Add Renovate for automated tool updates

.github/workflows/build.yml

@@ -1,7 +1,6 @@
 name: Build and Release
 
 on:
-  workflow_call:
   push:
     branches: [main]
   pull_request:
@@ -12,62 +11,40 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 
   complete:
     if: always()
-    needs: [cargo, go]
+    needs: [prepare, cargo, go]
     runs-on: ubuntu-latest
     steps:
     - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
       run: exit 1
 
+  prepare:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      cargo: ${{ steps.matrix.outputs.cargo }}
+      go: ${{ steps.matrix.outputs.go }}
+    steps:
+    - uses: actions/checkout@v5
+    - id: matrix
+      run: |
+        echo "cargo=$(jq -c '.' tools-cargo.json)" >> "$GITHUB_OUTPUT"
+        echo "go=$(jq -c '.' tools-go.json)" >> "$GITHUB_OUTPUT"
+
   cargo:
+    needs: prepare
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        crate:
-        - name: cargo-expand
-          version: '1.0.116'
-        - name: cargo-workspaces
-          version: '0.2.35'
-        - name: cargo-workspaces
-          version: '0.3.6'
-        - name: cargo-hack
-          version: '0.6.44'
-        - name: cargo-set-rust-version
-          version: '0.5.0'
-        - name: cargo-edit
-          version: '0.11.6'
-        - name: cargo-fuzz
-          version: '0.13.1'
-        - name: cargo-deny
-          version: '0.14.19'
-          rust: '1.79.0'
-        - name: cargo-deny
-          version: '0.19.0'
-        - name: cargo-cache
-          version: '0.8.3'
-        - name: cargo-sweep
-          version: '0.7.0'
-        - name: cargo-readme
-          version: '3.3.1'
-        - name: cargo-semver-checks
-          version: '0.46.0'
-        - name: cargo-public-api
-          version: '0.33.1'
-        - name: cargo-nextest
-          version: '0.9.105'
-        - name: wasm-pack
-          version: '0.13.0'
-        - name: wasm-bindgen-cli
-          version: '0.2.92'
-        - name: check-lockfile-intersection
-          version: '0.1.0'
-        - name: wasm-cs
-          version: '1.0.0'
-        - name: sccache
-          version: '0.14.0'
+        crate: ${{ fromJSON(needs.prepare.outputs.cargo) }}
         runs-on:
         - ubuntu-latest # amd64
         - ubuntu-22.04-arm # arm64
@@ -111,13 +88,13 @@ jobs:
         path: '*.tar.gz'
 
   go:
+    needs: prepare
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        package:
-        - name: actionlint
-          import-path: github.com/rhysd/actionlint/cmd/actionlint
-          version: '1.7.1'
+        package: ${{ fromJSON(needs.prepare.outputs.go) }}
         runs-on:
         - ubuntu-latest # amd64
         - ubuntu-22.04-arm # arm64
@@ -158,6 +135,8 @@ jobs:
     if: github.ref_name == 'main'
     needs: complete
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - uses: actions/checkout@v6
       with:
@@ -174,6 +153,8 @@ jobs:
     if: github.ref_name == 'main'
     needs: release-create
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - uses: actions/download-artifact@v8
     - run: gh release -R ${{ github.repository }} upload --clobber "${{ needs.release-create.outputs.tag }}" **/*.tar.gz
@@ -183,6 +164,8 @@ jobs:
   release-test:
     if: github.ref_name == 'main'
     needs: [release-create, release-upload]
+    permissions:
+      contents: read
     strategy:
       matrix:
         runs-on:

