Merge branch 'main' into renovate/typescript-4.x

Author: JamieMagee

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM containerbase/node:14.20.1@sha256:69979186fe785db329e04387b150a4853bda79653a452724384268b814cfd47c
+FROM containerbase/node:14.20.1@sha256:769f1bf127b2c180241cdf2c3cc3726972b7df3fa74bee42cf935cc4271b656c
 
 USER root
 

.github/workflows/build.yml

@@ -54,7 +54,7 @@ jobs:
       NODE_VERSION: ${{ matrix.node-version }}
 
     steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
         with:
           fetch-depth: 2
 
@@ -100,7 +100,7 @@ jobs:
     timeout-minutes: 15
 
     steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
         with:
           fetch-depth: 2
 
@@ -143,7 +143,7 @@ jobs:
 
   release:
     needs: [lint, test]
-    if: github.event_name != 'pull_request'
+    if: github.repository == 'renovatebot/renovate' && github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     # release shouldn't need more than 5 min
     timeout-minutes: 15
@@ -154,7 +154,7 @@ jobs:
 
     steps:
       # full checkout for semantic-release
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
         with:
           fetch-depth: 0
 

.github/workflows/codeql-analysis.yml

@@ -22,15 +22,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 
       - name: Delete fixtures to suppress false positives
         run: |
           find ./lib -type d -name '__fixtures__' -exec rm -rf {} \; || true
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 # tag=v2.1.26
+        uses: github/codeql-action/init@807578363a7869ca324a79039e6db9c843e0e100 # tag=v2.1.27
         with:
           languages: javascript
 
@@ -40,7 +40,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 # tag=v2.1.26
+        uses: github/codeql-action/autobuild@807578363a7869ca324a79039e6db9c843e0e100 # tag=v2.1.27
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -54,4 +54,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 # tag=v2.1.26
+        uses: github/codeql-action/analyze@807578363a7869ca324a79039e6db9c843e0e100 # tag=v2.1.27

.github/workflows/dependency-review.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@375c5370086bfff256c37f8beec0f437e2e72ae1 # tag=v2.4.0

.github/workflows/release-npm.yml

@@ -38,7 +38,7 @@ jobs:
             echo "NPM_TAG=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
           fi
 
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
         with:
           ref: ${{ env.GIT_SHA }}
 

.github/workflows/update-data.yml

@@ -15,7 +15,7 @@ jobs:
   update-data:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 
       - name: Set up Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@969bd2663942d722d85b6a8626225850c2f7be4b # tag=v3.5.0

.github/workflows/ws_scan.yaml

@@ -11,7 +11,7 @@ jobs:
   WS_SCAN:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 
       - name: Download UA
         run: curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar

