diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..a42c7f2
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,29 @@
+name: "Renovate"
+on:
+ workflow_dispatch:
+ inputs:
+ debug:
+ description: "Enable debug logging"
+ type: boolean
+ required: false
+ default: false
+ schedule:
+ - cron: "0 0 * * 1" # Triggers the workflow every Monday at midnight
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5.0.0
+ - name: Self-hosted Renovate
+ uses: renovatebot/github-action@v43.0.15
+ with:
+ token: ${{ secrets.RENOVATE_TOKEN }}
+ env:
+ LOG_LEVEL: ${{ inputs.DEBUG == 'true' && 'debug' || 'info' }}
+ RENOVATE_REPOSITORIES: "['${{ github.repository }}']"
+ RENOVATE_COMMIT_MESSAGE_SUFFIX: '{{#unless groupName}}{{#if (equals updateType "digest")}}(from {{currentDigestShort}}){{else}}(from {{currentVersion}}){{/if}}{{/unless}}'
+ RENOVATE_LABELS: "['dependencies']"
+ RENOVATE_DEPENDENCY_DASHBOARD_LABELS: "['dependencies']"
+ RENOVATE_EXTENDS: '["config:best-practices","mergeConfidence:all-badges",":pinVersions","security:openssf-scorecard",":prHourlyLimitNone",":separateMultipleMajorReleases",":configMigration","customManagers:dockerfileVersions"]'
+ RENOVATE_PLATFORM: "github"
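Review bot: The `Self-hosted Renovate` step passes `secrets.RENOVATE_TOKEN` to an action referenced by a mutable tag (`renovatebot/github-action@v43.0.15`), and the workflow has no `permissions:` block, so whatever that tag points to at run time receives a write-capable token. Pinning both `uses:` lines to a full commit SHA, e.g. `uses: renovatebot/github-action@<full-commit-sha> # v43.0.15`, and adding a top-level `permissions:` with `contents: read` would narrow that exposure. Separately, `LOG_LEVEL` compares the `type: boolean` input with the string `'true'`. The `inputs` context keeps booleans as booleans and a boolean-to-string comparison is coerced numerically, so the expression most likely always yields `info`; `LOG_LEVEL: ${{ inputs.debug && 'debug' || 'info' }}` matches the input's description.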
diff --git a/Dockerfile b/Dockerfile
index acb8b3c..df737d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,42 @@
+# syntax=docker/dockerfile:1.19.0@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6
+
+# renovate: datasource=deb depName=build-essential
+ARG BUILD_ESSENTIAL_VERSION=12.12
+# renovate: datasource=deb depName=libpq-dev
+ARG LIBPQ_DEV_VERSION=17.6-0+deb13u1
+# renovate: datasource=deb depName=libcurl4-openssl-dev
+ARG LIBCURL4_OPENSSL_DEV_VERSION=8.14.1-2
+# renovate: datasource=deb depName=libssl-dev
+ARG LIBSSL_DEV_VERSION=3.5.1-1
+# renovate: datasource=deb depName=pkg-config
+ARG PKG_CONFIG_VERSION=1.8.1-4
+# renovate: datasource=deb depName=nginx
+ARG NGINX_VERSION=1.26.3-3+deb13u1
+# renovate: datasource=deb depName=supervisor
+ARG SUPERVISOR_VERSION=4.2.5-3
+# renovate: datasource=deb depName=postgresql-client
+ARG POSTGRESQL_CLIENT_VERSION=15.10-0+deb13u1
+# renovate: datasource=deb depName=gettext-base
+ARG GETTEXT_BASE_VERSION=0.23.1-2
+# renovate: datasource=deb depName=curl
+ARG CURL_VERSION=8.14.1-2
+# renovate: datasource=deb depName=ca-certificates
+ARG CA_CERTIFICATES_VERSION=20250419
+# renovate: datasource=deb depName=libpq5
+ARG LIBPQ5_VERSION=17.6-0+deb13u1
+# renovate: datasource=deb depName=libssl3t64
+ARG LIBSSL3T64_VERSION=3.5.1-1
FROM python:3.13-slim-trixie AS builder
# Install build tools (only in builder stage)
RUN apt-get update && \
apt-get install -y --no-install-recommends \
- build-essential \
- libpq-dev \
- libcurl4-openssl-dev \
- libssl-dev \
- pkg-config && \
+ build-essential=${BUILD_ESSENTIAL_VERSION} \
+ libpq-dev=${LIBPQ_DEV_VERSION} \
+ libcurl4-openssl-dev=${LIBCURL4_OPENSSL_DEV_VERSION} \
+ libssl-dev=${LIBSSL_DEV_VERSION} \
+ pkg-config=${PKG_CONFIG_VERSION} && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
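Review bot: The `*_VERSION` ARGs are declared before the first `FROM`, so they are not in scope inside the `builder` stage, and every `pkg=${..._VERSION}` in this `RUN` expands to `pkg=` with an empty version. The hunk shows no `ARG` re-declaration between `FROM ... AS builder` and the `RUN`, so the pins are not applied and apt will most likely reject the empty version. Each stage needs value-less `ARG` lines for the names it uses, as in the fence below. The same applies to the runtime-stage install in the next hunk, whose `FROM` is outside the visible lines. Note also that the base image `python:3.13-slim-trixie` is not digest-pinned, unlike the `# syntax=` line.

```dockerfile
FROM python:3.13-slim-trixie AS builder
# Re-declare the global ARGs so their defaults are visible in this stage
ARG BUILD_ESSENTIAL_VERSION
ARG LIBPQ_DEV_VERSION
ARG LIBCURL4_OPENSSL_DEV_VERSION
ARG LIBSSL_DEV_VERSION
ARG PKG_CONFIG_VERSION
# … unchanged: RUN apt-get update && apt-get install … …
```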
@@ -29,15 +57,15 @@ LABEL org.opencontainers.image.description="Warracker - Warranty Tracker"
# Install runtime dependencies only
RUN apt-get update && \
apt-get install -y --no-install-recommends \
- nginx \
- supervisor \
- postgresql-client \
- gettext-base \
- curl \
- ca-certificates \
- libpq5 \
- libcurl4 \
- libssl3 && \
+ nginx=${NGINX_VERSION} \
+ supervisor=${SUPERVISOR_VERSION} \
+ postgresql-client=${POSTGRESQL_CLIENT_VERSION} \
+ gettext-base=${GETTEXT_BASE_VERSION} \
+ curl=${CURL_VERSION} \
+ ca-certificates=${CA_CERTIFICATES_VERSION} \
+ libpq5=${LIBPQ5_VERSION} \
+ libcurl4=${LIBCURL4_OPENSSL_DEV_VERSION} \
+ libssl3t64=${LIBSSL3_VERSION} && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
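Review bot: `libssl3t64=${LIBSSL3_VERSION}` references a variable that is never declared. The ARG added at the top of the file is `LIBSSL3T64_VERSION`, so this expands to an empty version even once ARG scoping is fixed; it should read `libssl3t64=${LIBSSL3T64_VERSION} && \`. `libcurl4=${LIBCURL4_OPENSSL_DEV_VERSION}` reuses the `-dev` package's ARG, so Renovate tracks `libcurl4-openssl-dev` rather than the runtime library. A dedicated ARG with its own `# renovate: datasource=deb depName=...` comment would keep the two from drifting apart. It is worth confirming that `libcurl4` is the actual package name on trixie, given that `libssl3` was renamed to `libssl3t64` in this same hunk. The `FROM` of this stage is outside the hunk, so whether the ARGs are re-declared there cannot be seen from here.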
diff --git a/frontend/about.html b/frontend/about.html
index 84ec07f..155bcdb 100644
--- a/frontend/about.html
+++ b/frontend/about.html
@@ -16,7 +16,7 @@
-
+
diff --git a/frontend/index.html b/frontend/index.html
index 9e87722..965f30f 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -26,7 +26,7 @@
-
+
diff --git a/frontend/login.html b/frontend/login.html
index 6732a18..91f5231 100644
--- a/frontend/login.html
+++ b/frontend/login.html
@@ -21,7 +21,7 @@
}
} catch (_) {}
-
+
diff --git a/frontend/register.html b/frontend/register.html
index ce3c1b5..cf1f886 100644
--- a/frontend/register.html
+++ b/frontend/register.html
@@ -16,7 +16,7 @@
-
+
diff --git a/frontend/reset-password-request.html b/frontend/reset-password-request.html
index 8871392..f99f59c 100644
--- a/frontend/reset-password-request.html
+++ b/frontend/reset-password-request.html
@@ -13,7 +13,7 @@
-
+
diff --git a/frontend/reset-password.html b/frontend/reset-password.html
index 4fe6e9b..13c85af 100644
--- a/frontend/reset-password.html
+++ b/frontend/reset-password.html
@@ -13,7 +13,7 @@
-
+
diff --git a/frontend/settings-new.html b/frontend/settings-new.html
index 1ba7661..6cc30f7 100644
--- a/frontend/settings-new.html
+++ b/frontend/settings-new.html
@@ -19,7 +19,7 @@
-
+
diff --git a/frontend/status.html b/frontend/status.html
index afe3243..3d1d7f4 100644
--- a/frontend/status.html
+++ b/frontend/status.html
@@ -22,7 +22,7 @@
-
+
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..27ea5cb
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "packageRules": [
+ {
+ "matchDatasources": ["deb"],
+ "registryUrls": ["https://deb.debian.org/debian?suite=trixie&components=main,contrib,non-free&binaryArch=amd64"],
+ "groupName": "Debian packages"
+ },
+ {
+ "matchManagers": ["pip_requirements"],
+ "groupName": "Python packages"
+ },
+ {
+ "matchDatasources": ["github-actions"],
+ "groupName": "GitHub Actions"
+ },
+ {
+ "matchManagers": ["docker-compose"],
+ "pinDigests": false,
+ "enabled": false
+ }
+ ]
+}
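Review bot: The `deb` rule's `registryUrls` lists only `suite=trixie` on `deb.debian.org`, so Renovate will presumably not see versions published to the `trixie-security` suite until they are folded into a point release. Because the Dockerfile now pins exact package versions, the image would stay on the vulnerable build for that whole window. Consider adding a second entry to `registryUrls` for the Debian security archive with `suite=trixie-security`, and verify the exact URL form against the Renovate `deb` datasource documentation. The `docker-compose` rule sets `"enabled": false`, which also stops update PRs for images referenced in compose files; if that is intentional, `"pinDigests": false` on the same rule is redundant.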