From b81303cf07852b7ee27da672e863c1a495842a4d Mon Sep 17 00:00:00 2001
From: Marius van Niekerk <marius.v.niekerk@gmail.com>
Date: Thu, 11 Jun 2026 10:17:14 -0400
Subject: [PATCH] Add Renovate dependency updates

Renovate is now the dependency-update path used by roborev, and kit should follow the same workflow instead of relying on Dependabot-style configuration. Keeping the managers explicit limits automated PRs to the dependency surfaces this repo actually has today: pinned GitHub Actions and Go modules.

Go dependency updates are grouped and run through gomodTidy so generated PRs are easier to review and leave module metadata consistent. Vulnerability alerts stay immediate while normal updates retain the release-age buffer from the roborev config.

Validation: jq . renovate.json

Generated with Codex
Co-authored-by: Marius van Niekerk <mariusvniekerk@users.noreply.github.com>
---
 renovate.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 renovate.json

diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..6212bb6
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,23 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "dependencyDashboard": true,
+  "enabledManagers": ["github-actions", "gomod"],
+  "osvVulnerabilityAlerts": true,
+  "minimumReleaseAge": "7 days",
+  "minimumReleaseAgeBehaviour": "timestamp-required",
+  "prCreation": "not-pending",
+  "internalChecksFilter": "strict",
+  "vulnerabilityAlerts": {
+    "minimumReleaseAge": null,
+    "prCreation": "immediate"
+  },
+  "packageRules": [
+    {
+      "matchManagers": ["gomod"],
+      "groupName": "Go dependencies",
+      "groupSlug": "go-dependencies",
+      "postUpdateOptions": ["gomodTidy"]
+    }
+  ]
+}