Merge branch 'main' into refactor/packagist-datasource

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM containerbase/node:14.18.3@sha256:bac890a8a240489b42b45cdde56268652a925e2e52f26e15142a44f42f444153
+FROM containerbase/node:14.19.0@sha256:6e01bce4be8264a98892ba8029536779d73f8d90da6f8d1a121bff0c58820131
 
 
 # renovate: datasource=npm

.github/codeql/codeql-config.yml

@@ -1,2 +1,3 @@
 paths-ignore:
-  - /__fixtures__/**
+  - '**/__fixtures__/'
+  - /opt/hostedtoolcache

.github/contributing.md

@@ -32,6 +32,8 @@ This makes it harder for us to review your work because we don't know what has c
 PRs will always be squashed by us when we merge your work.
 Commit as many times as you need in your pull request branch.
 
+If you are updating your PR branch from within the GitHub PR interface, then only use the default "Update branch" button.
+
 Force pushing a PR is OK when:
 
 - you need to make large changes on a PR which require a full review anyway

.github/workflows/codeql-analysis.yml

@@ -26,17 +26,18 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8b37404d562d866ad6a65d0ecb4fa5131e047ca4 # renovate: tag=v1.0.30
+        uses: github/codeql-action/init@1a927e9307bc11970b2c679922ebc4d03a5bd980 # renovate: tag=v1.0.31
         with:
           config-file: ./.github/codeql/codeql-config.yml
+          languages: javascript
 
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@8b37404d562d866ad6a65d0ecb4fa5131e047ca4 # renovate: tag=v1.0.30
+        uses: github/codeql-action/autobuild@1a927e9307bc11970b2c679922ebc4d03a5bd980 # renovate: tag=v1.0.31
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -50,4 +51,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8b37404d562d866ad6a65d0ecb4fa5131e047ca4 # renovate: tag=v1.0.30
+        uses: github/codeql-action/analyze@1a927e9307bc11970b2c679922ebc4d03a5bd980 # renovate: tag=v1.0.31

codecov.yml

@@ -1,4 +1,4 @@
-comment: off
+comment: false
 codecov:
   require_ci_to_pass: false
   notify:

docs/usage/configuration-options.md

@@ -466,6 +466,19 @@ If configured to `true`, then dependency extraction will be done using the relev
 
 This option applies only to the `gradle` manager.
 
+## defaultRegistryUrls
+
+Override a datasource's default registries with this config option.
+The datasources's `customRegistrySupport` value must be `true` for the config option to work.
+
+Default registries are only used when both:
+
+- The manager did not extract any `registryUrls` values, and
+- No `registryUrls` values have been applied via config, such as `packageRules`
+
+Think of `defaultRegistryUrls` as a way to specify the "fallback" registries for a datasource, for use when no `registryUrls` are extracted or configured.
+Compare that to `registryUrls`, which are a way to _override_ registries.
+
 ## dependencyDashboard
 
 Starting from version `v26.0.0` the "Dependency Dashboard" is enabled by default as part of the commonly-used `config:base` preset.
@@ -2042,6 +2055,7 @@ Behavior:
 - `replace` = Replace the range with a newer one if the new version falls outside it, and update nothing otherwise
 - `widen` = Widen the range with newer one, e.g. `^1.0.0` -> `^1.0.0 || ^2.0.0`
 - `update-lockfile` = Update the lock file when in-range updates are available, otherwise `replace` for updates out of range. Works for `bundler`, `composer`, `npm`, `yarn`, `terraform` and `poetry` so far
+- `in-range-only` = Update the lock file when in-range updates are available, ignore package file updates
 
 Renovate's `"auto"` strategy works like this for npm:
 
@@ -2059,6 +2073,11 @@ If instead you'd prefer to be updated to `^1.2.0` in cases like this, then confi
 
 This feature supports simple caret (`^`) and tilde (`~`) ranges only, like `^1.0.0` and `~1.0.0`.
 
