From c308c0a85e57ac1da40319e7c7dbcf6a2e9ef251 Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 07:07:39 +0200 Subject: [PATCH 1/5] renovate: default-allow + codify ArgoCD auto-sync in git MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two coordinated changes — open PR only, do NOT merge until dry-run passes. 1) admin-system/renovate.yaml: flip packageRules from Tier 1 allowlist to default-allow with safety gates. Adds prHourlyLimit=8 + prConcurrentLimit=8 to throttle the first wave. New rules (7 total, order-sensitive): - "*" : 3-day stability gate (minimumReleaseAge) - minor/patch : automerge via platformAutomerge - major : dependencyDashboardApproval (manual gate) - k3s-bundled (3 images) : disabled (ride k3s upgrades) - critical-core (6 imgs) : automerge=false (Viktor merges manually) - gitea/gitea, ghcr.io/goauthentik/{server,ldap,proxy}, ghcr.io/cloudnative-pg/cloudnative-pg, quay.io/argoproj/argocd - ArgoCD + authentik /ldap and /proxy are no-ops (not pinned in repo) - termix : versioning=loose, extractVersion for "release-X.Y.Z" - wanderer-db + -web : groupName=wanderer (one PR, prevents file race) enabledManagers unchanged ([kubernetes, helm-values]) — keeps Helmfile- managed infra invisible. 2) argocd-apps/homelab.yaml: codify per-app auto-sync intent in git (currently lives only on live CRs via UI — DR risk). - 35 existing bare-AUTO apps: add `automated: {enabled: true}` (matches live). - jarr, version-checker: add `automated: {enabled: true, prune: true, selfHeal: true}` (flipping MANUAL -> AUTO so Renovate merges deploy). - Untouched: admin-tools, authentik, cnpg-operator, root-apps (already have strict automated in git); monitoring, infrastructure, felhom, gitea, pihole, database-system (explicitly kept MANUAL per Viktor). NOTE: root-apps does NOT enforce syncPolicy.automated drift between git and live, so jarr + version-checker will also need a one-off kubectl patch after merge to actually become AUTO live. Done in go-live step. Co-Authored-By: Claude Opus 4.7 (1M context) --- admin-system/renovate.yaml | 116 ++++++++++++++----------------------- argocd-apps/homelab.yaml | 78 +++++++++++++++++++++++++ 2 files changed, 121 insertions(+), 73 deletions(-) diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml index 3934443..3e71dd9 100644 --- a/admin-system/renovate.yaml +++ b/admin-system/renovate.yaml @@ -44,92 +44,62 @@ data: "requireConfig": "optional", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", - "prHourlyLimit": 0, - "prConcurrentLimit": 0, + "prHourlyLimit": 8, + "prConcurrentLimit": 8, "enabledManagers": ["kubernetes", "helm-values"], "kubernetes": { "managerFilePatterns": ["/.+\\.ya?ml$/"] }, "packageRules": [ { - "description": "Default-deny everything", + "description": "All apps: 3-day stability gate before any PR opens", "matchPackageNames": ["*"], - "enabled": false - }, - { - "description": "Tier 1: enable updates for low-risk leaf apps", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], - "enabled": true - }, - { - "description": "Tier 1: automerge minor/patch after 3-day stability window", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], - "matchUpdateTypes": ["minor", "patch"], - "automerge": true, - "automergeType": "pr", - "platformAutomerge": true, "minimumReleaseAge": "3 days" }, { - "description": "Tier 1: major bumps require dashboard approval (no automerge)", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], + "description": "Auto-merge minor/patch after the stability window", + "matchUpdateTypes": ["minor", "patch"], + "automerge": true, + "automergeType": "pr", + "platformAutomerge": true + }, + { + "description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)", "matchUpdateTypes": ["major"], "automerge": false, "dependencyDashboardApproval": true + }, + { + "description": "k3s-bundled components: never touch, they ride k3s upgrades", + "matchPackageNames": [ + "rancher/local-path-provisioner", + "rancher/mirrored-coredns/coredns", + "rancher/mirrored-metrics-server" + ], + "enabled": false + }, + { + "description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).", + "matchPackageNames": [ + "gitea/gitea", + "quay.io/argoproj/argocd", + "ghcr.io/goauthentik/server", + "ghcr.io/goauthentik/ldap", + "ghcr.io/goauthentik/proxy", + "ghcr.io/cloudnative-pg/cloudnative-pg" + ], + "automerge": false + }, + { + "description": "termix: non-semver release- tag", + "matchPackageNames": ["ghcr.io/lukegus/termix"], + "versioning": "loose", + "extractVersion": "^release-(?.