chore(config): migrate Renovate config (#10)

Auto-merge: Renovate config migration (matchPackagePrefixes -> matchPackageNames).

.gitea/workflows/security.yml

@@ -0,0 +1,21 @@
+name: Security
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+jobs:
+  scan:
+    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
+    with:
+      # MessageStore.cs uses string-interpolation in CommandText for table
+      # names and clause-joins that come from internal code constants, not
+      # user input. Values are bound via SqlParameter, the SQL surface is
+      # local-only inside a Dalamud plugin. Semgrep matches the pattern
+      # without dataflow, so it flags those eight call sites; CodeQL
+      # would not. Suppressed for this repo only.
+      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
+

renovate.json

@@ -0,0 +1,97 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    ":timezone(Europe/Berlin)",
+    "schedule:weekly"
+  ],
+  "labels": [
+    "dependencies",
+    "renovate"
+  ],
+  "assignees": [
+    "JonKazama-Hellion"
+  ],
+  "prHourlyLimit": 10,
+  "prConcurrentLimit": 20,
+  "rebaseWhen": "behind-base-branch",
+  "ignoreDeps": [
+    "actions/release-action",
+    "https://gitea.com/actions/release-action"
+  ],
+  "packageRules": [
+    {
+      "description": "Group all minor and patch updates per ecosystem in one PR",
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "groupName": "minor and patch updates ({{manager}})"
+    },
+    {
+      "description": "Major updates always get their own PR with breaking-change label",
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "labels": [
+        "dependencies",
+        "major-update",
+        "breaking-change"
+      ],
+      "addLabels": [
+        "needs-review"
+      ]
+    },
+    {
+      "description": "TypeScript type definitions stay grouped with each other",
+      "groupName": "type definitions",
+      "matchPackageNames": [
+        "@types/{/,}**"
+      ]
+    },
+    {
+      "description": "Dev dependencies in their own group",
+      "matchDepTypes": [
+        "devDependencies"
+      ],
+      "groupName": "dev dependencies"
+    },
+    {
+      "description": "Pin GitHub Action versions by SHA for supply-chain hygiene",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "pinDigests": true
+    },
+    {
+      "description": "Branch-ref refs (e.g. @main) cannot be tag-resolved — disable lookups for our known offenders",
+      "matchManagers": [
+        "gitea-tags"
+      ],
+      "matchPackageNames": [
+        "actions/release-action"
+      ],
+      "enabled": false
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "labels": [
+      "security",
+      "vulnerability"
+    ],
+    "schedule": [
+      "at any time"
+    ],
+    "prPriority": 10
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": [
+      "before 6am on monday"
+    ],
+    "commitMessageAction": "Refresh"
+  },
+  "osvVulnerabilityAlerts": true
+}