{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommits"
  ],
  "labels": ["dependencies"],
  "rebaseWhen": "behind-base-branch",
  "customManagers": [
    {
      "customType": "regex",
      "description": "Update version ARGs annotated with a `# renovate:` comment (the dockerfile manager only handles FROM/image lines, not ARG values).",
      "managerFilePatterns": ["/(^|/)Dockerfile$/"],
      "matchStrings": [
        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)(?:\\s+packageName=(?<packageName>\\S+))?(?:\\s+versioning=(?<versioning>\\S+))?\\s+ARG \\w+=(?<currentValue>\\S+)"
      ],
      "matchStringsStrategy": "any"
    }
  ],
  "packageRules": [
    {
      "matchManagers": ["dockerfile"],
      "description": "Keep base-image tags pinned to a digest.",
      "pinDigests": true
    },
    {
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["tailscale/tailscale"],
      "description": "TAILSCALE_VERSION ARG: only stable releases. Tailscale uses EVEN minor versions for stable (v1.98.x); ODD minors (v1.99.x) are unstable, so filter to even minors and ignore pre-releases.",
      "extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$",
      "allowedVersions": "/^\\d+\\.\\d*[02468]\\.\\d+$/",
      "ignoreUnstable": true
    },
    {
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["tailscale/tailscale"],
      "description": "Automerge all stable Tailscale releases (patch AND minor) once the PR build passes.",
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["golang", "alpine"],
      "description": "Automerge PATCH-only bumps of build components (Go/Alpine) once the PR build passes; review minor/major manually.",
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["busybox"],
      "description": "busybox ARG (custom manager): automerge PATCH bumps once the PR build passes; review minor/major manually.",
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchManagers": ["dockerfile"],
      "matchUpdateTypes": ["digest", "pinDigest"],
      "description": "Automerge base-image digest refreshes (same tag, new sha256) once the PR build passes.",
      "automerge": true
    }
  ],
  "automergeType": "pr",
  "platformAutomerge": true
}