data/kubernetes-api.json5

@@ -0,0 +1,113 @@
+{
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-16
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#networkpolicy-v116
+  NetworkPolicy: ['extensions/v1beta1', 'networking.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#daemonset-v116
+  DaemonSet: ['extensions/v1beta1', 'apps/v1beta2', 'apps/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#deployment-v116
+  Deployment: ['extensions/v1beta1', 'apps/v1beta1', 'apps/v1beta2', 'apps/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#statefulset-v116
+  StatefulSet: ['apps/v1beta1', 'apps/v1beta2', 'apps/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#replicaset-v116
+  ReplicaSet: ['extensions/v1beta1', 'apps/v1beta1', 'apps/v1beta2', 'apps/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v116
+  PodSecurityPolicy: ['extensions/v1beta1', 'policy/v1beta1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#webhook-resources-v122
+  MutatingWebhookConfiguration: [
+    'admissionregistration.k8s.io/v1beta1',
+    'admissionregistration.k8s.io/v1',
+  ],
+  ValidatingWebhookConfiguration: [
+    'admissionregistration.k8s.io/v1beta1',
+    'admissionregistration.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122
+  CustomResourceDefinition: [
+    'apiextensions.k8s.io/v1beta1',
+    'apiextensions.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#apiservice-v122
+  APIService: ['apiregistration.k8s.io/v1beta1', 'apiregistration.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#tokenreview-v122
+  TokenReview: ['authentication.k8s.io/v1beta1', 'authentication.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#subjectaccessreview-resources-v122
+  LocalSubjectAccessReview: [
+    'authorization.k8s.io/v1beta1',
+    'authorization.k8s.io/v1',
+  ],
+  SelfSubjectAccessReview: [
+    'authorization.k8s.io/v1beta1',
+    'authorization.k8s.io/v1',
+  ],
+  SubjectAccessReview: [
+    'authorization.k8s.io/v1beta1',
+    'authorization.k8s.io/v1',
+  ],
+  SelfSubjectRulesReview: [
+    'authorization.k8s.io/v1beta1',
+    'authorization.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#certificatesigningrequest-v122
+  CertificateSigningRequest: [
+    'certificates.k8s.io/v1beta1',
+    'certificates.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#lease-v122
+  Lease: ['coordination.k8s.io/v1beta1', 'coordination.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122
+  Ingress: [
+    'extensions/v1beta1',
+    'networking.k8s.io/v1beta1',
+    'networking.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingressclass-v122
+  IngressClass: ['networking.k8s.io/v1beta1', 'networking.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#rbac-resources-v122
+  ClusterRole: [
+    'rbac.authorization.k8s.io/v1beta1',
+    'rbac.authorization.k8s.io/v1',
+  ],
+  ClusterRoleBinding: [
+    'rbac.authorization.k8s.io/v1beta1',
+    'rbac.authorization.k8s.io/v1',
+  ],
+  Role: ['rbac.authorization.k8s.io/v1beta1', 'rbac.authorization.k8s.io/v1'],
+  RoleBinding: [
+    'rbac.authorization.k8s.io/v1beta1',
+    'rbac.authorization.k8s.io/v1',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#priorityclass-v122
+  PriorityClass: ['scheduling.k8s.io/v1beta1', 'scheduling.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#storage-resources-v122
+  CSIDriver: ['storage.k8s.io/v1beta1', 'storage.k8s.io/v1'],
+  CSINode: ['storage.k8s.io/v1beta1', 'storage.k8s.io/v1'],
+  StorageClass: ['storage.k8s.io/v1beta1', 'storage.k8s.io/v1'],
+  VolumeAttachment: ['storage.k8s.io/v1beta1', 'storage.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-25
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125
+  CronJob: ['batch/v1beta1', 'batch/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#endpointslice-v125
+  EndpointSlice: ['discovery.k8s.io/v1beta1', 'discovery.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#event-v125
+  Event: ['events.k8s.io/v1beta1', 'events.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v125
+  HorizontalPodAutoscaler: ['autoscaling/v2beta1', 'autoscaling/v2'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125
+  PodDisruptionBudget: ['policy/v1beta1', 'policy/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#runtimeclass-v125
+  RuntimeClass: ['node.k8s.io/v1beta1', 'node.k8s.io/v1'],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v126
+  FlowSchema: [
+    'flowcontrol.apiserver.k8s.io/v1beta1',
+    'flowcontrol.apiserver.k8s.io/v1beta2',
+  ],
+  PriorityLevelConfiguration: [
+    'flowcontrol.apiserver.k8s.io/v1beta1',
+    'flowcontrol.apiserver.k8s.io/v1beta2',
+  ],
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27
+  // https://kubernetes.io/docs/reference/using-api/deprecation-guide/#csistoragecapacity-v127
+  CSIStorageCapacity: ['storage.k8s.io/v1beta1', 'storage.k8s.io/v1'],
+}

docs/development/best-practices.md

@@ -233,6 +233,7 @@ Use `UTC` to be time zone independent.
 
 ## Unit testing
 
+- Separate _Arrange_, _Act_ and _Assert_ phases with empty line
 - Use `it.each` rather than `test.each`
 - Prefer [Tagged Template Literal](https://jestjs.io/docs/api#2-testeachtablename-fn-timeout) style for `it.each`, Prettier will help with formatting
   - See [Example](https://github.com/renovatebot/renovate/blob/768e178419437a98f5ce4996bafd23f169e530b4/lib/modules/platform/util.spec.ts#L8-L18)

docs/development/issue-labeling.md

@@ -81,10 +81,10 @@ Add the `breaking` label for Issues or PRs which have changes that are not backw
 </details>
 
 Use these to assign a priority level to an issue.
-Incoming issues are labeled `priority-5-triage` by default, this label should be replaced with a proper priority (low/normal/important/critical).
+Incoming issues are labeled `priority-5-triage` by default, this label should be replaced with a proper priority (low/medium/high/critical).
 Try to select the proper priority.
 Nothing bad will happen if you select a "wrong" priority.
-At a high level: critical = needs immediate fix, important = to be prioritized ahead of others, normal = default priority, low = trivial issue, or impacts a very small % of the user base.
+At a high level: critical = needs immediate fix, high = to be prioritized ahead of others, medium = default priority, low = trivial issue, or impacts a very small percentage of the user base.
 
 Use [this search](https://github.com/renovatebot/renovate/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+-label%3Apriority-1-critical+-label%3Apriority-2-high+-label%3Apriority-3-medium+-label%3Apriority-4-low++-label%3Apriority-5-triage) to find any issues which are missing a priority label.
 

docs/usage/java.md

@@ -8,6 +8,20 @@ description: Java versions support in Renovate
 Renovate can update Gradle and Maven dependencies.
 This includes libraries and plugins as well as the Gradle Wrapper.
 
