refactor(renovate): consolidate packageRules and fix major-grace ordering

[JacobPEvans-personal]

Summary

Five consolidations to renovate-presets.json. Line count drops 244 → 188 (-56 lines, -23%). One behavior fix included.

1. Merge the two major-update packageRules

Two rules with identical matchUpdateTypes: ["major"] selectors collapsed into one with both attributes (minimumReleaseAge: 30 days, automerge: false).

2. Fix the ordering — 30-day grace now actually applies to trusted-org majors

Previously the trusted-orgs rule appeared AFTER the major rule. Renovate's last-match-wins per-attribute merge meant trusted-org majors auto-merged at 1 day, silently bypassing the 30-day grace. New order:

1. gh-aw disable
2. Trusted orgs (1d, automerge=true)
3. Major default (30d, automerge=false) ← wins over trusted-orgs for majors
4. Own-orgs (0d, automerge=true) ← wins over major-default for own-orgs

Behavior matrix after:

Package	Update	Result
actions/checkout v5 (trusted, major)	30 days, manual review
actions/checkout v4.2.0 (trusted, minor)	1 day, auto-merge
JacobPEvans/something v2 (own, major)	0 days, auto-merge
requests v3 (external, major)	30 days, manual review
Any CVE-driven bump	0 days, auto-merge (via vulnerabilityAlerts)

3. Add dryvist/** to the own-orgs auto-merge

dryvist is your second org (11 public repos). Own deps should keep immediate merging for all update types including major.

4. Dedup the trusted-orgs matchPackageNames list

Every org was listed twice — actions/** AND https://github.com/actions/**. Renovate matches matchPackageNames against the resolved packageName, which is owner/repo for both GitHub Actions (github-tags datasource) and Nix flake github: inputs.

Verified the URL form was dead code:

```
$ gh search code 'depName=https://github.com/' org:JacobPEvans
(no results)
```

~54 dead entries removed.

5. Unify the two Python-manager rules' manager lists

The minor/patch auto-merge rule covered only pep621, pip_requirements. The major bump rule covers all five Python managers (pep621, pip_requirements, pip_setup, poetry, pipenv). Made the lists match — pip_setup, poetry, and pipenv minor/patch updates now auto-merge twice-weekly too (was an unintentional gap).

Test plan

• No JSON schema validation errors (jq . renovate-presets.json passes)
• Renovate dependency dashboard refreshes in a consumer repo within the next scheduled scan, no preset-fetch errors
• Next actions/** major Renovate PR observably waits ≥ 30 days from release before opening, does not auto-merge
• Next JacobPEvans/** or dryvist/** update (any type) auto-merges immediately
• Next CVE alert still opens a 0-day PR via vulnerabilityAlerts
• First poetry/pipenv minor/patch update post-merge auto-merges (previously gated on manual review)

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the Renovate configuration to streamline package management rules and ensure consistent update behavior. By reordering rule precedence and unifying manager lists, the changes enforce a safer 30-day grace period for major updates while ensuring own-org dependencies and minor/patch updates remain auto-merged. The cleanup also removes significant dead configuration entries, improving maintainability.

Highlights

• Consolidation of Package Rules: Reduced the configuration file size by 23% by merging redundant major-update rules and cleaning up package match lists.
• Improved Major Update Ordering: Reordered rules to ensure the 30-day grace period for major updates is correctly applied, while maintaining immediate auto-merge for own-org dependencies.
• Python Manager Alignment: Unified the Python manager lists across minor/patch and major update rules to close an unintentional gap in auto-merge coverage for pip_setup, poetry, and pipenv.
• Dead Code Removal: Removed ~54 redundant URL-based package name entries, as Renovate matches against resolved owner/repo strings.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

Rules defined in JSON flow, / To keep our dependencies in tow. / Major bumps now wait their turn, / While minor patches quickly learn.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