+The `in-range-only` strategy may be useful if you want to leave the package file unchanged and only do `update-lockfile` within the existing range.
+The `in-range-only` strategy behaves like `update-lockfile`, but discards any updates where the new version of the dependency is not equal to the current version.
+We recommend you avoid using the `in-range-only` strategy unless you strictly need it.
+Using the `in-range-only` strategy may result in you being multiple releases behind without knowing it.
+
 ## rebaseLabel
 
 On supported platforms it is possible to add a label to a PR to manually request Renovate to recreate/rebase it.

docs/usage/docker.md

@@ -229,7 +229,7 @@ To get access to the token a custom Renovate Docker image is needed that include
 The Dockerfile to create such an image can look like this:
 
 ```Dockerfile
-FROM renovate/renovate:31.49.0
+FROM renovate/renovate:31.63.2
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/getting-started/running.md

@@ -88,7 +88,7 @@ Because of how it works, it functions on public repositories only and additional
 
 ##### Benefits
 
-Forking Renovate needs only `read` level access to any repository it runs on.
+Forking Renovate needs only `read` level access to the code of any repository it runs on.
 
 ##### Drawbacks
 

docs/usage/self-hosted-configuration.md

@@ -135,6 +135,7 @@ This mode means that Renovate will dynamically install the version of tools avai
 Supported tools for dynamic install are:
 
 - `composer`
+- `flux`
 - `jb`
 - `npm`
 

lib/config/options/index.ts

@@ -774,6 +774,17 @@ const options: RenovateOptions[] = [
     },
     supportedManagers: ['helm-requirements', 'helmv3', 'helmfile'],
   },
+  {
+    name: 'defaultRegistryUrls',
+    description:
+      'List of registry URLs to use as the default for a datasource.',
+    type: 'array',
+    subType: 'string',
+    default: null,
+    stage: 'branch',
+    cli: false,
+    env: false,
+  },
   {
     name: 'registryUrls',
     description:
@@ -1158,6 +1169,7 @@ const options: RenovateOptions[] = [
       'replace',
       'widen',
       'update-lockfile',
+      'in-range-only',
     ],
     cli: false,
     env: false,

lib/config/presets/internal/workarounds.ts

@@ -8,6 +8,7 @@ export const presets: Record<string, Preset> = {
     extends: [
       'workarounds:mavenCommonsAncientVersion',
       'workarounds:ignoreSpringCloudNumeric',
+      'workarounds:ignoreWeb3jCoreWithOldReleaseTimestamp',
       'workarounds:ignoreHttp4sDigestMilestones',
       'workarounds:typesNodeVersioning',
       'workarounds:reduceRepologyServerLoad',
@@ -35,6 +36,16 @@ export const presets: Record<string, Preset> = {
       },
     ],
   },
+  ignoreWeb3jCoreWithOldReleaseTimestamp: {
+    description: 'Ignore web3j 5.0.0 release',
+    packageRules: [
+      {
+        matchDatasources: ['maven'],
+        matchPackageNames: ['org.web3j:core'],
+        allowedVersions: '!/^5\\.0\\.0/',
+      },
+    ],
+  },
   ignoreHttp4sDigestMilestones: {
     description: 'Ignore http4s digest-based 1.x milestones',
     packageRules: [

lib/config/secrets.spec.ts

@@ -133,5 +133,35 @@ describe('config/secrets', () => {
       });
       expect(Object.keys(res)).toContain('secrets');
     });
+    it('{} as secrets will result in an error', () => {
+      const config = {
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['{{ secrets.SECRET_MANAGER }}'],
+      };
+      expect(() => applySecretsToConfig(config, {}, false)).toThrow(
+        CONFIG_VALIDATION
+      );
+    });
+    it('undefined as secrets will result replace the secret', () => {
+      const config = {
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['{{ secrets.SECRET_MANAGER }}'],
+      };
+      const res = applySecretsToConfig(config, undefined, false);
+      expect(res).toStrictEqual({
