From aa5c6ed76a57625e22a43bb385907f911fb4111c Mon Sep 17 00:00:00 2001
From: bussyjd <145845+bussyjd@users.noreply.github.com>
Date: Wed, 17 Jun 2026 16:57:45 +0400
Subject: [PATCH] chore(renovate): enable gomod + OSV vuln alerts; automerge patches (not aztec)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three Renovate flow fixes surfaced while auditing why image pins drift:

- Enable the `gomod` manager. It was excluded by `enabledManagers`, so all ~121 direct Go dependencies got zero updates — the likely source of the open Dependabot vulnerabilities on the default branch.
- Turn on vulnerability-driven PRs via `osvVulnerabilityAlerts` (OSV database, works without the GitHub Dependabot-alerts permission the dashboard reports as missing) plus an explicit `vulnerabilityAlerts` block with security labels.
- Auto-merge `patch`-level updates once required checks pass (`automerge` + `platformAutomerge`), so low-risk bumps stop piling up as unmerged PRs.

Aztec is explicitly excluded (fast-moving testnet — nightly tags / frequent majors), always reviewed.

No change to the existing custom managers or the major-update approval gates (frontend / hermes / remote-signer stay dashboard-gated).
---
 renovate.json | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 81ad5e39..159df602 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,8 +5,14 @@
 ],
 "enabledManagers": [
 "custom.regex",
- "github-actions"
+ "github-actions",
+ "gomod"
 ],
+ "osvVulnerabilityAlerts": true,
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["security", "renovate/security"]
+ },
 "customManagers": [
 {
 "customType": "regex",
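Review bot: The `vulnerabilityAlerts` block on the new side turns on GitHub-sourced alerts, yet the commit description itself says the Dependabot-alerts permission is missing, so `"enabled": true` (already Renovate's default) will produce nothing until the app is granted that permission and OSV stays the only effective feed. Record that in the config so nobody assumes two feeds are live, e.g. add `"description": "GitHub-sourced alerts need the Dependabot-alerts app permission; until it is granted, OSV (osvVulnerabilityAlerts) is the only feed."` inside the block, and track the permission fix separately. As far as I can tell, vulnerability-driven PRs are still matched by ordinary `packageRules`, so a patch-level security fix will be auto-merged by the patch rule added in this same patch while a minor/major fix will wait for review; if security fixes should behave differently from routine bumps (always reviewed, or merged regardless of level), state it here explicitly, e.g. `"automerge": false`, rather than inheriting the general rule.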
@@ -434,6 +440,21 @@
 ],
 "groupName": "Aztec node updates",
 "groupSlug": "aztec-node"
+ },
+ {
+ "description": "Auto-merge patch-level updates (low risk) once CI passes. Platform auto-merge waits for required checks; aztec is excluded by the rule below.",
+ "matchUpdateTypes": [
+ "patch"
+ ],
+ "automerge": true,
+ "platformAutomerge": true
+ },
+ {
+ "description": "Never auto-merge Aztec — fast-moving testnet (nightly tags, frequent majors). Always review, even patches.",
+ "matchFileNames": [
+ "internal/embed/networks/aztec/**"
+ ],
+ "automerge": false
 }
 ]
}
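Review bot: The patch auto-merge rule on the new side has no `matchManagers`, so it applies to every enabled manager — the `custom.regex` image-pin managers and `github-actions` included, not just the Go modules the description is about — and `platformAutomerge` only "waits for required checks" if branch protection on the default branch actually marks those checks as required; otherwise GitHub merges as soon as the PR is mergeable. Scope the rule and add a release cool-down so a freshly published (possibly compromised) patch release is not merged before anyone can react: `"matchManagers": ["gomod", "github-actions"],` and `"minimumReleaseAge": "3 days",` next to `"matchUpdateTypes"`. The Aztec override relies on `packageRules` order (later rules win) and on every Aztec reference living under `internal/embed/networks/aztec/**`; if Aztec tags are also pinned elsewhere, those would still auto-merge. Please confirm the required-status-checks setting on the default branch before this lands.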