If this also doesnt work we need to revert it ig
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Syncs `type/*` and `pr/breaking` labels from the PR title (Conventional
Commits) and folds the existing title lint into the same workflow so
labeling only runs once the title is valid.
- `tools/pr-title.ts`: shared title parser and label mapping.
- `tools/set-pr-labels.ts`: adds/removes labels via the GitHub API.
`type/*` and `pr/breaking` are fully synced (added and removed);
`skip-changelog` (chore/ci) and `topic/build` (build) are only added,
never auto-removed, so manual labeling is preserved.
- `pull-labeler.yml` now hosts `lint-pr-title` and `set-pr-labels`
(`needs: lint-pr-title`) under `pull_request_target`, required so fork
PRs get a writable token. Base-branch checkout only; no PR-head code
runs in the elevated context.
- Removes the superseded `pull-pr-title.yml` and the CI-only
`lint-pr-title` Makefile target.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Replaces Dependabot with Renovate. The new setup:
- One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool
pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a
5-day release-age cooldown. Vulnerability PRs ship next-day via daily
cron + Renovate's `vulnerabilityAlerts` schedule bypass.
- All `uses:` action refs SHA-pinned with patch-level version comments
(same format as #36971, which this supersedes);
`helpers:pinGitHubActionDigests` keeps future bumps in that format.
- `renovatebot/github-action` runtime image pinned via the
upstream-recommended `RENOVATE_VERSION` env + magic comment +
`customManagers:githubActionsVersions` preset, so Renovate keeps the pin
updated.
- Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>`
lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and
groups them into the same Go PR via `matchDatasources: ["go"]`.
- Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`)
and the SVG sprite (`make svg`), gated by an env-level command
allowlist.
- Replaces the standalone `cron-flake-updater` workflow — Renovate's nix
manager tracks `flake.nix` inputs and produces the same `flake.lock`
bump PRs on the regular weekly schedule.
- npm and gomod-replace pins live in `renovate.json5` only;
`updates@17.16.3` reads them from there too, so the standalone
`updates.config.ts` is gone and one source of truth covers both tools.
Fixes: https://github.com/go-gitea/gitea/issues/33386
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Updated to actions/labeler@v5
Updated labeler config accordingly, also improved the config and added
more labels.
---------
Co-authored-by: Giteabot <teabot@gitea.io>
Alternative to https://github.com/go-gitea/gitea/pull/27439. Removes a
few spammy labels, and disables `sync-labels` which make it never remove
labels (which is default behaviour).
