Fix renovate-nix.json5 preset and validate presets in CI #948

Merged
phisco merged 1 commit into crossplane:main from phisco:fix/renovate-nix-preset-syntax
Apr 15, 2026

@phisco phisco commented Apr 15, 2026

Description of your changes

The renovate-nix.json5 preset had a stray single quote inside two matchBaseBranches regex strings: '/'^release-2\.([2-9]|..+)$/'. That extra quote terminated the JSON5 string early and made the preset unparseable, so every Renovate run fails during preset resolution with:

ERROR: config-presets-invalid
  "validationError": "Preset is invalid JSON (local>crossplane/crossplane-runtime//.github/renovate-nix.json5)"
FATAL: Unknown error

See run https://github.com/crossplane/crossplane-runtime/actions/runs/24445182474/job/71419602985.

Because preset resolution happens before any package is evaluated, Renovate has been unable to open, rebase, or close any PRs since the preset was introduced in f1a70c6 ("renovate: Use nix for v2.2 and newer release branches"). Fixing the string to '/^release-2\.([2-9]|..+)$/' restores the intended regex and matches the equivalent pattern in crossplane/crossplane's config.

The typo only exists on main; the release-2.2 copy of this preset does not yet have the release-branch regex, so no backport is needed.

Why CI didn't catch it

The existing renovate-config-validator pre-step has two gaps:

  1. It only validates the top-level .github/renovate.json5 and does not recursively resolve local> presets, so JSON5 syntax errors in renovate-nix.json5, renovate-earthly.json5, or renovate-base.json5 are invisible to it.
  2. It only runs inside the scheduled Renovate workflow, so a broken preset lands in main and is only caught 24h later by the cron.

This PR closes both gaps by adding a json5 CLI syntax check for every .github/renovate*.json5:

  • In renovate.yml before starting the Renovate job, so the scheduled run fails fast instead of going through Docker pull + Earthly/Nix bootstrap only to die in preset resolution.
  • In a new validate-renovate-config job in ci.yml, so preset parse errors are blocked at PR review time.

I reintroduced the typo locally to confirm the new json5 step exits non-zero on the broken file, and confirmed it exits zero after the fix.

The same gaps exist in crossplane/crossplane; I can follow up with an equivalent PR there if this approach looks right.

The matchBaseBranches entries in renovate-nix.json5 contained a stray
single quote inside the regex string ('/'^release-2\.([2-9]|..+)$/'),
which made the JSON5 preset unparseable. As a result every Renovate
run fails during preset resolution with:

  ERROR: config-presets-invalid
    "validationError": "Preset is invalid JSON (local>crossplane/
    crossplane-runtime//.github/renovate-nix.json5)"
  FATAL: Unknown error

Because preset resolution happens before any packages are evaluated,
Renovate has been unable to open, rebase, or close any PRs since the
preset was introduced in f1a70c6 ("renovate: Use nix for v2.2 and
newer release branches").

The typo slipped through the existing renovate-config-validator step
for two reasons: it only validates the top-level .github/renovate.json5
and doesn't recursively resolve local> presets, and it only runs in
the scheduled Renovate workflow rather than on pull requests.

This commit:

  - Fixes the regex to parse as a single string, matching the
    equivalent pattern in crossplane/crossplane.
  - Adds a json5 CLI syntax check for every .github/renovate*.json5
    alongside renovate-config-validator, both in the Renovate workflow
    (to fail fast on the scheduled run) and in a new
    validate-renovate-config job in ci.yml (to catch preset parse
    errors at PR review time).

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
@phisco phisco requested a review from a team as a code owner April 15, 2026 09:03
@phisco phisco requested a review from negz April 15, 2026 09:03
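
The per-file syntax check described in the PR, sketched as a shell function. This is an added example, not the workflow code from the PR (the diff is not shown on this page); it assumes the npm json5 CLI is on PATH, and the function name and the JSON5_VALIDATE override are hypothetical.

```shell
#!/bin/sh
# Added example: syntax-check every Renovate preset in a directory.
# Assumption: the npm "json5" CLI is installed. JSON5_VALIDATE is a
# hypothetical override for swapping in another parser or a test stub.

# The body runs in a subshell, so its variables do not leak to the caller.
validate_renovate_presets() (
  dir=${1:-.github}
  validator=${JSON5_VALIDATE:-json5 --validate}
  checked=0
  failed=0

  for file in "$dir"/renovate*.json5; do
    # An unmatched glob stays literal; skip it so the empty case is caught below.
    [ -e "$file" ] || continue
    checked=$((checked + 1))
    # $validator is left unquoted so "json5 --validate" splits into command + flag.
    if $validator "$file" >/dev/null 2>&1; then
      echo "ok      $file"
    else
      echo "INVALID $file" >&2
      failed=$((failed + 1))
    fi
  done

  # Passing on zero files would hide a renamed or moved config directory.
  if [ "$checked" -eq 0 ]; then
    echo "no renovate*.json5 files found in $dir" >&2
    exit 2
  fi

  # Every broken preset has been reported by now; fail the job if any exist.
  [ "$failed" -eq 0 ]
)
```

Calling `validate_renovate_presets .github` from a workflow step fails the job with status 1 when any preset does not parse and status 2 when the glob matches nothing.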

coderabbitai Bot commented Apr 15, 2026

Walkthrough

Two GitHub Actions workflows receive updates to strengthen Renovate configuration validation. A new job is added to ci.yml to validate Renovate config files during CI runs, while renovate.yml receives an additional syntax-checking step and a formatting adjustment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Renovate Configuration Validation: .github/workflows/ci.yml, .github/workflows/renovate.yml | Both workflows enhanced with Renovate configuration validation: ci.yml introduces a new validate-renovate-config job that checks JSON5 syntax for all .github/renovate*.json5 files and validates the configuration using renovate-config-validator. renovate.yml adds a parallel JSON5 syntax-checking step and tidies up formatting in the existing validation step. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main changes: fixing a renovate preset syntax error and adding validation checks in CI. |
| Description check | ✅ Passed | The description thoroughly explains the preset syntax error, why existing validation missed it, and how the PR addresses both gaps with json5 syntax checks. |
| Breaking Changes | ✅ Passed | No breaking changes detected in public Go code; only workflow and configuration files modified. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

47-54: Consider DRYing the shared validation block.

The same preset-syntax + validator snippet now exists in both workflow files. Would you be open to moving it into a shared script or reusable workflow to prevent drift over time?

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 47 - 54, The CI contains duplicated
steps "Validate Renovate preset syntax" and "Validate Renovate JSON" across
workflows; extract these into a single reusable unit by moving the two commands
(the json5 loop and the renovate-config-validator run) into either a shell
script (e.g., scripts/validate-renovate.sh) invoked from both workflows or into
a GitHub reusable workflow that exposes a job (e.g., reusable workflow name
"validate-renovate") and then replace the duplicated steps in each CI file with
a single call to that script or the reusable workflow; ensure the new
script/workflow preserves the exact commands and exit behavior and update both
workflow files to call the shared entry point ("Validate Renovate preset syntax"
/ "Validate Renovate JSON") to avoid drift.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 97aa7972-ec0b-40b5-af6f-747f34c1263d

📥 Commits

Reviewing files that changed from the base of the PR and between f32a0ba and 08a6b81.

⛔ Files ignored due to path filters (1)
  • .github/renovate-nix.json5 is excluded by none and included by none
📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/renovate.yml

@phisco phisco merged commit 12b7bdb into crossplane:main Apr 15, 2026
10 of 11 checks passed