Merge branch 'main' into refactor/gitlab-types

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.0.11
+FROM ghcr.io/containerbase/devcontainer:13.0.21

.github/workflows/build.yml

@@ -31,12 +31,13 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 22
-  PDM_VERSION: 2.20.0.post1 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.20.1 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
     .github/actions/
     data/
+    patches/
     tools/
     package.json
     pnpm-lock.yaml
@@ -683,7 +684,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@5da2b2ba4cbde318e17640f04c54306ddee36856 # v3.4.40
+        uses: containerbase/internal-tools@fd19a9e4e99f83adf8ec2529ef1276b626d6785f # v3.4.45
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5

.github/workflows/dependency-review.yml

@@ -14,4 +14,4 @@ jobs:
           show-progress: false
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/mend-slack.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Post to Slack
         id: slack
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
         with:
           channel-id: 'C05NLTMGCJC'
           # For posting a simple plain text message

.github/workflows/scorecard.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -25,13 +25,13 @@ jobs:
         with:
           show-progress: false
 
-      - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+      - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

docs/usage/config-presets.md

@@ -176,7 +176,7 @@ To host your preset config on GitHub:
 
 - Create a new repository. Normally you'd call it `renovate-config` but it can be named anything
 - Add configuration files to this new repo for any presets you want to share. For the default preset, `default.json` will be checked. For named presets, `<preset-name>.json` will be loaded. For example, loading preset `library` would load `library.json`. No other files are necessary.
-- In other repos, reference it in an extends array like "github>owner/name", for example:
+- In other repos, reference it in an extends array like `"github>owner/name"`, for example:
 
   ```json
   {
@@ -195,7 +195,7 @@ To host your preset config on GitLab:
 
 - Create a new repository on GitLab. Normally you'd call it `renovate-config` but it can be named anything
 - Add a `default.json` to this new repo containing the preset config. No other files are necessary
-- In other repos, reference it in an extends array like "gitlab>owner/name", e.g. "gitlab>rarkins/renovate-config"
+- In other repos, reference it in an extends array like `"gitlab>owner/name"`, e.g. `"gitlab>rarkins/renovate-config"`
 
 ## Gitea-hosted Presets
 

docs/usage/configuration-options.md

@@ -122,7 +122,7 @@ If enabled Renovate tries to determine PR assignees by matching rules defined in
 Read the docs for your platform for details on syntax and allowed file locations:
 
 - [GitHub Docs, About code owners](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
-- [GitLab, Code Owners](https://docs.gitlab.com/ee/user/project/code_owners.html)
+- [GitLab, Code Owners](https://docs.gitlab.com/ee/user/project/codeowners/)
 - [Bitbucket, Set up and use code owners](https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-use-code-owners/)
 
 ## assigneesSampleSize

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/github-action@v40.3.5
+  uses: renovatebot/github-action@v41.0.3
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:38.142.5
+FROM renovate/renovate:39.19.1
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -13,13 +13,13 @@ version: '3'
 services:
   # Jaeger
   jaeger:
-    image: jaegertracing/all-in-one:1.62.0
+    image: jaegertracing/all-in-one:1.63.0
     ports:
       - '16686:16686'
       - '4317'
 
   otel-collector:
-    image: otel/opentelemetry-collector-contrib:0.113.0
+    image: otel/opentelemetry-collector-contrib:0.114.0
     command: ['--config=/etc/otel-collector-config.yml']
     volumes:
       - ./otel-collector-config.yml:/etc/otel-collector-config.yml

docs/usage/examples/self-hosting.md

@@ -24,9 +24,9 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
-docker run --rm renovate/renovate:38
-docker run --rm renovate/renovate:38.142
-docker run --rm renovate/renovate:38.142.5
+docker run --rm renovate/renovate:39
+docker run --rm renovate/renovate:39.19
+docker run --rm renovate/renovate:39.19.1
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:38.142.5
+              image: renovate/renovate:39.19.1
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:38.142.5
+            - image: renovate/renovate:39.19.1
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:38.142.5
+              image: renovate/renovate:39.19.1
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/faq.md

@@ -51,7 +51,7 @@ Follow these steps to see which version the Mend Renovate app is on:
    ```
    INFO: Repository started
    {
-     "renovateVersion": "38.120.1"
+     "renovateVersion": "39.11.5"
    }
    ```
 

docs/usage/getting-started/private-packages.md

@@ -611,7 +611,7 @@ If you need to provide credentials to the Mend Renovate App, please do this:
    }
    ```
 
-For more details, see [Using Secrets with Mend Cloud Apps](../mend-hosted/app-secrets.md).
+For more details, see [Using Secrets with Mend Cloud Apps](../mend-hosted/credentials.md).
 
 ### Access to GitHub Actions Secrets
 

docs/usage/golang.md

@@ -67,16 +67,16 @@ By default, Renovate will keep up with the latest version of the `go` binary.
 
 You can force Renovate to use a specific version of Go by setting a constraint.
 
-```json title="Getting Renovate to use the latest patch version of the 1.16 Go binary"
+```json title="Getting Renovate to use the latest patch version of the 1.23 Go binary"
 {
   "constraints": {
-    "go": "1.16"
+    "go": "1.23"
   }
 }
 ```
 
