feat(renovate): gate Expo SDK updates behind the dependency dashboard

expo, react, react-native and Expo-managed modules (expo-*, @expo/*) are pinned by the Expo SDK and must be upgraded together via `expo install --fix`. Individual Renovate update PRs for them risk broken builds, so group them as "Expo SDK" and require manual dashboard approval.
fix(renovate): resolve maven lookups and unnest misplaced config
2026-06-10 07:50:30 +01:00 · 2026-06-10 01:22:55 +02:00 · 2026-06-10 01:14:38 +02:00 · 2026-06-09 23:25:26 +02:00 · 2026-06-09 22:37:14 +02:00 · 2026-06-09 21:43:22 +02:00
10 changed files with 61 additions and 41 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -44,22 +44,42 @@
      ]
    }
  },
-  "lockFileMaintenance": {
-    "vulnerabilityAlerts": {
-      "enabled": true,
-      "addLabels": ["security", "vulnerability"],
-      "assigneesFromCodeOwners": true,
-      "commitMessageSuffix": " [SECURITY]"
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "addLabels": ["security", "vulnerability"],
+    "assigneesFromCodeOwners": true,
+    "commitMessageSuffix": " [SECURITY]"
+  },
+  "packageRules": [
+    {
+      "description": "Expo SDK coherence: expo, react, react-native and Expo-managed modules are pinned by the Expo SDK and must move together (via `expo install --fix`), so do not raise individual update PRs — group them and require manual approval from the Dependency Dashboard",
+      "matchPackageNames": [
+        "expo",
+        "react",
+        "react-dom",
+        "react-native",
+        "react-native-web",
+        "expo-*",
+        "@expo/*"
+      ],
+      "groupName": "Expo SDK",
+      "dependencyDashboardApproval": true
    },
-    "packageRules": [
-      {
-        "description": "Group minor and patch GitHub Action updates into a single PR",
-        "matchManagers": ["github-actions"],
-        "groupName": "CI dependencies",
-        "groupSlug": "ci-deps",
-        "matchUpdateTypes": ["minor", "patch", "digest", "pin"],
-        "automerge": true
-      }
-    ]
-  }
+    {
+      "description": "Group minor and patch GitHub Action updates into a single PR",
+      "matchManagers": ["github-actions"],
+      "groupName": "CI dependencies",
+      "groupSlug": "ci-deps",
+      "matchUpdateTypes": ["minor", "patch", "digest", "pin"],
+      "automerge": true
+    },
+    {
+      "description": "androidx and other Google-hosted Maven packages resolve from Google's Maven repository (not Maven Central)",
+      "matchDatasources": ["maven"],
+      "registryUrls": [
+        "https://dl.google.com/dl/android/maven2/",
+        "https://repo.maven.apache.org/maven2/"
+      ]
+    }
+  ]
 }
--- a/.github/workflows/build-apps.yml
+++ b/.github/workflows/build-apps.yml
@@ -33,7 +33,7 @@ jobs:
          swap-storage: false

      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -116,7 +116,7 @@ jobs:
          swap-storage: false

      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -187,7 +187,7 @@ jobs:

    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -222,7 +222,7 @@ jobs:
          xcode-version: "26.5"

      - name: 🏗️ Setup EAS
-        uses: expo/expo-github-action@b184ff86a3c926240f1b6db41764c83a01c02eef # main
+        uses: expo/expo-github-action@eab7a230208c952974db8c3245cfd78402c7b385 # main
        with:
          eas-version: latest
          token: ${{ secrets.EXPO_TOKEN }}
@@ -252,7 +252,7 @@ jobs:

    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -312,7 +312,7 @@ jobs:

    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -347,7 +347,7 @@ jobs:
          xcode-version: "26.5"

      - name: 🏗️ Setup EAS
-        uses: expo/expo-github-action@b184ff86a3c926240f1b6db41764c83a01c02eef # main
+        uses: expo/expo-github-action@eab7a230208c952974db8c3245cfd78402c7b385 # main
        with:
          eas-version: latest
          token: ${{ secrets.EXPO_TOKEN }}
@@ -380,7 +380,7 @@ jobs:

    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
--- a/.github/workflows/check-lockfile.yml
+++ b/.github/workflows/check-lockfile.yml
@@ -19,7 +19,7 @@ jobs:

    steps:
      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          show-progress: false
--- a/.github/workflows/ci-codeql.yml
+++ b/.github/workflows/ci-codeql.yml
@@ -24,16 +24,16 @@ jobs:

    steps:
      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: 🏁 Initialize CodeQL
-        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended,security-and-quality

