fix(packageRules): evaluate confidence matcher first #23327

Merged


Gabriel-Ladzaretti
Collaborator

@Gabriel-Ladzaretti Gabriel-Ladzaretti commented Jul 12, 2023

Changes

Evaluate matchConfidence first when applying package rules.

applyPackageRules evaluates matchers in the order of insertion. It also returns early when any set matcher fails.
Therefore, when multiple matchers are set in a single packageRule, we might not check all set matchers, which can cause unwanted lookup and PR flip-flop.

Context

When scanning the following reproduction repository, we fail to abort the run before performing the lookup, although matchConfidence is used without credentials.
This in turn is treated as a LookupError, as can be seen in the corresponding Dashboard.

Logs
DEBUG: Found npm package files (repository=ladzaretti/pr-order-eval)
DEBUG: Found 1 package file(s) (repository=ladzaretti/pr-order-eval)
 INFO: Dependency extraction complete (repository=ladzaretti/pr-order-eval, baseBranch=main)
       "stats": {
         "managers": {"npm": {"fileCount": 1, "depCount": 1}},
         "total": {"fileCount": 1, "depCount": 1}
       }
ERROR: lookupUpdates error (repository=ladzaretti/pr-order-eval, packageFile=package.json)
       "currentDigest": undefined,
       "currentValue": "4.0.0",
       "datasource": "npm",
       "packageName": "lodash",
       "digestOneAndOnly": undefined,
       "followTag": null,
       "lockedVersion": undefined,
       "pinDigests": false,
       "rollbackPrs": false,
       "isVulnerabilityAlert": undefined,
       "updatePinnedDependencies": true,
       "unconstrainedValue": false,
       "err": {
         "validationMessage": "Missing credentials",
         "validationError": "The `matchConfidence` matcher in `packageRules` requires authentication. Please refer to the [documentation](https://docs.renovatebot.com/configuration-options/#matchconfidence) and add the required host rule.",
         "message": "missing-api-credentials",
         "stack": "Error: missing-api-credentials\n    at MergeConfidenceMatcher.matches (C:\\projects\\ladzaretti-renovate\\lib\\util\\package-rules\\merge-confidence.ts:20:21)\n    at matcherOR (C:\\projects\\ladzaretti-renovate\\lib\\util\\package-rules\\utils.ts:19:27)\n    at matchesRule (C:\\projects\\ladzaretti-renovate\\lib\\util\\package-rules\\index.ts:17:30)\n    at applyPackageRules (C:\\projects\\ladzaretti-renovate\\lib\\util\\package-rules\\index.ts:74:9)\n    at filterInternalChecks (C:\\projects\\ladzaretti-renovate\\lib\\workers\\repository\\process\\lookup\\filter-checks.ts:54:40)\n    at lookupUpdates (C:\\projects\\ladzaretti-renovate\\lib\\workers\\repository\\process\\lookup\\index.ts:276:37)\n    at async withLookupStats (C:\\projects\\ladzaretti-renovate\\lib\\workers\\repository\\process\\fetch.ts:29:18)\n    at async fetchDepUpdates (C:\\projects\\ladzaretti-renovate\\lib\\workers\\repository\\process\\fetch.ts:74:30)\n    at async C:\\projects\\ladzaretti-renovate\\node_modules\\p-map\\index.js:57:22"
       }
DEBUG: PackageFiles.add() - Package file saved for base branch (repository=ladzaretti/pr-order-eval, baseBranch=main)


Expected Behavior

Raise a new warning issue whenever the matchConfidence PackageRules matcher is used without credentials.

As per:

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository
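
The evaluation-order problem described in this PR, as an added TypeScript example that is not part of the PR or of Renovate's code base: a simplified model in which `evaluateRule`, the matcher objects and the sample rule are hypothetical. It goes slightly beyond the PR text by running one rule in both orders, so the credential check is skipped for some updates under insertion order and always fires when the confidence matcher runs first.

```typescript
// Simplified model, not Renovate's code. A matcher returns null when the rule does not set it.
type Dep = { packageName: string; updateType: string; confidence?: string };
type Rule = { matchPackageNames?: string[]; matchUpdateTypes?: string[]; matchConfidence?: string[] };
type Matcher = { name: string; matches: (dep: Dep, rule: Rule, hasCreds: boolean) => boolean | null };
type Outcome = { matched: boolean; credentialError: boolean; evaluated: string[] };
const has = (list: string[], v: string | undefined): boolean => v !== undefined && list.indexOf(v) !== -1;

const nameMatcher: Matcher = {
  name: 'matchPackageNames',
  matches: (dep, rule) => (rule.matchPackageNames ? has(rule.matchPackageNames, dep.packageName) : null),
};
const typeMatcher: Matcher = {
  name: 'matchUpdateTypes',
  matches: (dep, rule) => (rule.matchUpdateTypes ? has(rule.matchUpdateTypes, dep.updateType) : null),
};
const confidenceMatcher: Matcher = {
  name: 'matchConfidence',
  matches: (dep, rule, hasCreds) => {
    if (!rule.matchConfidence) return null;
    // The credential check lives inside the matcher: it fires only if the matcher runs.
    if (!hasCreds) throw new Error('missing-api-credentials');
    return has(rule.matchConfidence, dep.confidence);
  },
};

// Evaluate matchers in the given order, returning early on the first set matcher that fails.
function evaluateRule(order: Matcher[], dep: Dep, rule: Rule, hasCreds: boolean): Outcome {
  const evaluated: string[] = [];
  try {
    for (const m of order) {
      const result = m.matches(dep, rule, hasCreds);
      if (result === null) continue;
      evaluated.push(m.name);
      if (!result) return { matched: false, credentialError: false, evaluated };
    }
    return { matched: true, credentialError: false, evaluated };
  } catch (err) {
    if (!(err instanceof Error) || err.message !== 'missing-api-credentials') throw err;
    return { matched: false, credentialError: true, evaluated };
  }
}

const insertionOrder: Matcher[] = [nameMatcher, typeMatcher, confidenceMatcher];
const confidenceFirst: Matcher[] = [confidenceMatcher, nameMatcher, typeMatcher];

// Constructed rule and updates; the runs of interest pass hasCreds = false.
const rule: Rule = { matchPackageNames: ['lodash'], matchUpdateTypes: ['minor'], matchConfidence: ['high'] };
const majorUpdate: Dep = { packageName: 'lodash', updateType: 'major' };
const minorUpdate: Dep = { packageName: 'lodash', updateType: 'minor' };
```

With `insertionOrder` and no credentials, `majorUpdate` is rejected by `matchUpdateTypes` before the credential check runs, while `minorUpdate` reaches it; with `confidenceFirst` both report the missing credentials.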

@Gabriel-Ladzaretti Gabriel-Ladzaretti changed the title evaluate confidence matcher first fix(packageRules): evaluate confidence matcher first Jul 12, 2023
@Gabriel-Ladzaretti Gabriel-Ladzaretti marked this pull request as ready for review July 12, 2023 14:01
@rarkins rarkins enabled auto-merge July 12, 2023 17:41
@rarkins rarkins added this pull request to the merge queue Jul 12, 2023
Merged via the queue into renovatebot:main with commit bbe9697 Jul 12, 2023
51 checks passed
@rarkins rarkins deleted the fix/package-rules-eval-order branch July 12, 2023 17:51
@renovate-release
Collaborator

🎉 This PR is included in version 36.7.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 12, 2023