From a70883c1535c5a804fe75bb1476da6a62e478404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erwan=20Herv=C3=A9?=
Date: Tue, 7 Oct 2025 20:44:19 +0200
Subject: [PATCH 1/2] Add Renovate workflow configuration
---
 .github/workflows/renovate.yml | 29 +++++++++++++++++++++++++++++
 renovate.json | 3 +++
 2 files changed, 32 insertions(+)
 create mode 100644 .github/workflows/renovate.yml
 create mode 100644 renovate.json
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..a42c7f2
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,29 @@
+name: "Renovate"
+on:
+ workflow_dispatch:
+ inputs:
+ debug:
+ description: "Enable debug logging"
+ type: boolean
+ required: false
+ default: false
+ schedule:
+ - cron: "0 0 * * 1" # Triggers the workflow every Monday at midnight
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5.0.0
+ - name: Self-hosted Renovate
+ uses: renovatebot/github-action@v43.0.15
+ with:
+ token: ${{ secrets.RENOVATE_TOKEN }}
+ env:
+ LOG_LEVEL: ${{ inputs.DEBUG == 'true' && 'debug' || 'info' }}
+ RENOVATE_REPOSITORIES: "['${{ github.repository }}']"
+ RENOVATE_COMMIT_MESSAGE_SUFFIX: '{{#unless groupName}}{{#if (equals updateType "digest")}}(from {{currentDigestShort}}){{else}}(from {{currentVersion}}){{/if}}{{/unless}}'
+ RENOVATE_LABELS: "['dependencies']"
+ RENOVATE_DEPENDENCY_DASHBOARD_LABELS: "['dependencies']"
+ RENOVATE_EXTENDS: '["config:best-practices","mergeConfidence:all-badges",":pinVersions","security:openssf-scorecard",":prHourlyLimitNone",":separateMultipleMajorReleases",":configMigration","customManagers:dockerfileVersions"]'
+ RENOVATE_PLATFORM: "github"
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..7190a60
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}
From d5f077f42cfddbe32787ddce4d7b243e0cca8f3a Mon Sep 17 00:00:00 2001
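Review bot: `LOG_LEVEL: ${{ inputs.DEBUG == 'true' && 'debug' || 'info' }}` never selects `debug`: the input is declared as `debug` with `type: boolean`, so in the expression it is a boolean, and GitHub's comparison rules do not treat the boolean `true` as equal to the string `'true'`; write `LOG_LEVEL: ${{ inputs.debug == true && 'debug' || 'info' }}`. On the `schedule` trigger the input is unset and the expression still falls through to `info`, which is the intended default. The workflow declares no `permissions:` block, so the job keeps the repository's default `GITHUB_TOKEN` grants even though every Renovate write goes through `secrets.RENOVATE_TOKEN`; a top-level `permissions:` block granting only `contents: read` (enough for `actions/checkout`) keeps the default token least-privilege. The `# Triggers the workflow every Monday at midnight` comment should say midnight UTC, since GitHub evaluates `schedule` crons in UTC.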
From: =?UTF-8?q?Erwan=20Herv=C3=A9?=
Date: Thu, 9 Oct 2025 20:34:14 +0200
Subject: [PATCH 2/2] Update Dockerfile to use specific versions for dependencies and enhance renovate.json with package rules
---
 .github/workflows/renovate.yml | 4 +--
 Dockerfile | 60 +++++++++++++++++++++++++---------
 renovate.json | 22 ++++++++++++-
 3 files changed, 67 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index a42c7f2..9f01291 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -14,9 +14,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Self-hosted Renovate
- uses: renovatebot/github-action@v43.0.15
+ uses: renovatebot/github-action@e2421a9a80287bba9997b41a15ea1e5585d96925 # v43.0.16
 with:
 token: ${{ secrets.RENOVATE_TOKEN }}
 env:
diff --git a/Dockerfile b/Dockerfile
index acb8b3c..7b23b63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,42 @@
+# syntax=docker/dockerfile:1.19.0@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6
-FROM python:3.13-slim-trixie AS builder
+# renovate: datasource=deb depName=build-essential
+ARG BUILD_ESSENTIAL_VERSION=12.12
+# renovate: datasource=deb depName=libpq-dev
+ARG LIBPQ_DEV_VERSION=17.6-0+deb13u1
+# renovate: datasource=deb depName=libcurl4-openssl-dev
+ARG LIBCURL4_OPENSSL_DEV_VERSION=8.14.1-2
+# renovate: datasource=deb depName=libssl-dev
+ARG LIBSSL_DEV_VERSION=3.5.1-1
+# renovate: datasource=deb depName=pkg-config
+ARG PKG_CONFIG_VERSION=1.8.1-4
+# renovate: datasource=deb depName=nginx
+ARG NGINX_VERSION=1.26.3-3+deb13u1
+# renovate: datasource=deb depName=supervisor
+ARG SUPERVISOR_VERSION=4.2.5-3
+# renovate: datasource=deb depName=postgresql-client
+ARG POSTGRESQL_CLIENT_VERSION=15.10-0+deb13u1
+# renovate: datasource=deb depName=gettext-base
+ARG GETTEXT_BASE_VERSION=0.23.1-2
+# renovate: datasource=deb depName=curl
+ARG CURL_VERSION=8.14.1-2
+# renovate: datasource=deb depName=ca-certificates
+ARG CA_CERTIFICATES_VERSION=20250419
+# renovate: datasource=deb depName=libpq5
+ARG LIBPQ5_VERSION=17.6-0+deb13u1
+# renovate: datasource=deb depName=libssl3t64
+ARG LIBSSL3T64_VERSION=3.5.1-1
+
+FROM python:3.13-slim-trixie@sha256:087a9f3b880e8b2c7688debb9df2a5106e060225ebd18c264d5f1d7a73399db0 AS builder
 # Install build tools (only in builder stage)
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
- build-essential \
- libpq-dev \
- libcurl4-openssl-dev \
- libssl-dev \
- pkg-config && \
+ build-essential=${BUILD_ESSENTIAL_VERSION} \
+ libpq-dev=${LIBPQ_DEV_VERSION} \
+ libcurl4-openssl-dev=${LIBCURL4_OPENSSL_DEV_VERSION} \
+ libssl-dev=${LIBSSL_DEV_VERSION} \
+ pkg-config=${PKG_CONFIG_VERSION} && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
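Review bot: The `ARG *_VERSION` lines are declared before the first `FROM`, which puts them outside every build stage, so `${BUILD_ESSENTIAL_VERSION}` through `${PKG_CONFIG_VERSION}` in the builder's `RUN apt-get install` expand to empty and apt is asked for `build-essential=` and friends; the runtime stage's `apt-get install` in the third hunk has the same problem. Each stage must re-declare the args it uses directly after its `FROM` with a value-less `ARG NAME`, which picks up the global default (see "Understand how ARG and FROM interact" in the Dockerfile reference). Exact `pkg=version` pins also make the build fail once the archive index moves past a pinned version, which is the intended trade-off here but deserves a comment above the first `# renovate:` line, e.g. `# Exact apt pins: a "Version not found" build failure means Renovate has not yet proposed the newer Debian version.` `ARG POSTGRESQL_CLIENT_VERSION=15.10-0+deb13u1` looks like a `postgresql-15` server version rather than the version of trixie's `postgresql-client` metapackage, so verify each pinned string against the image's apt sources before merging.
```dockerfile
FROM python:3.13-slim-trixie@sha256:087a9f3b880e8b2c7688debb9df2a5106e060225ebd18c264d5f1d7a73399db0 AS builder
# Bring the global build args into this stage; a value-less ARG inherits the global default.
ARG BUILD_ESSENTIAL_VERSION
ARG LIBPQ_DEV_VERSION
ARG LIBCURL4_OPENSSL_DEV_VERSION
ARG LIBSSL_DEV_VERSION
ARG PKG_CONFIG_VERSION
# … unchanged: apt-get install of the pinned build packages …
```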
@@ -20,7 +48,7 @@ COPY backend/requirements.txt /tmp/requirements.txt
 RUN pip install --no-cache-dir -r /tmp/requirements.txt
-FROM python:3.13-slim-trixie AS runtime
+FROM python:3.13-slim-trixie@sha256:087a9f3b880e8b2c7688debb9df2a5106e060225ebd18c264d5f1d7a73399db0 AS runtime
 # Metadata for final image
 LABEL org.opencontainers.image.source="https://github.com/sassanix/Warracker"
@@ -29,15 +57,15 @@ LABEL org.opencontainers.image.description="Warracker - Warranty Tracker"
 # Install runtime dependencies only
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
- nginx \
- supervisor \
- postgresql-client \
- gettext-base \
- curl \
- ca-certificates \
- libpq5 \
- libcurl4 \
- libssl3 && \
+ nginx=${NGINX_VERSION} \
+ supervisor=${SUPERVISOR_VERSION} \
+ postgresql-client=${POSTGRESQL_CLIENT_VERSION} \
+ gettext-base=${GETTEXT_BASE_VERSION} \
+ curl=${CURL_VERSION} \
+ ca-certificates=${CA_CERTIFICATES_VERSION} \
+ libpq5=${LIBPQ5_VERSION} \
+ libcurl4=${LIBCURL4_OPENSSL_DEV_VERSION} \
+ libssl3t64=${LIBSSL3_VERSION} && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/renovate.json b/renovate.json
index 7190a60..27ea5cb 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,3 +1,23 @@
 {
- "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "packageRules": [
+ {
+ "matchDatasources": ["deb"],
+ "registryUrls": ["https://deb.debian.org/debian?suite=trixie&components=main,contrib,non-free&binaryArch=amd64"],
+ "groupName": "Debian packages"
+ },
+ {
+ "matchManagers": ["pip_requirements"],
+ "groupName": "Python packages"
+ },
+ {
+ "matchDatasources": ["github-actions"],
+ "groupName": "GitHub Actions"
+ },
+ {
+ "matchManagers": ["docker-compose"],
+ "pinDigests": false,
+ "enabled": false
+ }
+ ]
 }
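Review bot: `libssl3t64=${LIBSSL3_VERSION}` references a build arg that is never declared — the top-of-file hunk defines `LIBSSL3T64_VERSION` — so this pin expands to empty even after the ARG scoping is fixed; change it to `libssl3t64=${LIBSSL3T64_VERSION}`. `libcurl4=${LIBCURL4_OPENSSL_DEV_VERSION}` borrows the dev package's pin and has no `# renovate:` marker of its own; that holds only while both binaries come from the same source package, so a dedicated `LIBCURL4_VERSION` arg with its own `# renovate: datasource=deb depName=libcurl4` line keeps the runtime dependency visible to Renovate and to readers.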
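Review bot: The deb `registryUrls` entry indexes only the `trixie` suite of `deb.debian.org/debian`, so Renovate never sees versions published through `trixie-security` or `trixie-updates`; the `+deb13u1` suffixes on several Dockerfile pins suggest that is where those versions come from, and security releases of `libssl3t64`, `libpq5`, `curl` or `nginx` would go unnoticed. Add the security archive as a second entry in the same URL format, `"https://deb.debian.org/debian-security?suite=trixie-security&components=main&binaryArch=amd64"`, and `trixie-updates` alongside it. `binaryArch=amd64` also means an arm64 build of this image, if one exists, installs versions Renovate only checked for amd64. The final rule disables the `docker-compose` manager, so image tags in compose files stop receiving update PRs; since JSON has no comments, record the reason in the rule itself, e.g. `"description": "compose image tags are managed by hand"`.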