renovate to use a specific version of Go by setting a constraint.
 
-```json title="Getting Renovate to use the latest patch version of the 1.16 Go binary"
+```json title="Getting Renovate to use the latest patch version of the 1.23 Go binary"
 {
   "constraints": {
-    "go": "1.16"
+    "go": "1.23"
   }
 }
 ```
 
 We do not support patch level versions for the minimum `go` version.
-This means you cannot use `go 1.16.6`, but you can use `go 1.16` as a constraint.
+This means you cannot use `go 1.23.3`, but you can use `go 1.23` as a constraint.
 
 ### Custom registry support, and authentication
 

docs/usage/key-concepts/scheduling.md

@@ -93,17 +93,15 @@ Some config examples:
 
 ```json title="Renovate should run each day before 4 am"
 {
-  "schedule": ["before 4am"]
+  "description": "Schedule daily before 4 AM",
+  "schedule": ["* 0-3 * * *"]
 }
 ```
 
 ```json title="Renovate should run outside of common office hours"
 {
-  "schedule": [
-    "after 10pm every weekday",
-    "before 5am every weekday",
-    "every weekend"
-  ]
+  "description": "Schedule during typical non-office hours on weekdays (i.e., 10 PM - 5 AM) and anytime on weekends",
+  "schedule": ["* 0-4,22-23 * * 1-5", "* * * * 0,6"]
 }
 ```
 
@@ -121,8 +119,9 @@ The scheduling feature can be very useful for "noisy" packages that are updated
 {
   "packageRules": [
     {
+      "description": "Schedule aws-sdk updates on Sunday nights (9 PM - 12 AM)",
       "matchPackageNames": ["aws-sdk"],
-      "schedule": ["after 9pm on sunday"]
+      "schedule": ["* 21-23 * * 0"]
     }
   ]
 }

docs/usage/mend-hosted/.pages

@@ -1,5 +1,5 @@
 title: Mend-hosted Apps
 nav:
   - 'Configuration': 'hosted-apps-config.md'
-  - 'App Secrets': 'app-secrets.md'
+  - 'Credentials': 'credentials.md'
   - 'Migrating Secrets': 'migrating-secrets.md'

docs/usage/mend-hosted/app-secrets.md → docs/usage/mend-hosted/credentials.md

@@ -31,6 +31,7 @@ To add a secret for the Mend cloud app:
    ![Credentials settings page](../assets/images/app-settings/app-credentials.png)
 
 4. Reference the secret from Renovate config files inside the repo.
+   Alternatively, you can use the Host Rules UI (see below).
 
    ```json
    {
@@ -43,6 +44,21 @@ To add a secret for the Mend cloud app:
    }
    ```
 
+### Adding a host rule through the UI
+
+You can centrally add/configure Host Rules through the Mend UI as an alternative to including them in Renovate presets.
+
+1. Open the _Credentials_ section of the settings page for the relevant Org or Repo.
+2. Select `ADD HOST RULE` to open the "Add a Host Rule" dialog box.
+
+   ![Add Host Rule](../assets/images/app-settings/add-host-rule.png)
+
+3. Fill out the details for your host rule.
+
+   As an example, if you are a Bitbucket or Azure DevOps user, and you want to specify a github.com token to fetch release notes and enable github-based datasources, you could create a host rule like this:
+
+   ![Host Rules dialog box](../assets/images/app-settings/host-rules.png)
+
 ## Organization secrets vs repository secrets
 
 ### Secret scope

docs/usage/mend-hosted/migrating-secrets.md

@@ -1,6 +1,6 @@
 # Migrating Secrets from Repo Config to App Settings
 
-On 01-Oct-2024 the Mend Renovate cloud apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
+Use of encrypted secrets in the Mend Renovate cloud apps has been deprecated and soon the apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
 Previously, you could encrypt a secret with the [Renovate encryption tool](https://app.renovatebot.com/encrypt) and then put it in your Renovate config file.
 
 Going forward, all secrets must be stored in the App settings on the cloud.
@@ -102,4 +102,4 @@ If you were expecting to import a secret originally encrypted by Renovate:
 
 ## Related links
 
-- [Using Secrets with Mend Cloud Apps](app-secrets.md)
+- [Using Secrets with Mend Cloud Apps](credentials.md)

docs/usage/noise-reduction.md

@@ -91,9 +91,10 @@ You don't want to get too far behind, so how about we update `eslint` packages o
 {
   "packageRules": [
     {
+      "description": "Schedule updates on first day of each month",
       "matchPackageNames": ["/eslint/"],
       "groupName": "eslint",
-      "schedule": ["on the first day of the month"]
+      "schedule": ["* * 1 * *"]
     }
   ]
 }
@@ -105,9 +106,10 @@ Or perhaps at least weekly:
 {
   "packageRules": [
     {
+      "description": "Schedule updates on Monday mornings(before 4 AM)",
       "matchPackageNames": ["/eslint/"],
       "groupName": "eslint",
-      "schedule": ["before 4am on monday"]
+      "schedule": ["* 0-3 * * 1"]
     }
   ]
 }
@@ -165,9 +167,10 @@ Let's automerge it if all the linting updates pass:
 {
   "packageRules": [
     {
+      "description": "Schedule updates on Monday mornings(before 4 AM)",
       "matchPackageNames": ["/eslint/"],
       "groupName": "eslint",
-      "schedule": ["before 4am on monday"],
+      "schedule": ["* 0-3 * * 1"],
       "automerge": true,
       "automergeType": "branch"
     }