 We do not support patch level versions for the minimum `go` version.
-This means you cannot use `go 1.16.6`, but you can use `go 1.16` as a constraint.
+This means you cannot use `go 1.23.3`, but you can use `go 1.23` as a constraint.
 
 ### Custom registry support, and authentication
 

docs/usage/mend-hosted/.pages

@@ -1,5 +1,5 @@
 title: Mend-hosted Apps
 nav:
   - 'Configuration': 'hosted-apps-config.md'
-  - 'App Secrets': 'app-secrets.md'
+  - 'Credentials': 'credentials.md'
   - 'Migrating Secrets': 'migrating-secrets.md'

docs/usage/mend-hosted/app-secrets.md → docs/usage/mend-hosted/credentials.md

@@ -31,6 +31,7 @@ To add a secret for the Mend cloud app:
    ![Credentials settings page](../assets/images/app-settings/app-credentials.png)
 
 4. Reference the secret from Renovate config files inside the repo.
+   Alternatively, you can use the Host Rules UI (see below).
 
    ```json
    {
@@ -43,6 +44,21 @@ To add a secret for the Mend cloud app:
    }
    ```
 
+### Adding a host rule through the UI
+
+You can centrally add/configure Host Rules through the Mend UI as an alternative to including them in Renovate presets.
+
+1. Open the _Credentials_ section of the settings page for the relevant Org or Repo.
+2. Select `ADD HOST RULE` to open the "Add a Host Rule" dialog box.
+
+   ![Add Host Rule](../assets/images/app-settings/add-host-rule.png)
+
+3. Fill out the details for your host rule.
+
+   As an example, if you are a Bitbucket or Azure DevOps user, and you want to specify a github.com token to fetch release notes and enable github-based datasources, you could create a host rule like this:
+
+   ![Host Rules dialog box](../assets/images/app-settings/host-rules.png)
+
 ## Organization secrets vs repository secrets
 
 ### Secret scope

docs/usage/mend-hosted/migrating-secrets.md

@@ -1,6 +1,6 @@
 # Migrating Secrets from Repo Config to App Settings
 
-On 01-Oct-2024 the Mend Renovate cloud apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
+Use of encrypted secrets in the Mend Renovate cloud apps has been deprecated and soon the apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
 Previously, you could encrypt a secret with the [Renovate encryption tool](https://app.renovatebot.com/encrypt) and then put it in your Renovate config file.
 
 Going forward, all secrets must be stored in the App settings on the cloud.
@@ -102,4 +102,4 @@ If you were expecting to import a secret originally encrypted by Renovate:
 
 ## Related links
 
-- [Using Secrets with Mend Cloud Apps](app-secrets.md)
+- [Using Secrets with Mend Cloud Apps](credentials.md)

docs/usage/release-notes-for-major-versions.md

@@ -7,6 +7,71 @@ The most recent versions are always at the top of the page.
 This is because recent versions may revert changes made in an older version.
 You also don't have to scroll to the bottom of the page to find the latest release notes.
 
