Merge remote-tracking branch 'upstream/main' into rework-nix

* upstream/main: (57 commits)
  feat(mix): handle hex package aliases (renovatebot#32984)
  feat(preset): Add modules to Jackson monorepo group (renovatebot#32997)
  docs(nuget): add info about nested nuget ignorePaths (renovatebot#33020)
  chore(deps): update github/codeql-action action to v3.27.7 (renovatebot#33018)
  docs: remove app secrets deprecation date (renovatebot#33010)
  docs: added Renovate Version info to Mend-hosted Apps config page (renovatebot#32917)
  feat(deps): update ghcr.io/renovatebot/base-image docker tag to v9.18.0 (renovatebot#33002)
  chore(deps): update dependency type-fest to v4.30.0 (renovatebot#33001)
  refactor(maven): Unified result type for http fetch (renovatebot#32813)
  feat(deps): update ghcr.io/renovatebot/base-image docker tag to v9.17.0 (renovatebot#32993)
  refactor: Flatten package lookup queue (renovatebot#32930)
  chore(deps): update dependency pdm to v2.22.0 (renovatebot#32990)
  chore(deps): update ghcr.io/containerbase/devcontainer docker tag to v13.2.2 (renovatebot#32989)
  chore(deps): update dependency renovatebot/github-action to v41.0.6 (renovatebot#32986)
  fix(deps): update ghcr.io/containerbase/sidecar docker tag to v13.2.2 (renovatebot#32987)
  feat(managers/circleci): add registryAliases support to circleci manager (renovatebot#32945)
  refactor: Rename manager result type to `MaybePromise` (renovatebot#32977)
  chore(deps): lock file maintenance (renovatebot#32982)
  docs: update references to renovate/renovate (renovatebot#32981)
  chore(deps): update dependency type-fest to v4.29.1 (renovatebot#32980)
  ...

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.1.0
+FROM ghcr.io/containerbase/devcontainer:13.2.2

.github/actions/calculate-prefetch-matrix/action.yml

@@ -34,7 +34,7 @@ runs:
 
     - name: Check cache miss for MacOS
       id: macos-cache
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: node_modules
         key: ${{ env.MACOS_KEY }}
@@ -43,7 +43,7 @@ runs:
 
     - name: Check cache miss for Windows
       id: windows-cache
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: node_modules
         key: ${{ env.WINDOWS_KEY }}

.github/actions/setup-node/action.yml

@@ -34,7 +34,7 @@ runs:
 
     - name: Restore `node_modules`
       id: node-modules-restore
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: node_modules
         key: ${{ env.CACHE_KEY }}
@@ -64,7 +64,7 @@ runs:
 
     - name: Cache and restore `pnpm store`
       if: env.CACHE_HIT != 'true'
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: ${{ env.PNPM_STORE }}
         key: |
@@ -87,7 +87,7 @@ runs:
 
     - name: Write `node_modules` cache
       if: inputs.save-cache == 'true' && env.CACHE_HIT != 'true'
-      uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: node_modules
         key: ${{ env.CACHE_KEY }}

.github/workflows/build.yml

@@ -31,7 +31,7 @@ concurrency:
 env:
   DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
   NODE_VERSION: 22
-  PDM_VERSION: 2.21.0 # renovate: datasource=pypi depName=pdm
+  PDM_VERSION: 2.22.0 # renovate: datasource=pypi depName=pdm
   DRY_RUN: true
   TEST_LEGACY_DECRYPTION: true
   SPARSE_CHECKOUT: |-
@@ -209,7 +209,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Restore eslint cache
-        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .cache/eslint
           key: eslint-main-cache
@@ -228,7 +228,7 @@ jobs:
 
       - name: Save eslint cache
         if: github.event_name == 'push'
-        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .cache/eslint
           key: eslint-main-cache
@@ -255,7 +255,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Restore prettier cache
-        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .cache/prettier
           key: prettier-main-cache
@@ -280,7 +280,7 @@ jobs:
 