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['npm'],
+      });
+      expect(Object.keys(res)).toContain('secrets');
+    });
+    it('null as secrets will result in an error', () => {
+      const config = {
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['{{ secrets.SECRET_MANAGER }}'],
+      };
+      expect(() => applySecretsToConfig(config, null, false)).toThrow(
+        CONFIG_VALIDATION
+      );
+    });
   });
 });

lib/config/types.ts

@@ -204,6 +204,7 @@ export interface RenovateConfig
   prConcurrentLimit?: number;
   prHourlyLimit?: number;
 
+  defaultRegistryUrls?: string[];
   registryUrls?: string[];
 
   repoIsOnboarded?: boolean;

lib/constants/platform.spec.ts

@@ -5,6 +5,8 @@ import { GitlabPackagesDatasource } from '../datasource/gitlab-packages';
 import { GitlabReleasesDatasource } from '../datasource/gitlab-releases';
 import { id as GL_TAGS_DS } from '../datasource/gitlab-tags';
 import { id as POD_DS } from '../datasource/pod';
+import { id as GITHUB_CHANGELOG_ID } from '../workers/pr/changelog/github';
+import { id as GITLAB_CHANGELOG_ID } from '../workers/pr/changelog/gitlab';
 import {
   BITBUCKET_API_USING_HOST_TYPES,
   GITHUB_API_USING_HOST_TYPES,
@@ -21,6 +23,9 @@ describe('constants/platform', () => {
     expect(
       GITLAB_API_USING_HOST_TYPES.includes(GitlabPackagesDatasource.id)
     ).toBeTrue();
+    expect(
+      GITLAB_API_USING_HOST_TYPES.includes(GITLAB_CHANGELOG_ID)
+    ).toBeTrue();
     expect(GITLAB_API_USING_HOST_TYPES.includes(PlatformId.Gitlab)).toBeTrue();
   });
 
@@ -32,6 +37,9 @@ describe('constants/platform', () => {
     expect(GITHUB_API_USING_HOST_TYPES.includes(GH_TAGS_DS)).toBeTrue();
     expect(GITHUB_API_USING_HOST_TYPES.includes(GH_RELEASES_DS)).toBeTrue();
     expect(GITHUB_API_USING_HOST_TYPES.includes(POD_DS)).toBeTrue();
+    expect(
+      GITHUB_API_USING_HOST_TYPES.includes(GITHUB_CHANGELOG_ID)
+    ).toBeTrue();
     expect(GITHUB_API_USING_HOST_TYPES.includes(PlatformId.Github)).toBeTrue();
   });
 

lib/constants/platforms.ts

@@ -13,13 +13,15 @@ export const GITHUB_API_USING_HOST_TYPES = [
   'github-releases',
   'github-tags',
   'pod',
+  'github-changelog',
 ];
 
 export const GITLAB_API_USING_HOST_TYPES = [
   PlatformId.Gitlab,
   'gitlab-releases',
   'gitlab-tags',
   'gitlab-packages',
+  'gitlab-changelog',
 ];
 
 export const BITBUCKET_API_USING_HOST_TYPES = [

lib/datasource/api.ts

@@ -16,7 +16,8 @@ import * as githubTags from './github-tags';
 import { GitlabPackagesDatasource } from './gitlab-packages';
 import { GitlabReleasesDatasource } from './gitlab-releases';
 import * as gitlabTags from './gitlab-tags';
-import * as go from './go';
+import { GoDatasource } from './go';
+import { GolangVersionDatasource } from './golang-version';
 import { GradleVersionDatasource } from './gradle-version';
 import { HelmDatasource } from './helm';
 import { HexDatasource } from './hex';
@@ -57,16 +58,17 @@ api.set('git-tags', new GitTagsDatasource());
 api.set('github-releases', githubReleases);
 api.set('github-tags', githubTags);
 api.set('gitlab-packages', new GitlabPackagesDatasource());
-api.set('gitlab-tags', gitlabTags);
 api.set(GitlabReleasesDatasource.id, new GitlabReleasesDatasource());
-api.set('go', go);
+api.set('gitlab-tags', gitlabTags);
+api.set('go', new GoDatasource());
+api.set('golang-version', new GolangVersionDatasource());
 api.set('gradle-version', new GradleVersionDatasource());
 api.set('helm', new HelmDatasource());
 api.set('hex', new HexDatasource());
 api.set('jenkins-plugins', new JenkinsPluginsDatasource());
 api.set('maven', maven);
-api.set('npm', npm);
 api.set(NodeDatasource.id, new NodeDatasource());
+api.set('npm', npm);
 api.set('nuget', nuget);
 api.set('orb', new OrbDatasource());
 api.set('packagist', new PackagistDatasource());