      - name: 🛠️ Autobuild
-        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

      - name: 🧪 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: 📥 Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0

--- a/.github/workflows/detect-duplicate.yml
+++ b/.github/workflows/detect-duplicate.yml
@@ -21,7 +21,7 @@ jobs:
      contents: read
    steps:
      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: 🍞 Setup Bun
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -51,7 +51,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
@@ -69,7 +69,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: 🛒 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
@@ -101,7 +101,7 @@ jobs:

    steps:
      - name: "📥 Checkout PR code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -63,7 +63,7 @@ jobs:

    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          submodules: recursive
@@ -88,7 +88,7 @@ jobs:
          bun run submodule-reload

      - name: 🏗️ Setup EAS
-        uses: expo/expo-github-action@b184ff86a3c926240f1b6db41764c83a01c02eef # main
+        uses: expo/expo-github-action@eab7a230208c952974db8c3245cfd78402c7b385 # main
        with:
          eas-version: latest
          token: ${{ secrets.EXPO_TOKEN }}
@@ -182,7 +182,7 @@ jobs:
      actions: read # required for `gh run download` to list/fetch this run's artifacts
    steps:
      - name: 📥 Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          show-progress: false
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -27,7 +27,7 @@ jobs:
      security-events: write # upload SARIF to code scanning
    steps:
      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
      # instead of a fresh immutable entry per run, still refreshing the DB every week.
@@ -54,7 +54,7 @@ jobs:
          output: trivy-results.sarif

      - name: 📤 Upload results to code scanning
-        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs
--- a/.github/workflows/update-issue-form.yml
+++ b/.github/workflows/update-issue-form.yml
@@ -18,7 +18,7 @@ jobs:

    steps:
      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: "🟢 Setup Node.js"
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
Author	SHA1	Message	Date
Gauvain	4f8a4a0ab9	feat(renovate): gate Expo SDK updates behind the dependency dashboard expo, react, react-native and Expo-managed modules (expo-, @expo/) are pinned by the Expo SDK and must be upgraded together via `expo install --fix`. Individual Renovate update PRs for them risk broken builds, so group them as "Expo SDK" and require manual dashboard approval.	2026-06-10 01:22:55 +02:00
Gauvain	960563f66a	fix(renovate): resolve maven lookups and unnest misplaced config - Add a packageRule routing the maven datasource through Google's Maven repo so androidx packages (androidx.tvprovider, androidx.core-ktx) in modules/tv-recommendations resolve instead of failing with no-result. - Move vulnerabilityAlerts and the GitHub-Actions grouping packageRule out of lockFileMaintenance (where they were dead) to the top level so they take effect. lockFileMaintenance stays enabled via the config:best-practices preset (:maintainLockFilesWeekly) — unchanged. Addresses the package-lookup warnings in the Dependency Dashboard (#724).	2026-06-10 01:14:38 +02:00
renovate[bot]	168bf2e54e	chore(deps): Update github/codeql-action action to v4.36.2 (#1687 ) Some checks are pending 🏗️ Build Apps / 🍎 Build tvOS IPA (Unsigned) (push) Waiting to run Details 🏗️ Build Apps / 🤖 Build Android APK (Phone) (push) Waiting to run Details 🏗️ Build Apps / 🤖 Build Android APK (TV) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build iOS IPA (Phone) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build iOS IPA (Phone - Unsigned) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build tvOS IPA (push) Waiting to run Details 🔒 Lockfile Consistency Check / 🔍 Check bun.lock and package.json consistency (push) Waiting to run Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (actions) (push) Waiting to run Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (javascript-typescript) (push) Waiting to run Details 🏷️🔀Merge Conflict Labeler / 🏷️ Labeling Merge Conflicts (push) Waiting to run Details 🌐 Translation Sync / sync-translations (push) Waiting to run Details 🚦 Security & Quality Gate / 🚑 Expo Doctor Check (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (check) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (format) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (i18n:check) (push) Waiting to run Details 🚦 Security & Quality Gate / 📝 Validate PR Title (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Vulnerable Dependencies (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (lint) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (typecheck) (push) Waiting to run Details 🛡️ Trivy Security Scan / 🔎 Filesystem scan (push) Waiting to run Details	2026-06-09 23:25:26 +02:00
renovate[bot]	6f0230c2ca	chore(deps): Update expo/expo-github-action digest to eab7a23 (#1685 )	2026-06-09 22:37:14 +02:00
renovate[bot]	d12beee529	chore(deps): Update actions/checkout action to v6.0.3 (#1686 )	2026-06-09 21:43:22 +02:00