From 093f4251bab07780a559290988c7992c2d7b05ad Mon Sep 17 00:00:00 2001
From: Johannes Zorn
Date: Wed, 8 Apr 2026 15:45:28 +0200
Subject: [PATCH] build: Decrease renovate noise

Currently, renovate aggressively creates MRs in our repos, potentially pulling malicious dependencies from open source componentes before they may be spottet by the community (supply chain attacks). Furthermore, they are causing a lot of noise in our inboxes. This change introduces the following changes: * updates must be at least 2 weeks old * unless they fix a known vulnerability * pull requests are only opened once the change has passed the internal checks
---
 renovate.json | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/renovate.json b/renovate.json
index 61cb4263f..26a6ef1b3 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,10 +1,10 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "config:recommended"
- ],
+ "extends": ["config:recommended"],
 "timezone": "Europe/Berlin",
 "schedule": ["* 0-5 * * *"],
+ "minimumReleaseAge": "14 days",
+ "internalChecksFilter": "strict",
 "labels": [
 "bot",
 "renovate",
@@ -27,6 +27,13 @@
 "groupName": "GitHub Actions",
 "matchManagers": ["github-actions"],
 "separateMajorMinor": false
+ },
+ {
+ "matchVulnerabilities": true,
+ "minimumReleaseAge": null,
+ "schedule": ["at any time"],
+ "groupName": "security fixes",
+ "addLabels": ["security", "urgent"]
 }
 ]
-}
\ No newline at end of file
+}
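Review bot: The added `"minimumReleaseAge": "14 days"` in the first hunk only holds back updates whose datasource reports a release timestamp. Where no timestamp is available Renovate cannot evaluate the age, and depending on the Renovate version such updates may be proposed with no delay at all. Because the cooldown is meant as a supply-chain control, it is worth confirming how the managers used in this repo behave and, on Renovate versions that support it, setting `"minimumReleaseAgeBehaviour": "timestamp-required"` explicitly. The delay also covers only the updates Renovate itself proposes, so transitive versions picked up when a lock file is regenerated are presumably not held back by it.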
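Review bot: `"matchVulnerabilities": true` in the `packageRules` entry added by the second hunk is not a matcher I can find among Renovate's documented options. If it is unrecognised, the rule may be rejected by config validation or never match, which would leave security fixes behind the 14-day `minimumReleaseAge`. The documented place for this is the top-level `vulnerabilityAlerts` object, e.g. `"vulnerabilityAlerts": { "addLabels": ["security", "urgent"] }`, whose defaults, as far as I know, already lift the schedule and release-age limits. Please confirm against the Renovate version in use and run `renovate-config-validator` on the file. Also consider dropping `"groupName": "security fixes"`, since one grouped PR lets a single failing update hold back every other fix.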