From c126b718527db7817d131eabe6227e7f18d140fc Mon Sep 17 00:00:00 2001
From: Micha <michideheld@gmx.de>
Date: Wed, 10 Jun 2026 16:21:57 +0200
Subject: [PATCH] renovate: Kritische Kerninfra aus minor-patch-Sammel-PR
 ausgliedern

Traefik (Public-Entrypoint), Unbound (DNS), n8n und Nextcloud bekommen eigene PRs statt im gruppierten minor-and-patch-updates-PR zu landen. Erzwingt kontrollierten, einzeln reviewbaren Merge pro kritischem Dienst (WORKFLOW.md: keine mehreren kritischen Dienste gleichzeitig migrieren).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 renovate.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/renovate.json b/renovate.json
index 9d1a2dd..73c6364 100644
--- a/renovate.json
+++ b/renovate.json
@@ -38,6 +38,19 @@
       "automerge": false,
       "labels": ["dependencies", "minor-patch"]
     },
+    {
+      "description": "Kritische Kerninfra (Traefik=Public-Entrypoint, Unbound=DNS, n8n, Nextcloud): nicht im Sammel-PR, eigene einzeln reviewbare PRs, kein Auto-Merge",
+      "matchManagers": ["docker-compose", "dockerfile"],
+      "matchPackageNames": [
+        "traefik",
+        "shaanmajid/unbound",
+        "docker.n8n.io/n8nio/n8n",
+        "nextcloud"
+      ],
+      "groupName": null,
+      "automerge": false,
+      "labels": ["dependencies", "core-critical"]
+    },
     {
       "description": "Stateful Tier-1 (Postgres, Mongo, Redis): keine Auto-Group, einzelne PRs, kein Auto-Merge",
       "matchPackageNames": [