ci: add self-hosted Renovate for cross-repo dependency sync

Scheduled Renovate bot (renovate.yml) + shared preset (renovate-config.json)
that every game/plaza repo extends, so dependency bumps land the same way
across repos. @played/* grouped together, third-party non-major batched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/renovate.yml

@@ -0,0 +1,65 @@
+name: Renovate
+run-name: Renovate dependency sync
+
+# Self-hosted Renovate bot for the played ecosystem. Runs on a schedule (and
+# on demand) against the game repos, opening grouped dependency-update PRs.
+# Every target repo extends the shared preset (renovate-config.json in this
+# repo) so versions stay aligned across repos — see RENOVATE_ONBOARDING_CONFIG.
+#
+# One-time setup (cannot be scripted here):
+#   1. Create a Gitea PAT (a `renovate` bot user is cleanest) with scopes:
+#      read:user, write:repository, write:issue. Add it as the Actions secret
+#      RENOVATE_TOKEN (org-level, or on this `workflows` repo).
+#   2. Ensure the existing NPMRC secret (registry + @played auth) is visible to
+#      this repo's Actions run (org-level secret recommended).
+#   3. Push this repo, then trigger once via "Run workflow" (workflow_dispatch).
+#      Renovate opens a "Configure Renovate" onboarding PR in each repo below;
+#      merge them and it's live.
+
+on:
+  schedule:
+    # Mondays 06:00 UTC. Gitea cron is UTC; the preset's `timezone` governs
+    # Renovate's own schedule strings.
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: Log level
+        type: choice
+        options: [info, debug]
+        default: info
+      dryRun:
+        description: Dry run (no branches/PRs)
+        type: boolean
+        default: false
+
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Run Renovate
+        env:
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          # Reuse the build-time npmrc so Renovate can resolve @played/* from
+          # the Gitea registry.
+          RENOVATE_NPMRC: ${{ secrets.NPMRC }}
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+          RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || '' }}
+        run: |
+          docker run --rm \
+            -e RENOVATE_TOKEN \
+            -e RENOVATE_NPMRC \
+            -e LOG_LEVEL \
+            -e RENOVATE_DRY_RUN \
+            -e RENOVATE_PLATFORM=gitea \
+            -e RENOVATE_ENDPOINT=https://git.unom.io/api/v1/ \
+            -e RENOVATE_GIT_AUTHOR='Renovate Bot <renovate@unom.io>' \
+            -e RENOVATE_AUTODISCOVER=false \
+            -e RENOVATE_ONBOARDING=true \
+            -e RENOVATE_ONBOARDING_CONFIG='{"$schema":"https://docs.renovatebot.com/renovate-schema.json","extends":["local>played/workflows:renovate-config"]}' \
+            -e RENOVATE_REPOSITORIES='played/relayer,played/rememed,played/remplir,played/resolu,played/rejouer,played/refaire,played/plaza' \
+            renovate/renovate:latest

README.md

@@ -45,3 +45,19 @@ jobs:
 - The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
 - Secrets dir is `~/<game-id>-secrets/`.
 - `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.
+
+## `renovate.yml` + `renovate-config.json`
+
+Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies aligned across the game repos. `renovate.yml` is a scheduled bot (Mondays 06:00 UTC, plus manual `workflow_dispatch`); `renovate-config.json` is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (`@played/*` together; third-party non-major batched) to keep PR noise down.
+
+### One-time setup
+
+1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo).
+2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions.
+3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live.
+
+### Target repos
+
+Listed in `renovate.yml` under `RENOVATE_REPOSITORIES` (the six games + `plaza`). Add the shared packages (`app-ui`, `games-registry`, `api-core`, …) to that list to manage them too, or switch to `RENOVATE_AUTODISCOVER=true` with `RENOVATE_AUTODISCOVER_FILTER=played/*`.
+
+> The bot only keeps versions *current* together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a [`syncpack`](https://github.com/JamieMason/syncpack) check.

renovate-config.json

@@ -0,0 +1,24 @@
+{
+	"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+	"extends": ["config:recommended", ":dependencyDashboard", ":semanticCommits"],
+	"timezone": "Europe/Berlin",
+	"rangeStrategy": "bump",
+	"labels": ["dependencies"],
+	"packageRules": [
+		{
+			"description": "Bump the internal @played/* packages together, promptly.",
+			"matchPackageNames": ["/^@played//"],
+			"groupName": "@played packages"
+		},
+		{
+			"description": "Batch third-party non-major updates into one PR to cut noise.",
+			"matchUpdateTypes": ["minor", "patch"],
+			"matchPackageNames": ["!/^@played//"],
+			"groupName": "non-major dependencies"
+		}
+	],
+	"lockFileMaintenance": {
+		"enabled": true,
+		"schedule": ["before 9am on monday"]
+	}
+}