From 2569374c46676de87ca57d2ff0ec3fa42770d20c Mon Sep 17 00:00:00 2001
From: Maxim Kalina
Date: Sat, 9 May 2026 12:53:31 +0200
Subject: [PATCH 1/2] ci: adopt org-wide self-hosted Renovate workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a thin Renovate trigger that delegates to the org-wide reusable workflow at plugwerk/.github/.github/workflows/renovate.yml. The reusable workflow holds the SHA-pinned renovatebot/github-action call; this stub keeps only the per-repo schedule, permissions, and workflow_dispatch input. This repo has been Renovate-silent (zero PRs ever) — adopting the self-hosted trigger gives it the same observable Actions-tab cadence plugwerk/plugwerk has used since PR #462, instead of relying solely on Mend-Hosted Renovate. Token model is single-repo: GITHUB_TOKEN in workflow_call resolves to the caller's repo-scoped token. No PAT, no GitHub App. See plugwerk/plugwerk ADR-0032 for the architecture rationale. Refs plugwerk/.github#3
---
 .github/workflows/renovate.yml | 40 ++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/renovate.yml
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..597b949
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,40 @@
+# Self-hosted Renovate trigger for this repo.
+#
+# Defines the schedule and permissions, then delegates the actual
+# Renovate run to the org-wide reusable workflow at
+# plugwerk/.github/.github/workflows/renovate.yml. The reusable
+# workflow holds the SHA-pinned `renovatebot/github-action` call;
+# this stub stays small so a future Renovate-binary bump is one
+# PR in plugwerk/.github, not three.
+#
+# See plugwerk/plugwerk/docs/adrs/0032-reusable-renovate-workflow.md
+# for the architecture rationale and trade-offs.
+#
+# Cron is Mon-Fri 04:00 UTC (~05:00-06:00 CET/CEST). workflow_dispatch
+# lets any maintainer trigger an on-demand run from the Actions tab
+# or via `gh workflow run renovate.yml`.
+
+name: Renovate
+
+on:
+ schedule:
+ - cron: "0 4 * * 1-5"
+ workflow_dispatch:
+ inputs:
+ logLevel:
+ description: "Log level"
+ type: choice
+ default: "info"
+ options:
+ - info
+ - debug
+
+jobs:
+ renovate:
+ uses: plugwerk/.github/.github/workflows/renovate.yml@main
+ permissions:
+ contents: write # branch + push
+ pull-requests: write # open + label PRs
+ issues: write # update Dependency Dashboard issue
+ with:
+ logLevel: ${{ inputs.logLevel || 'info' }}
From 2fa8c7c1f8f9e110f201eb5e3688fa7ee1d3fb1d Mon Sep 17 00:00:00 2001
From: Maxim Kalina
Date: Sat, 9 May 2026 13:11:38 +0200
Subject: [PATCH 2/2] style: prettier-format renovate workflow stub
---
 .github/workflows/renovate.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 597b949..524e703 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
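Review bot: The `uses: plugwerk/.github/.github/workflows/renovate.yml@main` line in the new workflow (PATCH 1/2) references the reusable workflow by a mutable branch while the same job grants `contents: write`, `pull-requests: write` and `issues: write`, so whatever sits on `main` of plugwerk/.github at run time executes with this repo's write-scoped token. The SHA pin described in the header comment covers only the inner `renovatebot/github-action` call, not this reference, so the supply-chain guarantee stops one hop short. Consider `uses: plugwerk/.github/.github/workflows/renovate.yml@<FULL_COMMIT_SHA> # main` with the SHA bumped through a reviewed PR. If tracking `main` is a deliberate trade-off from ADR-0032, a comment on that line such as `# tracks main on purpose; trust rests on branch protection in plugwerk/.github` would make the trust boundary explicit for the next reader.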
@@ -33,8 +33,8 @@ jobs:
 renovate:
 uses: plugwerk/.github/.github/workflows/renovate.yml@main
 permissions:
- contents: write # branch + push
- pull-requests: write # open + label PRs
- issues: write # update Dependency Dashboard issue
+ contents: write # branch + push
+ pull-requests: write # open + label PRs
+ issues: write # update Dependency Dashboard issue
 with:
 logLevel: ${{ inputs.logLevel || 'info' }}