feat: reusable Renovate workflow for org-wide self-hosted runs

.github/workflows/renovate.yml

@@ -0,0 +1,60 @@
+# Reusable Renovate workflow for the plugwerk org.
+#
+# Why reusable: every plugwerk repo runs the same Renovate binary
+# against its own renovate.json with the same SHA-pinned action and
+# the same logging conventions. Duplicating the 70-line trigger in
+# every consumer repo means three places to touch on every action
+# bump. This workflow holds the real logic; consumers add a 15-line
+# stub that wires their schedule + permissions in.
+#
+# Token model: this is single-repo. Each caller's GITHUB_TOKEN is
+# scoped to its own repo, so when the renovate binary opens branches
+# and PRs, it does so against the calling repo only. No PAT, no
+# GitHub App, no cross-repo write access.
+#
+# Trigger: callers decide when to fire. Recommended pattern is
+# `cron: "0 4 * * 1-5"` (Mon-Fri 04:00 UTC) plus workflow_dispatch
+# for on-demand runs from the Actions tab.
+
+name: Renovate (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      logLevel:
+        description: "Renovate log level (info or debug)."
+        required: false
+        type: string
+        default: "info"
+      configurationFile:
+        description: "Path to the calling repo's renovate config."
+        required: false
+        type: string
+        default: ".github/renovate.json"
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    # Concurrency keyed by the calling repo so two Renovate runs
+    # against the same repo cannot race on branch creation. Different
+    # repos are independent and run in parallel without contention.
+    concurrency:
+      group: renovate-${{ github.repository }}-${{ github.ref }}
+      cancel-in-progress: false
+    # Lift the input into an env var so the run-step never interpolates
+    # workflow input straight into a shell field — defensive practice
+    # that satisfies hardened-runner injection-prevention guidance even
+    # though the input has limited shape (string from a workflow_call).
+    env:
+      RENOVATE_LOG_LEVEL: ${{ inputs.logLevel }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@79dc0ba74dc3de28db0a7aeb1d0b95d5bf5fde2a # v46.1.13
+        with:
+          configurationFile: ${{ inputs.configurationFile }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          LOG_LEVEL: ${{ env.RENOVATE_LOG_LEVEL }}

README.md

@@ -18,6 +18,7 @@ every repository under `plugwerk/*` that does not provide its own override.
 | `.github/ISSUE_TEMPLATE/` | YAML issue forms (bug, feature, config). |
 | `.github/PULL_REQUEST_TEMPLATE.md` | Default PR template. |
 | `.github/workflows/renovate-config-validator.yml` | Validates `default.json` on every PR. |
+| `.github/workflows/renovate.yml` | Reusable Renovate trigger; consumer repos call it via `uses:` with their own schedule. |
 
 ## Override Behavior
 
@@ -35,6 +36,42 @@ For Renovate, per-repo `renovate.json` files extend `github>plugwerk/.github`
 and add their own `packageRules` for project-specific stacks (e.g. Java/Kotlin
 groupings live in `plugwerk/plugwerk/.github/renovate.json`, not here).
 
+## Reusable Renovate Workflow
+
+Consumer repos call the reusable trigger from this repo so the
+`renovatebot/github-action` SHA pin and run conventions live in one
+place. Minimal stub for a consumer repo's
+`.github/workflows/renovate.yml`:
+
+```yaml
+name: Renovate
+
+on:
+  schedule:
+    - cron: "0 4 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Log level"
+        type: choice
+        default: info
+        options: [info, debug]
+
+jobs:
+  renovate:
+    uses: plugwerk/.github/.github/workflows/renovate.yml@main
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+```
+
+Each caller's `GITHUB_TOKEN` is scoped to its own repo, so the call is
+single-repo by design — the reusable workflow does not add cross-repo
+write access.
+
 ## Maintenance
 
 Changes to `default.json` affect every repo in the org. Treat changes here as