
chore(renovate): refresh config with explicit grouping + soak rules #9

Merged
gofreight-jackyeh merged 1 commit into develop from chore/refresh-renovate-config on May 20, 2026

Conversation

@gofreight-jackyeh
Contributor

@gofreight-jackyeh gofreight-jackyeh commented May 19, 2026

Summary

Switch renovate.json5 to an explicit, self-contained config. Resolves the "Cannot find preset's package" validation error that was blocking Renovate from opening PRs on this repo.

Same effective policy as before, just expressed locally:

  • SHA-pinned GitHub Actions with pinDigests: true
  • 3-day minimumReleaseAge soak on Python deps + GHA
  • OSV vulnerability alerts (security PRs never batched)
  • Per-ecosystem grouping (backend-non-major, gha-non-major)
  • Major updates isolated to one PR per dep (groupName: null)
  • Lockfile-maintenance bundled into one PR per cycle
  • prConcurrentLimit: 4 + prHourlyLimit: 4 + Monday-only schedule

File renamed renovate.json → renovate.json5 so override rationale can live as inline comments. Old file deleted in the same commit (renovate.json has higher Renovate lookup precedence).

No behaviour change for the deps Renovate would have opened anyway — this just makes the run actually succeed.

Validation gate

Adds .github/workflows/validate-renovate.yml that runs renovate-config-validator --strict --no-global on PR + push. The paths: filter covers every Renovate config filename (renovate.json, renovate.json5, .renovaterc, .renovaterc.json, .github/renovate.json, .github/renovate.json5) so a PR can't bypass the gate by adding a higher-precedence file; the workflow also fails loudly at run time if any higher-precedence config is present, so a stray file can't silently override the chosen .json5.

Test plan

  • renovate-config-validator --strict --no-global renovate.json5 passes locally (Node 24 + renovate@43, LOG_LEVEL=warn, exit 0)
  • Validate Renovate Config workflow passes on this PR

Post-merge verification

Will confirm after merge:

  • Renovate run on the default branch succeeds (no config-validation issue re-opened)
  • Renovate opens any pending grouped PR(s) — backend-non-major / gha-non-major

Switch `renovate.json5` to an explicit, self-contained config so the
Renovate run on this repo can resolve all its preset references.

Same effective policy as before, just expressed locally:

- SHA-pinned GitHub Actions with `pinDigests: true`
- 3-day `minimumReleaseAge` soak on Python deps + GHA
- OSV vulnerability alerts (security PRs never batched)
- Per-ecosystem grouping (`backend-non-major`, `gha-non-major`)
- Major updates isolated to one PR per dep (`groupName: null`)
- Lockfile-maintenance bundled into one PR per cycle
- `prConcurrentLimit: 4` + `prHourlyLimit: 4` + Monday-only schedule

File renamed `renovate.json` → `renovate.json5` so override rationale
can live as inline comments. The old file is deleted in this commit
(renovate.json has higher precedence than .json5 in Renovate's lookup).

Adds `.github/workflows/validate-renovate.yml` that runs
`renovate-config-validator --strict --no-global` on any Renovate-config
path. The workflow also fails loudly if a higher-precedence
`renovate.json` / `.renovaterc` / `.github/renovate.json` is present,
so a stray file can't silently override the chosen `.json5` config.
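The "fail loudly if a higher-precedence config is present" guard that the PR description and commit message attribute to validate-renovate.yml, written out as an added example. This is not the PR's own workflow step: the function name `check_renovate_config_dir` is hypothetical, the filename list is the one from the PR description's `paths:` filter, and the chosen config defaults to renovate.json5. It is deliberately stricter than pure lookup precedence: any Renovate config filename other than the chosen one causes a non-zero exit, so a stray file cannot be merged regardless of where Renovate would rank it.

```shell
#!/usr/bin/env sh
# Added example (not the PR's validate-renovate.yml script): refuse any
# Renovate config file other than the single chosen one, so a stray file
# cannot silently override it.

# Every Renovate config filename this guard knows about. Constructed from
# the filenames listed in the PR description's paths: filter.
RENOVATE_CONFIG_FILES="renovate.json renovate.json5 .renovaterc .renovaterc.json .github/renovate.json .github/renovate.json5"

# check_renovate_config_dir DIR [CHOSEN]
# Returns 0 when DIR contains CHOSEN and no other known Renovate config
# file; prints each offending path to stderr and returns 1 otherwise.
# CHOSEN defaults to renovate.json5 (assumption matching this PR).
check_renovate_config_dir() {
    dir="$1"
    chosen="${2:-renovate.json5}"
    status=0

    # The chosen config must exist, otherwise Renovate silently falls back
    # to whatever else it finds (or to no config at all).
    if [ ! -f "$dir/$chosen" ]; then
        echo "ERROR: chosen config $chosen is missing in $dir" >&2
        status=1
    fi

    # Any other known config filename is refused, not just the ones Renovate
    # ranks above the chosen file: the CI gate should fail loudly, never guess.
    for f in $RENOVATE_CONFIG_FILES; do
        [ "$f" = "$chosen" ] && continue
        if [ -e "$dir/$f" ]; then
            echo "ERROR: $f would be picked up by Renovate alongside $chosen; delete it or make it the single config" >&2
            status=1
        fi
    done

    return "$status"
}

# Stand-alone usage, as a CI step would call it against the checkout:
#   sh this_script.sh --run .        (exit 0 = clean, exit 1 = stray config)
if [ "${1:-}" = "--run" ]; then
    check_renovate_config_dir "${2:-.}"
fi
```

In a workflow this runs before `renovate-config-validator`, because the validator only checks the file it is pointed at and says nothing about other files Renovate would discover first.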
@gofreight-jackyeh gofreight-jackyeh merged commit e5c469e into develop May 20, 2026
2 checks passed
@gitvelocity-reviewer

Final Merge Review (Official Score)

This is the official score for PR #9, calculated on the final merged code.
Merge commit: e5c469e35cd813d9541ba323049eb84a5cef5c50


Summary

This PR migrates the Renovate configuration from renovate.json to renovate.json5 (comment-supporting format) and significantly expands the configuration with:

  1. renovate.json5: A comprehensive Renovate config with volume controls (PR limits, scheduling), security baseline (OSV vulnerability alerts, CVE isolation), per-ecosystem grouping rules (Python pip, GitHub Actions), SHA-pinning, release soak windows, and well-documented rationale for non-obvious decisions.

  2. .github/workflows/validate-renovate.yml: A CI workflow that validates the Renovate config on PRs/pushes, including a defensive check that refuses higher-precedence config files that would silently override renovate.json5.

IFC: Low-Medium — Renovate config expansion is a well-understood operational task.
IC: Low-Medium — The implementation is clean, well-commented, and defensively engineered.


Sub-Score Breakdown

S (Scope) — 5/20

  • 2 files modified (3 total including deletion), contained within CI/config subsystem
  • No new public APIs, endpoints, or external service integrations
  • Affects dependency management behavior across the repo
  • Small but meaningful operational footprint

A (Architecture) — 4/20

  • Migrates config format to support comments (JSON → JSON5), improving maintainability
  • Introduces a new CI validation workflow — a new guard rail pattern
  • No service boundaries changed, no new dependencies introduced
  • The "refuse higher-precedence files" guard is a defensive architectural decision worth noting

I (Implementation) — 6/20

  • The Renovate config itself has moderate complexity: layered grouping rules, intentional groupName: null for security/major isolation, volume controls with documented rationale
  • The bash script in the workflow is simple but purposeful (array iteration, conditional exit)
  • Well-structured with clear comments explaining non-obvious decisions (e.g., why groupName: null for CVEs)
  • No algorithmic complexity, but the configuration logic requires domain knowledge of Renovate's precedence rules

R (Risk) — 4/20

  • Low operational risk: config change to dependency management tooling
  • The migration from renovate.json to renovate.json5 could theoretically cause a brief gap if not atomic, but the validation workflow mitigates this
  • The "refuse higher-precedence files" check actively reduces future risk
  • Easily reversible

Q (Quality) — 8/15

  • The validation workflow serves as a form of automated testing for the config
  • Inline comments are thorough and explain the "why" behind non-obvious decisions (CVE grouping isolation, groupName: null rationale, volume control approach)
  • The defensive check for higher-precedence files shows proactive quality thinking
  • No formal test suite needed for config files; the CI validator is the appropriate quality mechanism
  • Missing: explicit documentation of what changed from the old config and why

P (Performance/Security) — 3/5

  • OSV vulnerability alerts enabled with proper CVE isolation (no batching)
  • SHA-pinning for GitHub Actions (supply-chain attack mitigation)
  • 3-day release soak window for security vetting
  • The security rationale is explicitly documented in comments

Score Calculation

Base Score: S(5) + A(4) + I(6) + R(4) + Q(8) + P(3) = 30

ESF Tier Assessment:

  • Effective Lines: 134 → Small tier (51-150 lines) → Base ESF = 0.4x
  • File Count: 2 → Nano tier (≤2 files)
  • Gap: Nano - Small = -1 tier (file tier is LOWER than line tier) → No bump
  • Final ESF: 0.4x (pre-computed, confirmed)

Final Score: 30 × 0.4 = 12


Post-Merge Observations

  • The groupName: null pattern for CVE/major isolation is a best practice that prevents one blocked update from holding up others — well-reasoned.
  • The workflow's "refuse higher-precedence files" step is an elegant defensive measure that prevents silent config overrides — this kind of proactive guard is worth recognizing.
  • The config:best-practices extension (vs. the old config:recommended) is a meaningful upgrade that wasn't called out explicitly in the PR but represents a substantive improvement.
  • The weekly schedule + concurrent limit combination is a pragmatic workaround for Renovate's lack of prWeeklyLimit — the comment explaining this is valuable institutional knowledge.

Code Quality Data (JSON)

{
  "_schema": "code_quality_v5",
  "total_score": 12,
  "total_factors": "30 × 0.4 (Small ESF) = 12",
  "scope_score": 5,
  "scope_factors": "2 files, single CI/config subsystem, no new APIs or external integrations, affects repo-wide dependency management behavior",
  "architecture_score": 4,
  "architecture_factors": "JSON→JSON5 format migration for maintainability, new CI validation workflow as guard rail, defensive higher-precedence file check, no service boundary changes",
  "implementation_score": 6,
  "implementation_factors": "Layered Renovate grouping rules with intentional null groupName for CVE/major isolation, volume controls, bash script for precedence check, domain knowledge required but no algorithmic complexity",
  "risk_score": 4,
  "risk_factors": "Low operational risk, easily reversible config change, validation workflow mitigates migration gap risk, defensive checks reduce future risk",
  "quality_score": 8,
  "quality_factors": "CI validator as automated config testing, thorough inline comments explaining non-obvious decisions, defensive higher-precedence file check, missing explicit changelog of what changed from old config",
  "perf_security_score": 3,
  "perf_security_factors": "OSV vulnerability alerts with CVE isolation (no batching), SHA-pinning for GHA supply-chain protection, 3-day release soak window, security rationale documented in comments"
}