.github/workflows/renovate.yml

@@ -0,0 +1,34 @@
+name: Renovate
+
+on:
+  schedule:
+  - cron: '0 6 * * *' # daily, 06:00 UTC
+  workflow_dispatch:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+
+  renovate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@v5
+    - uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 #v46.1.14
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        configurationFile: renovate.json5
+      env:
+        RENOVATE_REPOSITORIES: ${{ github.repository }}
+        RENOVATE_BASE_BRANCH_PATTERNS: '["${{ github.head_ref || github.ref_name }}"]'
+        RENOVATE_REQUIRE_CONFIG: optional
+        RENOVATE_ONBOARDING: 'false'
+        RENOVATE_DRY_RUN: ${{ github.event_name == 'pull_request' && 'full' || '' }}
+        LOG_LEVEL: ${{ github.event_name == 'pull_request' && 'debug' || 'info' }}

renovate.json5

@@ -0,0 +1,52 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: ['config:recommended'],
+
+  // Only manage the tool versions in tools/tools.json. Action `uses:` pins are
+  // handled by Dependabot (.github/dependabot.yml), so leave every other
+  // manager off to avoid the two bots fighting.
+  enabledManagers: ['custom.jsonata'],
+
+  // Hold every update until the release is at least 1 month old, and always
+  // target the newest version that passes that age check rather than the
+  // absolute latest (so we never jump onto a brand-new release).
+  minimumReleaseAge: '1 month',
+  internalChecksFilter: 'strict',
+
+  customManagers: [
+    {
+      // cargo tools built via `cargo install`. Parsed as structured JSON, so an
+      // optional `auto-update` flag anywhere in the entry is captured as the
+      // depType (see packageRules below) regardless of field order.
+      customType: 'jsonata',
+      fileFormat: 'json',
+      managerFilePatterns: ['/^tools-cargo\\.json$/'],
+      matchStrings: [
+        '$.{ "depName": name, "currentValue": version, "depType": $string(`auto-update`) }',
+      ],
+      datasourceTemplate: 'crate',
+    },
+    {
+      // go tools built via `go install`. depName is the module root (first three
+      // path segments of import-path); version is stored without a leading `v`.
+      customType: 'jsonata',
+      fileFormat: 'json',
+      managerFilePatterns: ['/^tools-go\\.json$/'],
+      matchStrings: [
+        '$.{ "depName": $join($split(`import-path`, "/")[[0..2]], "/"), "currentValue": version, "depType": $string(`auto-update`) }',
+      ],
+      datasourceTemplate: 'go',
+      extractVersionTemplate: '^v?(?<version>.+)$',
+    },
+  ],
+
+  packageRules: [
+    {
+      // Freeze a tool by setting "auto-update": false on its entry in
+      // tools/tools.json; that flag is captured as the depType above and
+      // disabled here, so Renovate never proposes updates for it.
+      matchDepTypes: ['false'],
+      enabled: false,
+    },
+  ],
+}

tools-cargo.json

@@ -0,0 +1,22 @@
+[
+  { "name": "cargo-expand", "version": "1.0.116" },
+  { "name": "cargo-workspaces", "version": "0.2.35", "auto-update": false },
+  { "name": "cargo-workspaces", "version": "0.3.6" },
+  { "name": "cargo-hack", "version": "0.6.44" },
+  { "name": "cargo-set-rust-version", "version": "0.5.0" },
+  { "name": "cargo-edit", "version": "0.11.6" },
+  { "name": "cargo-fuzz", "version": "0.13.1" },
+  { "name": "cargo-deny", "version": "0.14.19", "rust": "1.79.0", "auto-update": false },
+  { "name": "cargo-deny", "version": "0.19.0" },
+  { "name": "cargo-cache", "version": "0.8.3" },
+  { "name": "cargo-sweep", "version": "0.7.0" },
+  { "name": "cargo-readme", "version": "3.3.1" },
+  { "name": "cargo-semver-checks", "version": "0.46.0" },
+  { "name": "cargo-public-api", "version": "0.33.1" },
+  { "name": "cargo-nextest", "version": "0.9.105" },
+  { "name": "wasm-pack", "version": "0.13.0" },
+  { "name": "wasm-bindgen-cli", "version": "0.2.92" },
+  { "name": "check-lockfile-intersection", "version": "0.1.0" },
+  { "name": "wasm-cs", "version": "1.0.0", "auto-update": false },
+  { "name": "sccache", "version": "0.14.0" }
+]

tools-go.json

@@ -0,0 +1,3 @@
+[
+  { "name": "actionlint", "import-path": "github.com/rhysd/actionlint/cmd/actionlint", "version": "1.7.1" }
+]