
chore(renovate): refresh config with explicit grouping + soak rules#66

Merged
gofreight-jackyeh merged 1 commit into develop from chore/refresh-renovate-config on May 20, 2026

Conversation

@gofreight-jackyeh
Contributor

Summary

Switch renovate.json5 to an explicit, self-contained config. Resolves the `Cannot find preset's package` validation error that was blocking Renovate from opening PRs on this repo.

Same effective policy as before, just expressed locally:

  • SHA-pinned GitHub Actions with pinDigests: true
  • 3-day minimumReleaseAge soak on Python deps + GHA
  • OSV vulnerability alerts (security PRs never batched)
  • Per-ecosystem grouping (backend-non-major, gha-non-major)
  • Major updates isolated to one PR per dep (groupName: null)
  • Lockfile-maintenance bundled into one PR per cycle
  • prConcurrentLimit: 4 + prHourlyLimit: 4 + Monday-only schedule

File renamed renovate.json → renovate.json5 so override rationale can live as inline comments. Old file deleted in the same commit (renovate.json has higher Renovate lookup precedence).

No behaviour change for the deps Renovate would have opened anyway — this just makes the run actually succeed.

Test plan

  • renovate-config-validator --strict --no-global renovate.json5 passes locally (Node 24 + renovate@43, LOG_LEVEL=warn, exit 0)
  • CI pre-commit runs the same gate on PR + push

Post-merge verification

Will confirm after merge:

  • Renovate run on the default branch succeeds (no config-validation issue re-opened)
  • Renovate opens any pending grouped PR(s) — backend-non-major / gha-non-major

Switch `renovate.json5` to an explicit, self-contained config so the
Renovate run on this repo can resolve all its preset references.

Same effective policy as before, just expressed locally:

- SHA-pinned GitHub Actions with `pinDigests: true`
- 3-day `minimumReleaseAge` soak on Python deps + GHA
- OSV vulnerability alerts (security PRs never batched)
- Per-ecosystem grouping (`backend-non-major`, `gha-non-major`)
- Major updates isolated to one PR per dep (`groupName: null`)
- Lockfile-maintenance bundled into one PR per cycle
- `prConcurrentLimit: 4` + `prHourlyLimit: 4` + Monday-only schedule

File renamed `renovate.json` → `renovate.json5` so override rationale
can live as inline comments. The old file is deleted in this commit
(renovate.json has higher precedence than .json5 in Renovate's lookup).

Adds the `renovate-config-validator` pre-commit hook to
`.pre-commit-config.yaml` so config changes are gated by the existing
`pre-commit run` step in CI.
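As an added illustration of how the policy bullets in the description and commit message above map onto Renovate configuration keys (this is not the repository's actual renovate.json5, which the page does not reproduce): the schedule string, the `security` label and the exact update-type lists are assumptions; the rest follows the bullets directly.

```json5
{
  // Illustrative config assembled from the PR's stated policy; not the repo's own file.
  $schema: "https://docs.renovatebot.com/renovate-schema.json",

  // Pin third-party GitHub Actions to commit SHAs so a re-tagged release
  // cannot silently change what runs in CI.
  pinDigests: true,

  // Soak window: do not propose a version until it has been published for
  // 3 days, which leaves time for a malicious or broken release to be pulled.
  // (Assumption: set once at top level rather than per manager.)
  minimumReleaseAge: "3 days",

  // Pull advisory data from OSV in addition to GitHub's own alerts.
  osvVulnerabilityAlerts: true,
  // Security fixes always get their own PR (never grouped) and a label.
  vulnerabilityAlerts: {
    groupName: null,
    labels: ["security"], // assumed label name
  },

  // Volume controls: one wave of PRs per week, at most 4 open at once.
  schedule: ["before 6am on monday"], // assumed exact schedule string
  prConcurrentLimit: 4,
  prHourlyLimit: 4,

  // Lockfile refresh bundled into a single PR per cycle.
  lockFileMaintenance: {
    enabled: true,
    schedule: ["before 6am on monday"],
  },

  // Rules are applied in order; a later rule overrides an earlier one for
  // any dependency that matches both.
  packageRules: [
    {
      // Python deps from both pyproject [project] tables and requirements files.
      matchManagers: ["pep621", "pip_requirements"],
      matchUpdateTypes: ["minor", "patch", "pin", "digest"],
      groupName: "backend-non-major",
    },
    {
      matchManagers: ["github-actions"],
      matchUpdateTypes: ["minor", "patch", "pin", "digest", "pinDigest"],
      groupName: "gha-non-major",
    },
    {
      // Majors are isolated: one PR per dependency so a breaking change can be
      // reviewed and reverted on its own. null clears any group set above.
      matchUpdateTypes: ["major"],
      groupName: null,
    },
  ],
}
```

Because `packageRules` are evaluated top to bottom, the `groupName: null` rule for majors has to sit after the grouping rules or it would be overridden by them; the same ordering concern applies to `vulnerabilityAlerts`, which Renovate applies last so that a CVE fix is never folded into a grouped PR. A file like this is what the test plan's `renovate-config-validator --strict --no-global renovate.json5` gate checks: unknown keys or a malformed schedule string make it exit non-zero before the config ever reaches a Renovate run.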
@gofreight-jackyeh gofreight-jackyeh merged commit 49aaff2 into develop May 20, 2026
2 checks passed
@gofreight-jackyeh gofreight-jackyeh deleted the chore/refresh-renovate-config branch May 20, 2026 06:05
@gitvelocity-reviewer

Final Merge Review (Official Score)

This is the official score for PR #66, calculated on the final merged code.
Merge commit: 49aaff274978f5765a0ffef842ac87ecd527232d


Summary

This PR upgrades the Renovate dependency management configuration from a minimal renovate.json to a comprehensive renovate.json5 format. Key changes include:

  1. Migration from renovate.json → renovate.json5: Enables comments and richer configuration syntax
  2. Expanded configuration: From 17 lines to 94 lines with detailed package rules for Python (pep621 + pip_requirements) and GitHub Actions
  3. Security hardening: SHA-pinned GHA, OSV vulnerability alerts, security-labeled CVE PRs never batched
  4. Volume controls: Weekly schedule, concurrent PR limits, hourly limits
  5. Ecosystem-specific grouping: Non-major bundling, major isolation per dependency
  6. Pre-commit hook addition: renovate-config-validator with --strict --no-global flags for CI validation

Scoring Analysis

S — Scope (4/20)

  • 2 files with meaningful changes (.pre-commit-config.yaml + renovate.json5; renovate.json is a whole-file deletion)
  • Affects dependency management tooling only — single subsystem (CI/CD configuration)
  • No new public APIs, endpoints, or cross-service changes
  • Localized to DevOps/tooling layer

A — Architecture (3/20)

  • Introduces a pre-commit validation hook for Renovate config — minor tooling improvement
  • No new service dependencies, no design pattern changes
  • Slight improvement: config validation now enforced at commit time
  • Replaces one config format with another (JSON → JSON5), no structural architectural shift

I — Implementation (5/20)

  • Configuration logic, not production code
  • However, the Renovate JSON5 config demonstrates meaningful complexity: multi-rule package grouping, intentional groupName: null for security/major isolation, internalChecksFilter, lockFileMaintenance scheduling, dual-manager Python coverage
  • Well-reasoned rule ordering with explicit anti-batching logic for CVEs and majors
  • Comments explain non-obvious decisions (e.g., why groupName: null is intentional)

R — Risk (3/20)

  • Easily reversible — config file change with no data migration
  • Affects only automated dependency PR behavior, not production code
  • Worst case: Renovate creates unexpected PRs or misses updates — low blast radius
  • Pre-commit validator reduces risk of misconfiguration going undetected

Q — Quality (7/15)

  • Inline comments are thorough and explain non-obvious decisions (e.g., groupName: null rationale, prWeeklyLimit absence explanation)
  • Pre-commit validation hook adds automated correctness checking
  • No formal tests (not applicable for config files)
  • Good documentation of intent within the config itself
  • Missing: no README update explaining the new Renovate strategy to contributors

P — Performance/Security (2/5)

  • Security-conscious: SHA pinning for GHA, OSV vulnerability alerts, CVE PRs never batched
  • Supply-chain attack mitigation explicitly called out in comments
  • No performance considerations needed for this change type

Base Score Calculation

| Sub-score | Score | Rationale |
|---|---|---|
| S (Scope) | 4 | 2 files, single tooling subsystem |
| A (Architecture) | 3 | Minor tooling improvement, pre-commit hook addition |
| I (Implementation) | 5 | Config complexity with well-reasoned rule design |
| R (Risk) | 3 | Easily reversible, low blast radius |
| Q (Quality) | 7 | Good inline docs, pre-commit validation, no README update |
| P (Perf/Security) | 2 | SHA pinning, OSV alerts, supply-chain awareness |
| Base Score | 24 | |

Effort Scale Assessment

  • Effective Lines: 91 (pre-computed)
  • File Count: 2 (pre-computed)
  • ESF Tier: Small (0.4x) — pre-computed and confirmed

Step 1: Lines = 91 → Small tier (51-150) → ESF = 0.4x
Step 2: Files = 2 → Nano tier (≤2)
Step 3: Gap = Nano - Small = -1 tier → No bump
Final ESF: 0.4x


Final Score

24 × 0.4 = 9.6 → rounded to 10


Post-Merge Observations

  • The config is well-structured and the inline comments are genuinely useful for future maintainers — this is above-average quality for a Renovate config
  • The groupName: null pattern for security/major isolation is a best practice correctly applied
  • The pre-commit validator addition is a good defensive measure that prevents config drift
  • Consider adding a brief README section explaining the Renovate strategy for new contributors

Code Quality Data (JSON)

```json
{
  "_schema": "code_quality_v5",
  "total_score": 10,
  "total_factors": "24 × 0.4 (Small ESF) = 9.6, rounded to 10",
  "scope_score": 4,
  "scope_factors": "2 files, single tooling subsystem (CI/CD), no new APIs or cross-service changes",
  "architecture_score": 3,
  "architecture_factors": "Pre-commit hook addition, JSON to JSON5 format migration, no structural architectural changes",
  "implementation_score": 5,
  "implementation_factors": "Config complexity with multi-rule grouping, intentional null groupName for CVE/major isolation, dual-manager Python coverage, well-commented non-obvious decisions",
  "risk_score": 3,
  "risk_factors": "Easily reversible config change, affects only automated dependency PR behavior, pre-commit validator reduces misconfiguration risk",
  "quality_score": 7,
  "quality_factors": "Thorough inline comments explaining non-obvious decisions, pre-commit validation hook, missing README update for contributor guidance",
  "perf_security_score": 2,
  "perf_security_factors": "SHA pinning for GHA supply-chain protection, OSV vulnerability alerts, CVE PRs explicitly never batched"
}
```

