feat(renovate): distinguish library and app npm dependency strategies

[nexus49]

Summary

• Replace the single bump range strategy for npm production dependencies with two explicit rules using matchJsonata:
  • Libraries (publishConfig present): replace strategy — preserves semver ranges (^/~), preventing forced exact versions for downstream consumers
  • Applications (private: true): pin strategy — exact versions for reproducible production builds
• Skip digest pinning for openmfp/gha and openmfp/.github GitHub Actions, since we trust our own shared workflow repos

Aligns with the platform-mesh shared Renovate configuration.

Summary by CodeRabbit

• Chores
  • Refined dependency update automation configuration to optimize version handling across different package types for improved build consistency.
  • Adjusted GitHub Actions update settings for enhanced stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c65463a-981c-4ca6-9af5-138fc208346c

📥 Commits

Reviewing files that changed from the base of the PR and between 70024f2 and a5dacb4.

📒 Files selected for processing (1)

• renovate-config.json

---

📝 Walkthrough

Walkthrough

Updated Renovate configuration to apply different dependency version strategies based on project type: rangeStrategy: "replace" for published packages with publishConfig, rangeStrategy: "pin" for private packages without publishConfig, and disabled digest pinning for specific GitHub Actions repositories.

Changes

Cohort / File(s)	Summary
Renovate Configuration renovate-config.json	Replaced production-oriented bump strategy with conditional packageRules applying different rangeStrategy options based on publishConfig presence and private package status; added GitHub Actions rule disabling digest pinning for openmfp repositories.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• feat(renovate): pin Docker base images to digests #15: Modifies Renovate digest-pinning behavior for Docker images, complementing this change's handling of digest pinning for GitHub Actions updates.

Suggested reviewers

• aaronschweig
• gkrajniak

Poem

🐰 A config so neat, with strategies clear,
Published or private? Each rule brings good cheer!
Digest pins disabled where needed they're not,
Renovate runs smoother—what a fine plot! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: distinguishing npm dependency update strategies between libraries and applications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/improve-renovate-npm-strategy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}