fix: add render-template workflow and deduplicate Renovate detection

.github/renovate.json

@@ -7,12 +7,6 @@
   "gitAuthor": "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>",
   "minimumReleaseAge": "14 days",
   "customManagers": [
-    {
-      "customType": "regex",
-      "managerFilePatterns": ["/\\.github/workflows/.*\\.yaml$/"],
-      "matchStrings": ["uses:\\s+(?<depName>[\\w-]+/[\\w-]+)@(?<currentDigest>[a-f0-9]+)\\s+#\\s+(?<currentValue>v[\\S]+)"],
-      "datasourceTemplate": "github-releases"
-    },
     {
       "customType": "regex",
       "description": "Update SHA-pinned actions in .jinja template files",
@@ -22,10 +16,9 @@
     },
     {
       "customType": "regex",
-      "description": "Update copier-flake ref in Nix flake inputs",
+      "description": "Update SHA-pinned Nix flake inputs in template files",
       "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"],
-      "matchStrings": ["github:gordon-code/copier-flake/(?<currentDigest>[a-f0-9]+).*#\\s*(?<currentValue>v[\\S]+)"],
-      "depNameTemplate": "gordon-code/copier-flake",
+      "matchStrings": ["github:(?<depName>[\\w-]+/[\\w-]+)/(?<currentDigest>[a-f0-9]+).*#\\s*(?<currentValue>v[\\S]+)"],
       "datasourceTemplate": "github-releases"
     }
   ],
@@ -39,6 +32,11 @@
       "matchUpdateTypes": ["major"],
       "groupName": "major dependencies",
       "groupSlug": "major"
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchFileNames": ["template/**"],
+      "enabled": false
     }
   ]
 }

.github/workflows/render-template.yaml

@@ -0,0 +1,53 @@
+# Template-repo only: re-renders root files after Renovate updates includes/template
+name: Render Template
+
+on:
+  push:
+    branches: ['renovate/**']
+    paths: ['includes/**', 'template/**']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  render:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.ref }}
+          token: ${{ secrets.RENOVATE_TOKEN }}
+
+      - uses: ./.github/actions/nix-setup
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Re-render from template
+        run: nix develop -c just render
+
+      - name: Update flake lock if inputs changed
+        run: |
+          if ! git diff --quiet flake.nix; then
+            nix flake lock
+          fi
+
+      - name: Restore copier answers
+        run: git restore .copier-answers.yaml
+
+      - name: Commit and push if changed
+        run: |
+          if [ -n "$(git status --porcelain)" ]; then
+            git add -A
+            git commit -m "chore: re-render root files from updated template"
+            git push
+          fi

includes/renovate-template.jinja

@@ -8,10 +8,9 @@
     },
     {
       "customType": "regex",
-      "description": "Update copier-flake ref in Nix flake inputs",
+      "description": "Update SHA-pinned Nix flake inputs in template files",
       "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"],
-      "matchStrings": ["github:gordon-code/copier-flake/(?<currentDigest>[a-f0-9]+).*#\\s*(?<currentValue>v[\\S]+)"],
-      "depNameTemplate": "gordon-code/copier-flake",
+      "matchStrings": ["github:(?<depName>[\\w-]+/[\\w-]+)/(?<currentDigest>[a-f0-9]+).*#\\s*(?<currentValue>v[\\S]+)"],
       "datasourceTemplate": "github-releases"
     }
 {% endif %}

justfile

@@ -24,6 +24,7 @@ render:
 	git show HEAD:lib/nix/project.nix > lib/nix/project.nix 2>/dev/null || true
 	git show HEAD:justfile > justfile 2>/dev/null || true
 	git show HEAD:.gitignore > .gitignore 2>/dev/null || true
+	git show HEAD:.github/workflows/render-template.yaml > .github/workflows/render-template.yaml 2>/dev/null || true
 
 # Run unit tests
 test:

template/.github/renovate.json.jinja

@@ -7,12 +7,6 @@
   "gitAuthor": "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>",
   "minimumReleaseAge": "14 days",
   "customManagers": [
-    {
-      "customType": "regex",
-      "managerFilePatterns": ["/\\.github/workflows/.*\\.yaml$/"],
-      "matchStrings": ["uses:\\s+(?<depName>[\\w-]+/[\\w-]+)@(?<currentDigest>[a-f0-9]+)\\s+#\\s+(?<currentValue>v[\\S]+)"],
-      "datasourceTemplate": "github-releases"
-    }{{ ',' if _is_template else '' }}
 {% include pathjoin("includes", "renovate-template.jinja") ignore missing %}
   ],
   "packageRules": [
@@ -25,6 +19,13 @@
       "matchUpdateTypes": ["major"],
       "groupName": "major dependencies",
       "groupSlug": "major"
+    }{{ ',' if _is_template else '' }}
+{% if _is_template %}
+    {
+      "matchManagers": ["github-actions"],
+      "matchFileNames": ["template/**"],
+      "enabled": false
     }
+{% endif %}
   ]
 }

tests/test_rendering.py

@@ -287,6 +287,16 @@ def test_renovate_has_template_config(generated_template_project):
     assert template_managers, "No template-specific customManagers found"
 
 
+def test_renovate_template_suppresses_builtin_gha(generated_template_project):
+    """Template repo disables built-in github-actions manager for template paths."""
+    data = parse_json(generated_template_project / ".github" / "renovate.json")
+    rules = data.get("packageRules", [])
+    gha_rule = [r for r in rules if r.get("matchManagers") == ["github-actions"]]
+    assert gha_rule, "No packageRule suppressing github-actions for template paths"
+    assert gha_rule[0].get("matchFileNames") == ["template/**"]
+    assert gha_rule[0].get("enabled") is False
+
+
 def test_no_consistency_job_default(generated_github_project):
     """Default projects have no consistency job in pr-checks."""
     assert "consistency" not in (generated_github_project / ".github" / "workflows" / "pr-checks.yaml").read_text()