fix(renovate): unified automerge & trust

[JacobPEvans]

PR Summary

Overview

Unifies Renovate's trusted organization rules into a single manager-agnostic
configuration that applies trust across all update managers and update types.
Consolidates separate GitHub Actions and Nix flake input trust lists while
expanding coverage to 47 trusted organizations. Adds lock file maintenance
auto-merge.

Changes

• Removed matchManagers constraint — trusted orgs now apply to ALL managers
  (GitHub Actions, Nix flakes, pip, etc.)
• Removed matchUpdateTypes constraint — trusted orgs receive ALL update
  types (major, minor, patch, pin)
• Merged trust lists — GitHub Actions + Nix flake inputs consolidated into
  unified rule
• Added lock file maintenance auto-merge — lockFileMaintenance updates now
  auto-merge for all managers
• Removed redundant rules — deleted Nix flake inputs rule, HuggingFace
  custom.regex rule (superseded by unified rule)
• Expanded trusted orgs — from 28 to 47 organizations Added: ansible, aws-ia, bitwarden, codecov, criblio, DopplerHQ, huggingface,
  kubernetes, kubernetes-sigs, nix-darwin, nix-systems, obra, open-telemetry,
  ossf, pre-commit, pypa, renovatebot, semgrep, sigstore

Test Plan

• Verify auto-merge applies to all trusted orgs across all manager types
  (not just GitHub Actions)
• Confirm lock file maintenance updates auto-merge
• Validate no regression in existing trusted org behavior
• Fixes chore(deps): update dependency github/gh-aw to v0.65.0 (main) nix-ai#381 (github/gh-aw now auto-merges)

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the Renovate configuration to centralize and simplify the management of trusted organizations. By removing manager-specific scoping, the configuration now provides a more consistent and maintainable approach to auto-merging dependencies across different ecosystems. Additionally, it improves automation efficiency by enabling auto-merge for lock file maintenance tasks.

Highlights

• Unified Trusted Orgs Rule: Removed the manager-specific constraint to allow trusted organization rules to apply globally across all Renovate managers.
• Lock File Maintenance: Enabled automatic merging for lock file maintenance pull requests using a squash strategy.
• Configuration Cleanup: Consolidated redundant rules for Nix flake inputs and HuggingFace packages into the unified trusted orgs rule and removed specific Terraform provider entries now covered by the global rule.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

The rules were scattered, wide and deep, With manager locks we had to keep. Now unified and clean they stand, With auto-merge across the land.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

Updates the org-wide Renovate preset to make “trusted org” auto-merge behavior independent of the Renovate manager that detected the dependency, and tweaks automerge behavior for maintenance PRs.

Changes:

• Expands the trusted-org packageRule to apply across managers (adds URL-prefixed patterns; removes github-actions-only scoping).
• Enables automerge for lockFileMaintenance PRs.
• Removes now-redundant per-ecosystem trusted rules (e.g., Nix flake inputs, HuggingFace custom.regex) and narrows Terraform provider trust to bpg/*.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.