From 53a1fe196a4c2906f625d76163720893477171e8 Mon Sep 17 00:00:00 2001
From: Maxim Kalina <bigpuritz@me.com>
Date: Sat, 9 May 2026 12:53:28 +0200
Subject: [PATCH] ci: adopt org-wide self-hosted Renovate workflow

Adds a thin Renovate trigger that delegates to the org-wide reusable
workflow at plugwerk/.github/.github/workflows/renovate.yml. The
reusable workflow holds the SHA-pinned renovatebot/github-action
call; this stub keeps only the per-repo schedule, permissions, and
workflow_dispatch input.

Adopting the self-hosted trigger here gives this repo the same
observable Actions-tab cadence that plugwerk/plugwerk has had since
PR #462, instead of relying purely on Mend-Hosted Renovate (which
runs in parallel and is not affected by this change).

Token model is single-repo: GITHUB_TOKEN in workflow_call resolves
to the caller's repo-scoped token. No PAT, no GitHub App.

See plugwerk/plugwerk ADR-0032 for the architecture rationale.

Refs plugwerk/.github#3
---
 .github/workflows/renovate.yml | 40 ++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/renovate.yml

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..597b949
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,40 @@
+# Self-hosted Renovate trigger for this repo.
+#
+# Defines the schedule and permissions, then delegates the actual
+# Renovate run to the org-wide reusable workflow at
+# plugwerk/.github/.github/workflows/renovate.yml. The reusable
+# workflow holds the SHA-pinned `renovatebot/github-action` call;
+# this stub stays small so a future Renovate-binary bump is one
+# PR in plugwerk/.github, not three.
+#
+# See plugwerk/plugwerk/docs/adrs/0032-reusable-renovate-workflow.md
+# for the architecture rationale and trade-offs.
+#
+# Cron is Mon-Fri 04:00 UTC (~05:00-06:00 CET/CEST). workflow_dispatch
+# lets any maintainer trigger an on-demand run from the Actions tab
+# or via `gh workflow run renovate.yml`.
+
+name: Renovate
+
+on:
+  schedule:
+    - cron: "0 4 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Log level"
+        type: choice
+        default: "info"
+        options:
+          - info
+          - debug
+
+jobs:
+  renovate:
+    uses: plugwerk/.github/.github/workflows/renovate.yml@main
+    permissions:
+      contents: write       # branch + push
+      pull-requests: write  # open + label PRs
+      issues: write         # update Dependency Dashboard issue
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}