chore: add renovate/dependabot configuration for updates and security…

… issues

.github/dependabot.yml

@@ -1,13 +1,22 @@
+# This file is only used for vulnerability alerts, not for automatic updates.
+# This is due to the fact that Renovate does not support patching lock files directly.
+# cf. https://docs.renovatebot.com/configuration-options/#transitiveremediation
+
 version: 2
 
 updates:
-
-  - package-ecosystem: "github-actions"
-    # Workflow files stored in the
-    # default location of `.github/workflows`
-    directory: "/"
+  - package-ecosystem: npm
+    directory: /
     schedule:
-      interval: weekly
-      day: sunday
-      time: "20:00"
-    open-pull-requests-limit: 10
+      interval: monthly
+    open-pull-requests-limit: 0  # only allow vulnerabilities
+    groups:
+      npm-vulnerabilities:
+        applies-to: security-updates
+        patterns:
+          - "*"
+    labels:
+      - "type: security"
+    reviewers:
+      - alma/squad-e-commerce-integrations
+      - alma/it-and-security-operation

.github/renovate.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "prHourlyLimit": 20,
+  "prConcurrentLimit": 20,
+  "recreateWhen": "always",
+  "enabledManagers": ["github-actions", "nvm", "npm"],
+  "reviewers": ["team:squad-e-commerce-integrations"],
+  "extends": [
+    "github>alma/renovate:github-actions",
+    "github>alma/renovate:vulnerabilities",
+    "github>alma/renovate:confidence-badges"
+  ],
+  "packageRules": [
+    {
+      "matchManagers": ["npm"],
+      "groupName": "NPM dependencies",
+      "reviewers": ["team:squad-e-commerce-integrations"]
+    },
+    {
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "major NPM dependencies",
+      "reviewers": ["team:squad-e-commerce-integrations"],
+      "draftPR": true
+    }
+  ]
+}

.nvmrc

@@ -0,0 +1 @@
+12