From b7c51131b3586d523abc68d52335ea77c6e06e14 Mon Sep 17 00:00:00 2001
From: Malte Viering
Date: Wed, 10 Jun 2026 07:16:12 +0000
Subject: [PATCH 1/2] fix(renovate): pin python to 3.13 and harden config rules

- Revert python-version to 3.13 in setup-claude-code-action/action.yml for compatibility with upstream anthropics/claude-code-action.
- Revert constraints.python to 3.13 in renovate.json.
- Replace broken 'matchManagers: [tool-constraint]' rule (which never matched anything; tool-constraint is a depType, not a manager id) with 'matchDepTypes: [tool-constraint], enabled: false'. This is the actual root cause that allowed renovate to bump constraints.python from 3.13 to 3.14 in #908.
- Add 'matchPackageNames: [python], allowedVersions: 3.13.x' as a hard version cap.
- Add file-scoped 'automerge: false' rule for .github/actions/setup-claude-code-action/action.yml as a tripwire so any future bump in this file requires manual review.

Rules are placed after the 'External dependencies' catch-all so that later-rule-wins semantics override the catch-all's automerge: true.
---
 .../setup-claude-code-action/action.yml | 2 +-
 .github/renovate.json | 21 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/.github/actions/setup-claude-code-action/action.yml b/.github/actions/setup-claude-code-action/action.yml
index dbc832aba..de25bab99 100644
--- a/.github/actions/setup-claude-code-action/action.yml
+++ b/.github/actions/setup-claude-code-action/action.yml
@@ -41,7 +41,7 @@ runs:
       - name: Setup Python
         uses: actions/setup-python@v6
         with:
-          python-version: "3.14"
+          python-version: "3.13"
 
       - name: Install LiteLLM dependencies
         shell: bash
diff --git a/.github/renovate.json b/.github/renovate.json
index 3d6fb014a..bd8ee58e1 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -11,7 +11,7 @@
   "commitMessageAction": "Renovate: Update",
   "constraints": {
     "go": "1.26",
-    "python": "3.14"
+    "python": "3.13"
   },
   "dependencyDashboardOSVVulnerabilitySummary": "all",
   "osvVulnerabilityAlerts": true,
@@ -62,10 +62,6 @@
     }
   ],
   "packageRules": [
-    {
-      "matchManagers": ["tool-constraint"],
-      "enabled": false
-    },
     {
       "matchPackageNames": [
         "golang"
@@ -125,13 +121,16 @@
       "enabled": false
     },
     {
-      "matchPackageNames": [
-        "python"
-      ],
-      "matchFileNames": [
-        ".github/actions/setup-claude-code-action/**"
-      ],
+      "matchDepTypes": ["tool-constraint"],
       "enabled": false
+    },
+    {
+      "matchPackageNames": ["python"],
+      "allowedVersions": "3.13.x"
+    },
+    {
+      "matchFileNames": [".github/actions/setup-claude-code-action/action.yml"],
+      "automerge": false
     }
   ],
   "prHourlyLimit": 0,

From 990ae6159b8ab9a8a32159da00f7f962e0b1ab42 Mon Sep 17 00:00:00 2001
From: Malte Viering
Date: Wed, 10 Jun 2026 07:20:07 +0000
Subject: [PATCH 2/2] fix(renovate): disable automerge for renovate.json itself

Defense-in-depth: any Renovate-managed update touching the renovate config (e.g. constraints, pinned presets) must be reviewed manually rather than auto-merged. Currently a no-op because tool-constraint deps are already fully disabled by the matchDepTypes rule, but protects against future config drift if those rules are weakened or if pinned presets are added.
---
 .github/renovate.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index bd8ee58e1..3f92763da 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -131,6 +131,10 @@
     {
       "matchFileNames": [".github/actions/setup-claude-code-action/action.yml"],
       "automerge": false
+    },
+    {
+      "matchFileNames": [".github/renovate.json"],
+      "automerge": false
     }
   ],
   "prHourlyLimit": 0,
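Review bot: The new `"matchPackageNames": ["python"]` rule in the `@@ -125,13 +121,16 @@` hunk of renovate.json is not scoped by manager, depType or file, so `"allowedVersions": "3.13.x"` caps every dependency Renovate resolves under the name `python` — if this repository also has a `python` Docker base image or a `python` entry in a tool-version file (not visible here), that dependency would be held at 3.13 and stop receiving later minor/major updates, including their security fixes. If the cap is meant only for the constraint and the action file, narrow it with something like `"matchFileNames": [".github/renovate.json", ".github/actions/setup-claude-code-action/action.yml"]` on the same rule; it is also worth confirming that `3.13.x` is accepted by the versioning Renovate applies to these deps, since Renovate documents a regex form such as `"/^3\\.13\\./"` that is independent of the versioning scheme. The three added rules also carry none of the reasoning given in the commit message; Renovate accepts a `"description"` key on each package rule, e.g. `"description": "Tripwire: any bump of the pinned Python in this action needs manual review"`, which keeps the intent where the next editor of the file will see it. The `packageRules` array continues outside the hunk.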