Michael Kriese

you can probably use an init container to create the token and pass it to the renovate container.

the version v2.1.0 on npmjs is build from wrong commit / source, it still has the `verbose` package dependency - https://github.com/containerbase/base/pull/4835#issuecomment-3188741425 - https://www.npmjs.com/package/bats-assert?activeTab=code

oh, i see. i was confused by github release page. it says 0 commits to ... 😕

Looks like you referring to https://docs.renovatebot.com/configuration-options/#lockfilemaintenance Which is currently not supported for gomod

it seems this git vulnerabillity is also wrongly classified: https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329 

Seeing similar issue here https://codeberg.org/forgejo/forgejo/pulls/6415 ``` DEBUG: syncBranchState() (repository=forgejo/forgejo, baseBranch=forgejo, branch=renovate/forgejo-lock-file-maintenance) DEBUG: branch.isUpToDate(): using cached result "true" (repository=forgejo/forgejo, baseBranch=forgejo, branch=renovate/forgejo-lock-file-maintenance) DEBUG: getBranchPr(renovate/forgejo-lock-file-maintenance) (repository=forgejo/forgejo, baseBranch=forgejo, branch=renovate/forgejo-lock-file-maintenance) DEBUG: findPr(renovate/forgejo-lock-file-maintenance, undefined, open) (repository=forgejo/forgejo,...

> > I recall you mentioning that buildpacks aren't normally on Docker Hub? But in your examples like these: > > > > ``` > > [[io.buildpacks.group]] > > uri...

We can use https://api.adoptium.net/v3/info/available_releases to know which versions are stable (lts) https://api.adoptium.net/q/swagger-ui/#/Release%20Info/getAvailableReleases

> Why not make the logic higher-level? > > In my opinion, if any `onboardingConfig` is set at all (even empty), then we shouldn't hunt for any default extends `onboardingConfig`...

that's why you should not use main branch as source for a PR. we've a precommit check which should error out and disallow main