+## Version 39
+
+### Breaking changes for 39
+
+#### New tools for all Docker images
+
+All our Docker images now use:
+
+- Node.js v22 as base, was Node.js v20
+- Ubuntu 24.04 as base, was 20.04
+
+#### New Docker user ID for all Docker images
+
+All our Docker images now set the Docker user ID to `12021`, the old ID was `1001`.
+
+After updating your Renovate Docker image to the new v39 release, you must:
+
+- Delete your old Docker cache, _or_
+- Ensure the new user ID has write permissions to any existing cache
+
+#### Updated version of Python, and new default behavior for the `-full` Docker image
+
+On top of the changes listed above, the `-full` image now:
+
+- Uses Python 3.13
+- Defaults to [`binarySource=global`](self-hosted-configuration.md#binarysource) (note: this was previously the case in v36 onwards but regressed sometime in v38)
+
+If you want to keep the old behavior, where Renovate dynamically installs the needed tools: set the environment variable `RENOVATE_BINARY_SOURCE` to `"install"`.
+
+#### Renovate tries squash merges first when automerging on GitHub
+
+Due to technical reasons, GitHub will only sign commits coming from a squash merge.
+To help those who want Renovate to sign its commits, Renovate now tries the squash merge first.
+
+Of course, Renovate only uses the merge method(s) that you allow in your GitHub repository config.
+
+##### How you can allow squash merges on your GitHub repository
+
+If you want to allow squash merges on your GitHub repository, follow the steps in the [GitHub Docs, configuring commit squashing for pull requests](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/configuring-commit-squashing-for-pull-requests).
+
+#### Branch names with multiple slashes
+
+If you set `branchNameStrict=true`, then branch names with multiple forward slashes (`/`) will change.
+
+The problem was that even if you set `branchNameStrict=true`, in some cases special characters could still end up in Renovate's branch names.
+We fixed this problem, by letting Renovate convert multiple forward slashes (`/`) to hyphens (`-`) in its branch names, if `branchNameStrict=true`.
+
+### Commentary for 39
+
+#### Technical reasons for trying the squash merge first on GitHub
+
+Renovate has changed its GitHub merge preference to "squash" because this way results in signed commits, while "rebase" merges do not.
+
+Read the [GitHub Docs, Signature verification for rebase and merge](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-rebase-and-merge) to learn more about commit signing.
+
+#### Why we change branch names with multiple slashes
+
+Branches with mutiple slashes (`/`) are not wanted, this was a bug.
+We are changing it in a major release out of politeness to all our users.
+If you enabled `branchNameStrict`, you can expect some branch names to change.
+
+### Link to release notes for 39
+
+[Release notes for `v39` on GitHub](https://github.com/renovatebot/renovate/releases/tag/39.0.0).
+
 ## Version 38
 
 ### Breaking changes for 38
@@ -130,7 +195,7 @@ If you're on a version of Lerna before v7, you should prioritize upgrading to v7
 - **automerge:** Platform automerge will now be chosen by default whenever automerge is enabled
 - Post upgrade templating is now allowed by default, as long as the post upgrade task command is itself already allowed
 - Official Renovate Docker images now use the "slim" approach with `binarySource=install` by default. e.g. `renovate/renovate:latest` is the slim image, not full
-- The "full" image is now available via the tag `full`, e.g. `renovate/renovate:38-full`, and defaults to `binarySource=global` (no dynamic installs)
+- The "full" image is now available via the tag `full`, e.g. `renovate/renovate:39-full`, and defaults to `binarySource=global` (no dynamic installs)
 - Third party tools in the full image have been updated to latest/LTS major version
 
 ### Commentary for 36

docs/usage/rust.md

@@ -34,7 +34,7 @@ Read the [Rust environment variables docs](https://doc.rust-lang.org/cargo/refer
 You as user can set authentication for private crates by adding a `hostRules` configuration to your `renovate.json` file.
 
 All token `hostRules` with a `hostType` (e.g. `github`, `gitlab`, `bitbucket`, etc.) and host rules without a `hostType` will be automatically setup for authentication.
-You can also configure a `hostRules` that's only for Cargo authentication (e.g. `hostType: 'cargo'`).
+You can also configure a `hostRules` that's only for Cargo authentication (e.g. `hostType: 'crate'`).
 
 ```js title="Example of authentication for a private GitHub and Cargo registry:"
 module.exports = {
@@ -47,7 +47,7 @@ module.exports = {
     {
       matchHost: 'someGitHost.enterprise.com',
       token: process.env.CARGO_GIT_TOKEN,
-      hostType: 'cargo',
+      hostType: 'crate',
     },
   ],
 };

lib/config-validator.ts

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 // istanbul ignore file
 import 'source-map-support/register';
+import './punycode.cjs';
 import { dequal } from 'dequal';
 import { pathExists, readFile } from 'fs-extra';
 import { configFileNames } from './config/app-strings';