+## LTS releases
+
+The `config:base` preset includes the `workarounds:javaLTSVersions` preset.
+The workaround limits Renovate to upgrade to LTS versions of the Java runtime only.
+
+If you want Renovate to offer all `major` Java updates then add `workarounds:javaLTSVersions` to the `ignorePreset` array:
+
+```json
+{
+  "extends": ["config:base"],
+  "ignorePresets": ["workarounds:javaLTSVersions"]
+}
+```
+
 ## Gradle
 
 Renovate detects versions that are specified in a string `'group:artifact:version'` and those specified in a map `(group:groupName, name:ArtifactName, version:Version)`.

docs/usage/key-concepts/pull-requests.md

@@ -0,0 +1,85 @@
+---
+title: Pull requests
+description: Learn about Renovate pull requests
+---
+
+This page describes how Renovate pull requests work.
+
+## How Renovate finds existing PRs
+
+Renovate does not keep any kind of database/state of its own about open or closed Pull Requests.
+Instead, it uses the code platform's APIs to search and find such PRs.
+
+Locating of existing PRs - whether open or closed - is done by matching both the branch name (e.g. `renovate/lodash-4.x`) and Pull Request title (e.g. `Update lodash to v4.17.21`).
+
+In cases like the above, there is typically at most one existing PR with the desired branch + title combination.
+When grouping is enabled by users, and PRs have titles like "All non-major updates", then there may be multiple past PRs which match.
+
+## Normal PRs
+
+As described above, Renovate PRs normally have some uniqueness in their title relating to the version in the upgrade.
+In such cases, if a user closes such a PR, it can be inferred that they don't want to see it again in future.
+For example, they wish to ignore `[email protected]`.
+
+In such cases, new PRs won't be created until the branch+title uniqueness exists again, such as if there is a `[email protected]`.
+
+Similarly in the case of major updates (such as "Update lodash to v4") then it can be inferred that the user wishes to ignore all of v4 of `lodash`, even when newer v4 versions are available.
+
+## Immortal PRs
+
+Some Renovate pull requests have a section like this:
+
+> 👻 **Immortal:** This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.
+
+A **immortal** PRs keeps popping up again after you close it.
+
+This document explains why we have immortal PRs, and how you can fix them.
+
+### Why we have immortal PRs
+
+First off, we don't have immortal PRs for some philosphical reason like: "don't ignore this update, it's good for you!".
+We just have no way to ignore some PRs after they're closed.
+
+#### Branch name and PR title are cache keys
+
+Renovate uses the branch name and PR title like a cache key.
+If the same key exists _and_ the PR was closed, then we ignore the PR.
+
+##### Cache keys can cause problems
+
+Let's say you have an "All non-major updates" PR.
+If you close the PR, and Renovate ignores it based on the PR title, then you would never get a non-major update again.
+
+#### Only unique version PRs can be ignored
+
+Renovate can only ignore PRs if they have a unique version, like "to v16.1.2" or "to v16" in the title.
+
+#### Grouped updates with different versions
+
+The problem comes when there are groups of updates which have different versions.
+Then the update becomes "Update react (major)", which is not safely ignorable, instead of "Update react to v16".
+
+### Future plans for immortal PRs
+
+In the future we may embed metadata in each PR identifying the exact files and packages + versions that PR contains.
+Then we could allow such PRs to be closed/ignored but then as soon as there's any chance to files/packages/versions being updated then we'd be cached busted and create a new PR.
+If you regularly wish to close immortal PRs, it's an indication that you may be grouping too widely.
+
+### How to fix immortal PRs
+
+Avoid grouping dependencies together which have different versions, or which you have a high chance of wanting to ignore.
+
+#### Major updates require Dependency Dashboard approval
+
+Avoid grouping major upgrades together unless they are related dependencies.
+Instead, set `"dependencyDashboardApproval": true` for major updates so that you have control about when they are created.
+
+## Ignoring PRs
+
+To ignore a PR you just close it unmerged.
+
+<!-- prettier-ignore -->
+!!! note
+    Renovate will re-create any PRs that is marked "immortal".
+    What this means is that any immortal PR you close, will pop up again the next time Renovate runs.
+    To ignore immortal PRs, follow the advice in the [How to fix immortal PRs](#how-to-fix-immortal-prs) section.

lib/config/options/index.ts

@@ -382,6 +382,7 @@ const options: RenovateOptions[] = [
     globalOnly: true,
     type: 'string',
     default: null,
+    stage: 'global',
   },
   // Onboarding
   {