From a5dacb444c729a8a9edd88c6f0ab16a2dad068a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?=
Date: Wed, 1 Apr 2026 08:54:15 +0200
Subject: [PATCH] feat(renovate): distinguish library and app npm dependency strategies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the single `bump` range strategy for npm production dependencies with two explicit rules using matchJsonata:
- Libraries (publishConfig present): use `replace` to preserve semver ranges, avoiding forced exact versions for downstream consumers.
- Applications (private: true): use `pin` for reproducible builds.
Also skip digest pinning for openmfp/gha and openmfp/.github actions, since we trust our own shared workflow repos.
Aligns with the platform-mesh shared Renovate configuration.
Signed-off-by: Bastian Echterhölter
On-behalf-of: @SAP
---
 renovate-config.json | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/renovate-config.json b/renovate-config.json
index 14d7c87..b020141 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -21,10 +21,19 @@
 ],
 "packageRules": [
 {
- "description": "Use bump strategy for production dependencies to maintain existing range types",
+ "description": "Use replace strategy for library dependencies to preserve version ranges",
 "matchDepTypes": ["dependencies"],
 "matchManagers": ["npm"],
- "rangeStrategy": "bump"
+ "matchFileNames": ["package.json"],
+ "matchJsonata": ["$.publishConfig"],
+ "rangeStrategy": "replace"
+ },
+ {
+ "description": "Pin application dependencies for reproducible production builds",
+ "matchDepTypes": ["dependencies"],
+ "matchManagers": ["npm"],
+ "matchJsonata": ["$.private = true and not($.publishConfig)"],
+ "rangeStrategy": "pin"
 },
 {
 "description": "Widen peer dependency ranges to support multiple versions",
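Review bot: The two npm rules are asymmetric and leave a gap: the library rule is restricted with `"matchFileNames": ["package.json"]` while the application rule has no file filter, so a workspace package under a nested path that carries `publishConfig` matches neither rule, and so does a root package.json that is neither `private: true` nor published; both fall back to Renovate's default `auto` range strategy rather than `pin` or `replace`. Either drop the `matchFileNames` line or add the same filter to the application rule, and decide explicitly what packages matching neither should get. The expressions also presume that the npm manager exposes `private` and `publishConfig` in the matchJsonata context; if it does not, both rules silently never apply, which is worth confirming in a `--dry-run` log before relying on `pin` for reproducible builds.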
@@ -86,6 +95,12 @@
 "automerge": false,
 "platformAutomerge": false
 },
+ {
+ "description": "Trust our own shared actions repos — follow version tags without digest pinning",
+ "matchPackageNames": ["openmfp/gha", "openmfp/.github"],
+ "matchManagers": ["github-actions"],
+ "pinDigests": false
+ },
 {
 "groupName": "Github Actions",
 "matchPackagePrefixes": [
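Review bot: `"pinDigests": false` for these two repos moves the integrity guarantee out of this config: a floating tag can be re-pointed by anyone with write access to `openmfp/gha` or `openmfp/.github`, and without a digest Renovate will not surface the move, so what is actually being trusted is the tag and branch protection of those two repositories. That is a defensible choice but the rule should say so, e.g. `"description": "Trust our own shared actions repos — follow version tags without digest pinning (relies on tag/branch protection in openmfp/gha and openmfp/.github)"`. Also check that the `Github Actions` group rule that follows does not itself set `pinDigests: true`, since Renovate applies packageRules in order and a later matching rule overrides this one; that rule's body continues outside the hunk.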