+)$" + }, + { + "description": "wanderer: db + web update together in one PR", + "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"], + "groupName": "wanderer" } ], "labels": ["renovate"] diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml index df0df2a..56cad1d 100644 --- a/argocd-apps/homelab.yaml +++ b/argocd-apps/homelab.yaml @@ -47,6 +47,8 @@ spec: server: https://kubernetes.default.svc namespace: servarr-system syncPolicy: + automated: + enabled: true # Start with manual sync until you're comfortable # automated: # prune: true @@ -82,6 +84,8 @@ spec: server: https://kubernetes.default.svc namespace: paperless-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -104,6 +108,8 @@ spec: server: https://kubernetes.default.svc namespace: actualbudget-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -126,6 +132,8 @@ spec: server: https://kubernetes.default.svc namespace: audiobookshelf-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -148,6 +156,8 @@ spec: server: https://kubernetes.default.svc namespace: bookstack-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -170,6 +180,8 @@ spec: server: https://kubernetes.default.svc namespace: immich-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -214,6 +226,8 @@ spec: server: https://kubernetes.default.svc namespace: nextcloud-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -236,6 +250,8 @@ spec: server: https://kubernetes.default.svc namespace: outline-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -258,6 +274,8 @@ spec: server: https://kubernetes.default.svc namespace: tandoor-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -280,6 +298,8 @@ spec: server: https://kubernetes.default.svc namespace: uptimekuma-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -302,6 +322,8 @@ spec: server: https://kubernetes.default.svc namespace: vaultwarden-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -369,6 +391,8 @@ spec: server: https://kubernetes.default.svc namespace: pihole-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true @@ -397,6 +421,8 @@ spec: server: https://kubernetes.default.svc namespace: mediaserver-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true --- @@ -418,6 +444,8 @@ spec: server: https://kubernetes.default.svc namespace: calibre-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -440,6 +468,8 @@ spec: server: https://kubernetes.default.svc namespace: adventurelog-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -592,6 +622,8 @@ spec: server: https://kubernetes.default.svc namespace: termix-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -614,6 +646,8 @@ spec: server: https://kubernetes.default.svc namespace: privatebin-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -636,6 +670,8 @@ spec: server: https://kubernetes.default.svc namespace: headlamp-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -658,6 +694,8 @@ spec: server: https://kubernetes.default.svc namespace: homepage-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -680,6 +718,8 @@ spec: server: https://kubernetes.default.svc namespace: code-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -702,6 +742,8 @@ spec: server: https://kubernetes.default.svc namespace: plantit-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -724,6 +766,8 @@ spec: server: https://kubernetes.default.svc namespace: fileshare-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -746,6 +790,8 @@ spec: server: https://kubernetes.default.svc namespace: arcade-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -768,6 +814,8 @@ spec: server: https://kubernetes.default.svc namespace: workout-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -790,6 +838,8 @@ spec: server: https://kubernetes.default.svc namespace: wanderer-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -812,6 +862,8 @@ spec: server: https://kubernetes.default.svc namespace: opengist-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -834,6 +886,8 @@ spec: server: https://kubernetes.default.svc namespace: zipline-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -856,6 +910,8 @@ spec: server: https://kubernetes.default.svc namespace: crafty-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -878,6 +934,8 @@ spec: server: https://kubernetes.default.svc namespace: booking-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -900,6 +958,8 @@ spec: server: https://kubernetes.default.svc namespace: web-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -922,6 +982,8 @@ spec: server: https://kubernetes.default.svc namespace: control-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -944,6 +1006,8 @@ spec: server: https://kubernetes.default.svc namespace: glance-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -967,6 +1031,10 @@ spec: server: https://kubernetes.default.svc namespace: version-checker-system syncPolicy: + automated: + enabled: true + prune: true + selfHeal: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1033,6 +1101,8 @@ spec: server: https://kubernetes.default.svc namespace: orsi-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1075,6 +1145,8 @@ spec: server: https://kubernetes.default.svc namespace: kisfenyo-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1096,6 +1168,8 @@ spec: server: https://kubernetes.default.svc namespace: office-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1118,6 +1192,10 @@ spec: server: https://kubernetes.default.svc namespace: jarrs-system syncPolicy: + automated: + enabled: true + prune: true + selfHeal: true syncOptions: - CreateNamespace=true - PruneLast=true -- 2.52.0 From 69db2c609fb311f500b4f9b31008fabc80cd0e94 Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 07:27:15 +0200 Subject: [PATCH 2/5] renovate: switch termix rule to regex versioning (loose+extractVersion silently skipped it) Debug-level dry-run showed: Dependency ghcr.io/lukegus/termix has unsupported/unversioned value release-1.11.0 (versioning=loose) Skipping ghcr.io/lukegus/termix because no currentDigest or pinDigests `versioning: loose + extractVersion` doesn't work as intended here: Renovate evaluates the currentValue (`release-1.11.0`) against the loose parser BEFORE extractVersion is applied. loose can't parse a prefixed value, so Renovate falls back to digest-based comparison; we don't pin digests, so it silently skips and no PRs are ever opened. (Upstream has v1.11.1, v1.11.2, and a major bump to release-2.3.2 since we deployed.) Fix: use `versioning: regex:^release-(?\d+)\.(?\d+)\.(?\d+)$` which parses the whole tag including the `release-` prefix. The named major/minor/patch groups let Renovate categorize bumps correctly so the existing minor/patch automerge and major dashboard-approval rules apply normally. Co-Authored-By: Claude Opus 4.7 (1M context) --- admin-system/renovate.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml index 3e71dd9..d612f31 100644 --- a/admin-system/renovate.yaml +++ b/admin-system/renovate.yaml @@ -91,10 +91,9 @@ data: "automerge": false }, { - "description": "termix: non-semver release- tag", + "description": "termix: non-semver release-X.Y.Z tag (regex versioning parses the whole tag incl. prefix; loose+extractVersion silently skips because currentValue fails the loose parser before extractVersion is applied)", "matchPackageNames": ["ghcr.io/lukegus/termix"], - "versioning": "loose", - "extractVersion": "^release-(?.+)$" + "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$" }, { "description": "wanderer: db + web update together in one PR", -- 2.52.0 From 6ee7d83f66f8ffbdda920e0564fac51e35d92bcc Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 07:37:40 +0200 Subject: [PATCH 3/5] renovate: set minimumReleaseAgeBehaviour=timestamp-optional Debug dry-run revealed why termix (and reloader/homepage/headlamp 8d ago) sit in "Pending Status Checks" indefinitely: Marking 2 release(s) as pending, as they do not have a releaseTimestamp and we're running with minimumReleaseAgeBehaviour=timestamp-required "depName": "ghcr.io/lukegus/termix" "versions": ["release-1.11.2", "release-1.11.1"] "check": "minimumReleaseAge" ghcr.io OCI manifests for these images don't expose a release timestamp Renovate can read, so the default `timestamp-required` mode turns the 3-day stability gate into an INFINITE hold for ghcr.io packages -- silently. PRs are never opened. Switching to `timestamp-optional` (other supported value per Renovate source: lib/config/options/index.ts) makes the gate best-effort: the 3-day window is still enforced for any package the datasource gives a timestamp for; packages without a timestamp are allowed through. Restores intended behavior. Co-Authored-By: Claude Opus 4.7 (1M context) --- admin-system/renovate.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml index d612f31..e2e7dd2 100644 --- a/admin-system/renovate.yaml +++ b/admin-system/renovate.yaml @@ -46,6 +46,7 @@ data: "dependencyDashboardTitle": "Renovate Dependency Dashboard", "prHourlyLimit": 8, "prConcurrentLimit": 8, + "minimumReleaseAgeBehaviour": "timestamp-optional", "enabledManagers": ["kubernetes", "helm-values"], "kubernetes": { "managerFilePatterns": ["/.+\\.ya?ml$/"] -- 2.52.0 From 628a63da83ed4c7f1be7db73eabffd27fc35695f Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 07:43:37 +0200 Subject: [PATCH 4/5] renovate: revert global timestamp-optional; narrowly bypass age gate for termix Last commit's global `minimumReleaseAgeBehaviour: timestamp-optional` did two unwanted things: 1) Dry-run showed 0 "Would commit" branches (was 33 before). The flag appears to alter Renovate's filtering more broadly than expected and is not the right knob here. 2) Automated security review correctly flagged the global form as fail-open: a missing timestamp on ANY package would bypass the stability gate, weakening supply-chain protection across the fleet. Narrow fix instead: - Revert the global setting (back to default `timestamp-required`). - Add `minimumReleaseAge: "0 days"` ONLY to the termix packageRule. ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a release timestamp Renovate can read, so the global 3-day gate would otherwise hold updates indefinitely (this is the same class of issue that's been keeping reloader/homepage/headlamp on "Pending Status Checks" for 8+ days). Major bumps still gated by the global major rule (`dependencyDashboardApproval: true`). Other ghcr.io packages with the same issue (reloader, homepage, headlamp) remain on the dashboard's "Pending Status Checks" list and can be force-approved per-update via the checkbox UX. That's a slower but safer manual-approval path that preserves the supply-chain gate's intent. Co-Authored-By: Claude Opus 4.7 (1M context) --- admin-system/renovate.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml index e2e7dd2..e395b5c 100644 --- a/admin-system/renovate.yaml +++ b/admin-system/renovate.yaml @@ -46,7 +46,6 @@ data: "dependencyDashboardTitle": "Renovate Dependency Dashboard", "prHourlyLimit": 8, "prConcurrentLimit": 8, - "minimumReleaseAgeBehaviour": "timestamp-optional", "enabledManagers": ["kubernetes", "helm-values"], "kubernetes": { "managerFilePatterns": ["/.+\\.ya?ml$/"] @@ -92,9 +91,10 @@ data: "automerge": false }, { - "description": "termix: non-semver release-X.Y.Z tag (regex versioning parses the whole tag incl. prefix; loose+extractVersion silently skips because currentValue fails the loose parser before extractVersion is applied)", + "description": "termix: regex versioning parses the release-X.Y.Z prefix; minimumReleaseAge:0 bypasses the stability gate because ghcr.io OCI manifests for this image don't expose a release timestamp (timestamp-required mode otherwise holds it forever). Major bumps still queue for dashboard approval via the global major rule.", "matchPackageNames": ["ghcr.io/lukegus/termix"], - "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$" + "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$", + "minimumReleaseAge": "0 days" }, { "description": "wanderer: db + web update together in one PR", -- 2.52.0 From 24be0b45fdaafc898c3ce9adb8dcaf76fa52f4a0 Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 07:53:50 +0200 Subject: [PATCH 5/5] renovate: termix uses github-releases datasource (restores 3-day gate) Replaces the security-flagged `minimumReleaseAge: 0` bypass with a proper datasource swap. Why: ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a release timestamp, so Renovate's default `timestamp-required` mode holds updates indefinitely. The previous fix (zeroing the gate) was flagged as a supply-chain control regression -- correctly, since it weakens the stability protection for that package. Cleaner fix: point Renovate's version lookup at the upstream GitHub Releases (Termix-SSH/Termix per the OCI source label) where timestamps ARE published. The 3-day gate then works for termix the same way it works for other packages with intact timestamps. Renovate still updates the same image -- the manager extracts ghcr.io/lukegus/termix from termix.yaml and writes the new tag back; only the version-source lookup is redirected. The ghcr.io registry hosts every release-X.Y.Z tag (verified release-2.3.2 present), so the writeback target stays valid. Major bumps (1.x -> 2.x) continue to queue for dashboard approval via the global major rule. Co-Authored-By: Claude Opus 4.7 (1M context) --- admin-system/renovate.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml index e395b5c..49f099c 100644 --- a/admin-system/renovate.yaml +++ b/admin-system/renovate.yaml @@ -91,10 +91,11 @@ data: "automerge": false }, { - "description": "termix: regex versioning parses the release-X.Y.Z prefix; minimumReleaseAge:0 bypasses the stability gate because ghcr.io OCI manifests for this image don't expose a release timestamp (timestamp-required mode otherwise holds it forever). Major bumps still queue for dashboard approval via the global major rule.", + "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).", "matchPackageNames": ["ghcr.io/lukegus/termix"], - "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$", - "minimumReleaseAge": "0 days" + "datasource": "github-releases", + "packageName": "Termix-SSH/Termix", + "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$" }, { "description": "wanderer: db + web update together in one PR", -- 2.52.0