From cc5e55ef4c49edcd9e9ca40bdf31bd220b7adb11 Mon Sep 17 00:00:00 2001
From: edersonbrilhante
Date: Mon, 24 Nov 2025 14:54:34 +0100
Subject: [PATCH 1/7] ci: add new rules in renovate config
---
 renovate.json | 112 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 110 insertions(+), 2 deletions(-)
diff --git a/renovate.json b/renovate.json
index 9ce9f9df..bb534b2e 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,7 +1,37 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["config:recommended", ":semanticCommits"],
- "enabledManagers": ["terraform", "regex"],
+ "extends": [
+ "config:recommended",
+ "config:base",
+ ":rebaseStalePrs",
+ ":semanticCommits",
+ ":semanticCommitScope(deps)"
+ ],
+
+ "pre-commit": {
+ "enabled": true
+ },
+
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "schedule": ["at any time"]
+ },
+ "osvVulnerabilityAlerts": true,
+ "automerge": false,
+ "platformAutomerge": true,
+ "stabilityDays": 0,
+ "separateMinorPatch": true,
+ "separateMajorMinor": true,
+
+ "customManagers": [
+ {
+ "customType": "regex",
+ "fileMatch": ["^*\\.tf$"],
+ "matchStrings": ["required_version\\s=\\s\">= (?.*?)\""],
+ "depNameTemplate": "opentofu/opentofu",
+ "datasourceTemplate": "github-releases"
+ }
+ ],
 "packageRules": [
 {
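Review bot: The custom manager's `"fileMatch": ["^*\\.tf$"]` applies the `*` quantifier to the `^` anchor, which is likely rejected as a malformed pattern (JavaScript's `RegExp` reports "Nothing to repeat"), so the OpenTofu `required_version` manager would never run; `"fileMatch": ["\\.tf$"]` is the intended form. The `matchStrings` capture appears here as `(?.*?)` with no group name — if that is not an extraction artefact, Renovate needs `(?<currentValue>.*?)` to extract the version. In `extends`, `config:base` is the deprecated alias of `config:recommended` and only duplicates it. `stabilityDays` is the old name of `minimumReleaseAge`, and the top-level `0` removes the release-age buffer for every manager now that `enabledManagers` is gone; a non-zero default such as `"minimumReleaseAge": "3 days"`, overridden to 0 only on vulnerability-alert rules, keeps immediate security updates without merging a freshly published, possibly compromised, release everywhere else.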
@@ -10,6 +40,84 @@
 "groupName": "terraform-aws-github-runner version",
 "separateMajorMinor": false,
 "separateMinorPatch": false
+ },
+ {
+ "description": "Security updates - immediate processing (override stability days)",
+ "matchPackagePatterns": ["*"],
+ "matchUpdateTypes": ["patch", "minor"],
+ "vulnerabilityAlerts": {"enabled": true},
+ "stabilityDays": 0,
+ "prPriority": 10,
+ "prCreation": "immediate",
+ "addLabels": ["security", "critical"]
+ },
+ {
+ "matchUpdateTypes": ["patch","pin","digest"],
+ "addLabels": ["simple-review"],
+ "automerge": true
+ },
+ {
+ "matchUpdateTypes": ["minor"],
+ "addLabels": ["simple-review"]
+ },
+ {
+ "matchPackagePatterns": ["aws","terraform-aws-modules"],
+ "groupName": "AWS providers and modules",
+ "addLabels": ["aws-updates"]
+ },
+ {
+ "description": "GitHub Actions - pin to commit SHA for security",
+ "matchManagers": ["github-actions"],
+ "pinDigests": true,
+ "groupName": "GitHub Actions",
+ "addLabels": ["github-actions", "ci-cd"]
+ },
+ {
+ "matchManagers": ["pre-commit"],
+ "groupName": "Pre-commit hooks",
+ "addLabels": ["pre-commit"]
+ },
+ {
+ "matchPackagePatterns": ["python","pip"],
+ "groupName": "Python dependencies",
+ "addLabels": ["python"]
+ },
+ {
+ "description": "Development dependencies - reduced stability days",
+ "matchDepTypes": ["devDependencies"],
+ "matchUpdateTypes": ["patch", "minor"],
+ "stabilityDays": 1,
+ "automerge": true,
+ "addLabels": ["dev-dependencies"]
+ },
+ {
+ "description": "Docker images - grouped with digest pinning",
+ "matchManagers": ["docker-compose", "dockerfile"],
+ "groupName": "Docker images",
+ "pinDigests": true,
+ "addLabels": ["docker", "containers"]
+ },
+ {
+ "description": "Terraform providers from public registry",
+ "matchDatasources": ["terraform-provider"],
+ "matchPackagePatterns": ["^hashicorp/.*"],
+ "registryUrls": ["https://registry.opentofu.org"]
+ },
+ {
+ "description": "Major version updates - extended stability period",
+ "matchUpdateTypes": 
["major"],
+ "stabilityDays": 7,
+ "prPriority": 1,
+ "addLabels": ["major-update", "breaking-change"]
+ },
+ {
+ "description": "Critical security patches - auto-merge enabled",
+ "matchPackagePatterns": ["*"],
+ "matchUpdateTypes": ["patch"],
+ "vulnerabilityAlerts": {"enabled": true},
+ "automerge": true,
+ "automergeType": "pr",
+ "addLabels": ["security", "auto-merge"]
 }
 ],
From 84b3007ab0483d3a8ad5cc3c0477e1e5e14c15f6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:34:11 +0100
Subject: [PATCH 2/7] chore(deps): update pre-commit hooks (#19)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0f9768dd..3dd6e734 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -83,7 +83,7 @@ repos:
 # Commit Message Hooks
 # ---------------------
 - repo: https://github.com/commitizen-tools/commitizen
- rev: v4.1.0
+ rev: v4.1.1
 hooks:
 - id: commitizen
 name: Git · Validate commit message
@@ -230,7 +230,7 @@ repos:
 always_run: true
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.0
+ rev: v1.100.1
 hooks:
 - id: terraform_fmt
 name: Terraform · Formatter
@@ -276,7 +276,7 @@ repos:
 # Markdown Hooks
 # ---------------------
 - repo: https://github.com/hukkin/mdformat
- rev: 0.7.21
+ rev: 0.7.22
 hooks:
 - id: mdformat
 name: Markdown · Format markdown
From 167bd620dadf7be8a99b0e66f83e134433c5bd19 Mon Sep 17 00:00:00 2001
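Review bot: The last rule (`Critical security patches - auto-merge enabled`) and the first added rule of this hunk (`Security updates - immediate processing`) do not actually select security PRs: `vulnerabilityAlerts` inside a packageRule is a config object applied to whatever the rule matches, not a matcher, so with `"matchPackagePatterns": ["*"]` the last rule turns on automerge for every patch update of every dependency. The packageRules matcher for vulnerability-alert PRs is `isVulnerabilityAlert`, so both rules should carry `"isVulnerabilityAlert": true` in place of `"vulnerabilityAlerts": {"enabled": true}`. The rule at `"matchUpdateTypes": ["patch","pin","digest"]` also automerges digest bumps, which for the github-actions and dockerfile managers (where this hunk enables `pinDigests`) merges a moved tag or a rebuilt image without anyone looking at the new SHA; limiting that rule to `"matchUpdateTypes": ["pin"]` keeps the review step that pinning was meant to buy. `stabilityDays` has been renamed `minimumReleaseAge` in current Renovate, and the `0` and `1` values on the automerge rules remove the buffer in which a yanked or compromised release is normally noticed before it lands.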
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:34:42 +0100
Subject: [PATCH 3/7] chore(deps): update terraform github.com/github-aws-runners/terraform-aws-github-runner to v6.10.0 (#24)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 modules/platform/ec2_deployment/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf
index a8c78bc0..ac660583 100644
--- a/modules/platform/ec2_deployment/main.tf
+++ b/modules/platform/ec2_deployment/main.tf
@@ -56,7 +56,7 @@ data "external" "download_lambdas" {
 }
 module "runners" {
- source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v6.9.1"
+ source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v6.10.0"
 aws_region = var.aws_region
From f98cc0e6471a9d944c323fee0015a26419e853f9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:35:02 +0100
Subject: [PATCH 4/7] chore(deps): pin dependencies (#25)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .docker/forge-github-app-register/Dockerfile | 2 +-
 .docker/pre-commit/Dockerfile | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile
index 0da6d427..a17a9b8a 100644
--- a/.docker/forge-github-app-register/Dockerfile
+++ b/.docker/forge-github-app-register/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.14-slim
+FROM python:3.14-slim@sha256:0aecac02dc3d4c5dbb024b753af084cafe41f5416e02193f1ce345d671ec966e
 RUN useradd --create-home appuser
 WORKDIR /home/appuser
diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile
index 0a9e6aa1..88487ddf 100644
--- a/.docker/pre-commit/Dockerfile
+++ b/.docker/pre-commit/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04 AS build
+FROM ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 AS build
 WORKDIR /opt/build
@@ -124,7 +124,7 @@ RUN set -eux; \
 unzip -o ${TOFU_ARTIFACT} -d /usr/local/bin/; \
 chmod 755 /usr/local/bin/tofu
-FROM ubuntu:24.04 AS final
+FROM ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 AS final
 ENV DEBIAN_FRONTEND=noninteractive
From acf3c1810b9def6ebcaf445d12fb3c4902cb571f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:35:40 +0100
Subject: [PATCH 5/7] chore(deps): update pre-commit hook python-jsonschema/check-jsonschema to v0.35.0 (#21)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3dd6e734..1746f124 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -196,7 +196,7 @@ repos:
 # JSON Schema Hooks
 # ---------------------
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.33.3
+ rev: 0.35.0
 hooks:
 - id: check-github-workflows
 name: JSON Schema · GitHub workflows
From c97874feff114bd9556f13e6cab436a134215f74 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 00:36:29 +0100
Subject: [PATCH 6/7] chore(deps): update pre-commit hooks (#22)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1746f124..687fa308 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -83,7 +83,7 @@ repos:
 # Commit Message Hooks
 # ---------------------
 - repo: https://github.com/commitizen-tools/commitizen
- rev: v4.1.1
+ rev: v4.10.0
 hooks:
 - id: commitizen
 name: Git · Validate commit message
@@ -135,7 +135,7 @@ repos:
 # Docker Hooks
 # ---------------------
 - repo: https://github.com/hadolint/hadolint
- rev: v2.13.1
+ rev: v2.14.0
 hooks:
 - id: hadolint
 name: Docker · Linter
@@ -159,7 +159,7 @@ repos:
 name: Python · autopep8
 - repo: https://github.com/PyCQA/isort
- rev: 6.0.1
+ rev: 6.1.0
 hooks:
 - id: isort
 name: Python · Import sorter
@@ -178,14 +178,14 @@ repos:
 args: [--ignore=E501]
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.20.0
+ rev: v3.21.2
 hooks:
 - id: pyupgrade
 name: Python · Upgrade syntax
 always_run: true
 - repo: https://github.com/abravalheri/validate-pyproject
- rev: v0.23
+ rev: v0.24.1
 hooks:
 - id: validate-pyproject
 name: Python · Validate pyproject.toml
@@ -230,7 +230,7 @@ repos:
 always_run: true
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.1
+ rev: v1.104.0
 hooks:
 - id: terraform_fmt
 name: Terraform · Formatter
@@ -256,7 +256,7 @@ repos:
 # Security Hooks
 # ---------------------
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.28.0
+ rev: v8.30.0
 hooks:
 - id: gitleaks
 name: Security · Gitleaks
@@ -266,7 +266,7 @@ repos:
 # Ansible Hooks
 # ---------------------
 - repo: https://github.com/ansible-community/ansible-lint.git
- rev: v25.8.2
+ rev: v25.11.1
 hooks:
 - id: ansible-lint
 name: Ansible · Linter
From aea29e1d12ff15fa50558aeba576434c37f13719 Mon Sep 17 00:00:00 2001
From: edersonbrilhante
Date: Thu, 27 Nov 2025 10:08:45 +0100
Subject: [PATCH 7/7] ci: fix pre-commit-config for ansible hook
---
 .pre-commit-config.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 687fa308..4bf0310c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -271,6 +271,7 @@ repos:
 - id: ansible-lint
 name: Ansible · Linter
 always_run: true
+ language_version: python3.12
 # ---------------------
 # Markdown Hooks