       - name: Save prettier cache
         if: github.event_name == 'push'
-        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .cache/prettier
           key: prettier-main-cache
@@ -373,7 +373,7 @@ jobs:
           os: ${{ runner.os }}
 
       - name: Cache jest
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .cache/jest
           key: |
@@ -438,7 +438,7 @@ jobs:
           merge-multiple: true
 
       - name: Codecov
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7
+        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: coverage/lcov
@@ -684,7 +684,7 @@ jobs:
           show-progress: false
 
       - name: docker-config
-        uses: containerbase/internal-tools@fa96b70003f221771f8c015cd3f598818ebf4d78 # v3.5.4
+        uses: containerbase/internal-tools@16a59ac6156118c10fd17d3cfd3fc746e7069809 # v3.5.6
         with:
           command: docker-config
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/autobuild@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7

.github/workflows/scorecard.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -31,7 +31,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+      - uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

docs/usage/configuration-options.md

@@ -3613,7 +3613,7 @@ Behavior:
 - `bump` = e.g. bump the range even if the new version satisfies the existing range, e.g. `^1.0.0` -> `^1.1.0`
 - `replace` = Replace the range with a newer one if the new version falls outside it, and update nothing otherwise
 - `widen` = Widen the range with newer one, e.g. `^1.0.0` -> `^1.0.0 || ^2.0.0`
-- `update-lockfile` = Update the lock file when in-range updates are available, otherwise `replace` for updates out of range. Works for `bundler`, `cargo`, `composer`, `npm`, `yarn`, `pnpm`, `terraform` and `poetry` so far
+- `update-lockfile` = Update the lock file when in-range updates are available, otherwise `replace` for updates out of range. Works for `bundler`, `cargo`, `composer`, `gleam`, `npm`, `yarn`, `pnpm`, `terraform` and `poetry` so far
 - `in-range-only` = Update the lock file when in-range updates are available, ignore package file updates
 
 Renovate's `"auto"` strategy works like this for npm:
@@ -3691,6 +3691,7 @@ This feature works with the following managers:
 
 - [`ansible`](modules/manager/ansible/index.md)
 - [`bitbucket-pipelines`](modules/manager/bitbucket-pipelines/index.md)
+- [`circleci`](modules/manager/circleci/index.md)
 - [`docker-compose`](modules/manager/docker-compose/index.md)
 - [`dockerfile`](modules/manager/dockerfile/index.md)
 - [`droneci`](modules/manager/droneci/index.md)
@@ -3853,6 +3854,11 @@ You could then configure a schedule like this at the repository level:
 This would mean that Renovate can run for 7 hours each night, plus all the time on weekends.
 Note how the above example makes use of the "OR" logic of combining multiple schedules in the array.
 
+<!-- prettier-ignore -->
+!!! note
+    If both the day of the week _and_ the day of the month are restricted in the schedule, then Renovate only runs when both the day of the month _and_ day of the week match!
+    For example: `* * 1-7 * 4` means Renovate only runs on the _first_ Thursday of the month.
+
 It's common to use `schedule` in combination with [`timezone`](#timezone).
 You should configure [`updateNotScheduled=false`](#updatenotscheduled) if you want the schedule more strictly enforced so that _updates_ to existing branches aren't pushed out of schedule.
 You can also configure [`automergeSchedule`](#automergeschedule) to limit the hours in which branches/PRs are _automerged_ (if [`automerge`](#automerge) is configured).

docs/usage/docker.md

@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n
     service_account: ${{ env.SERVICE_ACCOUNT }}
 
