Renovate #36

	name: Renovate

	on:
	workflow_dispatch:
	schedule:
	- cron: '0 4 * * 1' # 04:00 UTC every Monday (before 6am schedule window)

	permissions:
	contents: write
	pull-requests: write
	issues: write
	# actions: read (implicit)

	concurrency:
	group: renovate
	cancel-in-progress: false

	jobs:
	renovate:
	name: Run Renovate
	runs-on: ubuntu-latest
	env:
	LOG_LEVEL: info
	RENOVATE_CONFIG_FILE: renovate.json
	steps:
	- name: Verify RENOVATE_TOKEN secret
	run: \|
	if [ -z "${{ secrets.RENOVATE_TOKEN }}" ]; then
	echo "ERROR: RENOVATE_TOKEN secret is not set."
	echo "Create a classic Personal Access Token with at least 'repo' scope (and 'workflow' if you want github-actions manager) and add it as repository secret RENOVATE_TOKEN." \
	"Do NOT rely on GITHUB_TOKEN as Renovate requires a PAT for proper PR/workflow triggering.";
	exit 1
	fi
	- name: Checkout
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

	- name: Self-hosted Renovate
	uses: renovatebot/github-action@03026bd55840025343414baec5d9337c5f9c7ea7 # v44.0.4
	with:
	configurationFile: renovate.json
	token: ${{ secrets.RENOVATE_TOKEN }}
	env:
	RENOVATE_REPOSITORIES: ${{ github.repository }}
	# Limit concurrency to avoid rate spikes
	RENOVATE_PR_HOURLY_LIMIT: 2
	RENOVATE_PR_CONCURRENT_LIMIT: 10

Provide feedback