From 84ede35c242bc28f13eb311c5e837f49f7251d07 Mon Sep 17 00:00:00 2001
From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com>
Date: Fri, 1 May 2026 06:38:32 +0000
Subject: [PATCH] feat(renovate): add merge: manual label rules

Label major updates and non-github-actions 0.x minor/patch as
'merge: manual' so PRs not covered by autoMerge.json5 are visibly
flagged for human review.
---
 .renovate/labels.json5 | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/.renovate/labels.json5 b/.renovate/labels.json5
index 1ff399e..552d669 100644
--- a/.renovate/labels.json5
+++ b/.renovate/labels.json5
@@ -44,17 +44,30 @@
       addLabels: ["merge: auto"],
     },
     {
-      description: "Label trusted GitHub Actions auto-merge PRs (including 0.x)",
+      description: "Label all GitHub Actions minor/patch/pinDigest as auto-merge (covered by autoMerge.json5 regardless of 0.x)",
       matchManagers: ["github-actions"],
-      matchPackageNames: ["/^actions\\//", "/^docker\\//", "/^github\\//"],
-      matchUpdateTypes: ["minor", "patch"],
+      matchUpdateTypes: ["pinDigest", "minor", "patch"],
       addLabels: ["merge: auto"],
     },
     {
-      description: "Label GitHub Actions pinDigest PRs (auto-merged via SHA pinning)",
+      description: "Label major updates as requiring manual review/merge",
+      matchUpdateTypes: ["major"],
+      addLabels: ["merge: manual"],
+    },
+    {
+      description: "Label non-github-actions 0.x minor/patch as manual (breaking changes possible, not auto-merged)",
+      matchManagers: ["bundler", "cargo", "composer", "docker-compose", "dockerfile", "gomod", "gradle", "helm-values", "helmv3", "kubernetes", "maven", "mise", "npm", "nuget", "pip-compile", "pip_requirements", "pipenv", "poetry", "pre-commit", "setup-cfg", "terraform"],
+      matchUpdateTypes: ["minor", "patch"],
+      matchCurrentVersion: "/^0\\./",
+      addLabels: ["merge: manual"],
+    },
+    {
+      description: "Label non-trusted GitHub Actions 0.x minor/patch as manual (trusted ones are auto-merged)",
       matchManagers: ["github-actions"],
-      matchUpdateTypes: ["pinDigest"],
-      addLabels: ["merge: auto"],
+      matchPackageNames: ["!/^actions\\//", "!/^docker\\//", "!/^github\\//"],
+      matchUpdateTypes: ["minor", "patch"],
+      matchCurrentVersion: "/^0\\./",
+      addLabels: ["merge: manual"],
     },
   ],
 }