 - name: renovate
-  uses: renovatebot/github-action@v41.0.5
+  uses: renovatebot/github-action@v41.0.6
   env:
     RENOVATE_HOST_RULES: |
       [
@@ -478,7 +478,7 @@ Make sure to install the Google Cloud SDK into the custom image, as you need the
 For example:
 
 ```Dockerfile
-FROM renovate/renovate:39.42.4
+FROM renovate/renovate:39.57.4
 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
 # under "Installation" for "Debian/Ubuntu"
 RUN ...

docs/usage/examples/opentelemetry.md

@@ -13,7 +13,7 @@ version: '3'
 services:
   # Jaeger
   jaeger:
-    image: jaegertracing/all-in-one:1.63.0
+    image: jaegertracing/all-in-one:1.64.0
     ports:
       - '16686:16686'
       - '4317'

docs/usage/examples/self-hosting.md

@@ -25,8 +25,8 @@ It builds `latest` based on the `main` branch and all SemVer tags are published
 ```sh title="Example of valid tags"
 docker run --rm renovate/renovate
 docker run --rm renovate/renovate:39
-docker run --rm renovate/renovate:39.42
-docker run --rm renovate/renovate:39.42.4
+docker run --rm renovate/renovate:39.57
+docker run --rm renovate/renovate:39.57.4
 ```
 
 <!-- prettier-ignore -->
@@ -62,7 +62,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.42.4
+              image: renovate/renovate:39.57.4
               args:
                 - user/repo
               # Environment Variables
@@ -121,7 +121,7 @@ spec:
       template:
         spec:
           containers:
-            - image: renovate/renovate:39.42.4
+            - image: renovate/renovate:39.57.4
               name: renovate-bot
               env: # For illustration purposes, please use secrets.
                 - name: RENOVATE_PLATFORM
@@ -367,7 +367,7 @@ spec:
           containers:
             - name: renovate
               # Update this to the latest available and then enable Renovate on the manifest
-              image: renovate/renovate:39.42.4
+              image: renovate/renovate:39.57.4
               volumeMounts:
                 - name: ssh-key-volume
                   readOnly: true

docs/usage/faq.md

@@ -29,37 +29,6 @@ The Renovate team only fixes bugs in an older version if:
 If you're using the Mend Renovate App, you don't need to do anything, as the Renovate maintainers update it regularly.
 If you're self hosting Renovate, use the latest release if possible.
 
-## When is the Mend Renovate App updated with new Renovate versions?
-
-The Renovate maintainers manually update the app.
-The maintainers don't follow any release schedule or release cadence, but try to update at least once a week.
-This means the Mend Renovate App can lag a few hours to a week behind the open source version.
-
-Major releases of Renovate are held back until the maintainers are reasonably certain it works for most users.
-
-## How can I see which version the Mend Renovate app is using?
-
-Follow these steps to see which version the Mend Renovate app is on:
-
-1. Go to the [Mend Developer Portal](https://developer.mend.io/)
-1. Sign in to the Renovate app with your GitHub or Bitbucket account
-1. Select your organization
-1. Select a installed repository
-1. Select a job from the _Recent jobs_ overview
-1. Select the _Info_ Log Level from the dropdown menu
-1. You should see something like this:
-
-   ```
-   INFO: Repository started
-   {
-     "renovateVersion": "39.11.5"
-   }
-   ```
-
-<!-- prettier-ignore -->
-!!! tip
-    The PRs that Renovate creates have a link to the "repository job log" in the footer of the PR body text.
-
 ## Renovate core features not supported on all platforms
 
 | Feature               | Platforms which lack feature                    | See Renovate issue(s)                                        |

docs/usage/mend-hosted/credentials.md

@@ -4,12 +4,13 @@ The information on this page is for the Mend-hosted cloud apps:
 
 - Renovate App on GitHub
 - Mend App on Bitbucket
+- Mend App on Azure DevOps
 
 If you self-host, you can skip reading this page.
 
