ci(renovate): automerge non-major + lockfile, document registry mapping

Automerge third-party minor/patch updates and lockfile maintenance via
Gitea auto-merge; @played/* and majors stay manual. Document the bunfig.toml
scope mapping and the no-PR-CI automerge caveat.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

README.md

@@ -61,4 +61,14 @@ Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies ali
 
 Listed in `renovate.yml` under `RENOVATE_REPOSITORIES` (the six games + `plaza`). Add the shared packages (`app-ui`, `games-registry`, `api-core`, …) to that list to manage them too, or switch to `RENOVATE_AUTODISCOVER=true` with `RENOVATE_AUTODISCOVER_FILTER=played/*`.
 
-> The bot only keeps versions *current* together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a [`syncpack`](https://github.com/JamieMason/syncpack) check.
+### Automerge
+
+Third-party non-major (minor/patch) updates and weekly lockfile maintenance automerge (`platformAutomerge` → Gitea's "auto-merge"); `@played/*` bumps and majors stay manual (a `@played` minor can be breaking pre-1.0, and merging redeploys the game).
+
+> ⚠️ There's currently no PR-level build check, so an automerged PR isn't validated before it lands on `main` (and triggers the deploy). If a bump breaks the build you'll find out at deploy time, not at merge. To make automerge safe, add a lightweight "build on PR" workflow and a required status check — then Renovate only merges green PRs.
+
+### Registry resolution
+
+`@played`/`@unom`/etc. scopes are mapped to the Gitea registry via a committed `bunfig.toml` in each repo (token-free). Without it, Renovate's lockfile `bun install` falls back to `registry.npmjs.org` and 404s. Auth comes from `RENOVATE_NPMRC` (the `NPMRC` secret), the gitignored local `.npmrc`, and the mounted build secret.
+
+> Keeping versions *current* together isn't *hard parity*. For "every repo on the exact same version, CI red on drift", pair this with a [`syncpack`](https://github.com/JamieMason/syncpack) check.

renovate-config.json

@@ -4,17 +4,20 @@
 	"timezone": "Europe/Berlin",
 	"rangeStrategy": "bump",
 	"labels": ["dependencies"],
+	"platformAutomerge": true,
 	"packageRules": [
 		{
-			"description": "Bump the internal @played/* packages together, promptly.",
+			"description": "Bump the internal @played/* packages together. Manual merge — 0.x bumps can be breaking and merging redeploys the game.",
 			"matchPackageNames": ["/^@played//"],
-			"groupName": "@played packages"
+			"groupName": "@played packages",
+			"automerge": false
 		},
 		{
-			"description": "Batch third-party non-major updates into one PR to cut noise.",
+			"description": "Batch third-party non-major updates into one PR and automerge.",
 			"matchUpdateTypes": ["minor", "patch"],
 			"matchPackageNames": ["!/^@played//"],
-			"groupName": "non-major dependencies"
+			"groupName": "non-major dependencies",
+			"automerge": true
 		},
 		{
 			"description": "Internal Gitea reusable workflow (pinned @main) — not a github.com action, don't manage it.",
@@ -25,6 +28,7 @@
 	],
 	"lockFileMaintenance": {
 		"enabled": true,
+		"automerge": true,
 		"schedule": ["before 9am on monday"]
 	}
 }