From 628a63da83ed4c7f1be7db73eabffd27fc35695f Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Fri, 5 Jun 2026 07:43:37 +0200
Subject: [PATCH] renovate: revert global timestamp-optional; narrowly bypass age gate for termix

Last commit's global `minimumReleaseAgeBehaviour: timestamp-optional` did two unwanted things:
1) Dry-run showed 0 "Would commit" branches (was 33 before). The flag appears to alter Renovate's filtering more broadly than expected and is not the right knob here.
2) Automated security review correctly flagged the global form as fail-open: a missing timestamp on ANY package would bypass the stability gate, weakening supply-chain protection across the fleet.
Narrow fix instead:
- Revert the global setting (back to default `timestamp-required`).
- Add `minimumReleaseAge: "0 days"` ONLY to the termix packageRule. ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a release timestamp Renovate can read, so the global 3-day gate would otherwise hold updates indefinitely (this is the same class of issue that's been keeping reloader/homepage/headlamp on "Pending Status Checks" for 8+ days). Major bumps still gated by the global major rule (`dependencyDashboardApproval: true`). Other ghcr.io packages with the same issue (reloader, homepage, headlamp) remain on the dashboard's "Pending Status Checks" list and can be force-approved per-update via the checkbox UX. That's a slower but safer manual-approval path that preserves the supply-chain gate's intent.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 admin-system/renovate.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml
index e2e7dd2..e395b5c 100644
--- a/admin-system/renovate.yaml
+++ b/admin-system/renovate.yaml
@@ -46,7 +46,6 @@ data:
 "dependencyDashboardTitle": "Renovate Dependency Dashboard",
 "prHourlyLimit": 8,
 "prConcurrentLimit": 8,
- "minimumReleaseAgeBehaviour": "timestamp-optional",
 "enabledManagers": ["kubernetes", "helm-values"],
 "kubernetes": {
 "managerFilePatterns": ["/.+\\.ya?ml$/"]
@@ -92,9 +91,10 @@ data:
 "automerge": false
 },
 {
- "description": "termix: non-semver release-X.Y.Z tag (regex versioning parses the whole tag incl. prefix; loose+extractVersion silently skips because currentValue fails the loose parser before extractVersion is applied)",
+ "description": "termix: regex versioning parses the release-X.Y.Z prefix; minimumReleaseAge:0 bypasses the stability gate because ghcr.io OCI manifests for this image don't expose a release timestamp (timestamp-required mode otherwise holds it forever). Major bumps still queue for dashboard approval via the global major rule.",
 "matchPackageNames": ["ghcr.io/lukegus/termix"],
- "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$"
+ "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$",
+ "minimumReleaseAge": "0 days"
 },
 {
 "description": "wanderer: db + web update together in one PR",
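Review bot: Setting `"minimumReleaseAge": "0 days"` on the termix rule removes every stability delay for this image, yet the hunk shows no compensating control: if termix is automerged (the `"automerge": false` visible just above belongs to a different rule) or is pulled by mutable tag rather than pinned digest, a `release-X.Y.Z` tag that is published or re-pushed is deployed as soon as Renovate sees it, which is the same fail-open case the commit message avoids globally. I would make the trade-off explicit in the rule, e.g. `"automerge": false` and `"pinDigests": true` alongside `"minimumReleaseAge": "0 days"`, or at least state in the description that updates for this image rely on dashboard review alone. I am also not certain `"0 days"` clears the pending state by itself: in `timestamp-required` mode Renovate appears to hold a release that has no timestamp regardless of the configured age, so this should be confirmed with a dry run (the previous one counted 33 "Would commit" branches), with `"minimumReleaseAge": null` or a per-rule `"minimumReleaseAgeBehaviour": "timestamp-optional"` as the alternative if it does not. Finally, the `versioning` line reads `(?\\d+)` as rendered here, while Renovate's regex versioning requires named groups such as `(?<major>\\d+)`; if that is not merely an artifact of how this patch was rendered, the rule would not parse at all and the new description would be describing behaviour that never runs.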