 ## :warning: Migrate secrets in your Renovate config file :warning:
 
-The Mend-hosted cloud app will stop reading secrets from the Renovate config file in your repository on 01-Oct-2024.
+Use of encrypted secrets in the Mend Renovate cloud apps has been deprecated and soon the apps will stop reading secrets from the Renovate config file in your repository.
 You must migrate any secrets you currently keep in the Renovate config file, and put them in the app settings page on [developer.mend.io](https://developer.mend.io).
 To add secrets you must have admin-level rights.
 

docs/usage/mend-hosted/hosted-apps-config.md

@@ -17,6 +17,36 @@ The Renovate logs for the Mend-hosted apps are on the [Mend Developer Portal](ht
 
 Reading the logs can help you understand the configuration that Renovate used.
 
+## Renovate Version
+
+The Renovate version used by the Mend-hosted apps is updated manually by the maintainers of the app.
+The maintainers don't follow any release schedule or release cadence, but try to update at least once a week.
+This means the Mend Renovate App can lag a few hours to a week behind the open source version.
+
+Major releases of Renovate are held back until the maintainers are reasonably certain it works for most users.
+
+### Which version is the Mend Renovate app using?
+
+Follow these steps to see which version the Mend Renovate app used for a specific job:
+
+1. Sign in to the [Mend Developer Portal](https://developer.mend.io/) with your GitHub or Bitbucket account
+1. Select your organization
+1. Select a installed repository
+1. Select a job from the _Recent jobs_ overview
+1. Select the _Info_ Log Level from the dropdown menu
+1. You should see something like this:
+
+   ```
+   INFO: Repository started
+   {
+     "renovateVersion": "39.11.5"
+   }
+   ```
+
+<!-- prettier-ignore -->
+!!! tip
+    The PRs that Renovate creates have a link to the "repository job log" in the footer of the PR body text.
+
 ## Onboarding behavior
 
 ### Installing Renovate into all repositories leads to silent mode

docs/usage/nuget.md

@@ -130,6 +130,23 @@ If you use Azure DevOps:
     The username of the PAT must match the username of the _user of the PAT_.
     The generated `nuget.config` forces the basic authentication, which cannot be overridden externally!
 
+## Ignoring package files when using presets
+
+Because `nuget` manager has a dedicated `ignorePaths` entry in the `:ignoreModulesAndTests` preset, if you're using any presets that extend it (like `config:recommended`), you need to put your `ignorePaths` inside the `nuget` section for it to be merged.
+For example:
+
+```json
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "nuget": {
+    "ignorePaths": ["IgnoreThisPackage/**"]
+  }
+}
+```
+
+Otherwise, all `nuget.ignorePaths` values in `:ignoreModulesAndTests` will override values you put inside `ignorePaths` at the top-level config.
+
 ## Future work
 
 We welcome contributions or feature requests to support more patterns or use cases.

lib/config/massage.spec.ts

@@ -17,15 +17,6 @@ describe('config/massage', () => {
       expect(Array.isArray(res.schedule)).toBeTrue();
     });
 
-    it('massages npmToken', () => {
-      const config: RenovateConfig = {
-        npmToken: 'some-token',
-      };
-      expect(massage.massageConfig(config)).toEqual({
-        npmrc: '//registry.npmjs.org/:_authToken=some-token\n',
-      });
-    });
-
     it('massages packageRules matchUpdateTypes', () => {
       const config: RenovateConfig = {
         packageRules: [

lib/config/massage.ts

@@ -21,9 +21,6 @@ export function massageConfig(config: RenovateConfig): RenovateConfig {
   for (const [key, val] of Object.entries(config)) {
     if (allowedStrings.includes(key) && is.string(val)) {
       massagedConfig[key] = [val];
-    } else if (key === 'npmToken' && is.string(val) && val.length < 50) {
-      massagedConfig.npmrc = `//registry.npmjs.org/:_authToken=${val}\n`;
-      delete massagedConfig.npmToken;
     } else if (is.array(val)) {
       massagedConfig[key] = [];
       val.forEach((item) => {