From 2f0fa31bfdc98f6268a034d834b5531c2b9faac5 Mon Sep 17 00:00:00 2001
From: Guillaume Paris <guillaume.paris@filigran.io>
Date: Wed, 14 Jan 2026 14:06:23 +0100
Subject: [PATCH 1/3] [tool] chore(tooling): improve and sync renovate & gh
 actions

---
 .github/workflows/oaev_shared_auto_label.yml  | 14 +++++++
 .../oaev_shared_check_signed_commit.yml       | 13 +++++++
 .../oaev_shared_validate_pr_title.yml         | 20 ++++++++++
 .github/workflows/validate-pr-title.yml       | 32 ---------------
 renovate.json                                 | 39 +++++++++----------
 5 files changed, 65 insertions(+), 53 deletions(-)
 create mode 100644 .github/workflows/oaev_shared_auto_label.yml
 create mode 100644 .github/workflows/oaev_shared_check_signed_commit.yml
 create mode 100644 .github/workflows/oaev_shared_validate_pr_title.yml
 delete mode 100644 .github/workflows/validate-pr-title.yml

diff --git a/.github/workflows/oaev_shared_auto_label.yml b/.github/workflows/oaev_shared_auto_label.yml
new file mode 100644
index 00000000..83076752
--- /dev/null
+++ b/.github/workflows/oaev_shared_auto_label.yml
@@ -0,0 +1,14 @@
+name: "[OAEV Shared] Auto Label"
+on:
+  pull_request:
+    branches: [main, release/current]
+    types: [opened, reopened]
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  auto-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Auto Label"
+        uses: FiligranHQ/filigran-ci-tools/actions/auto-label@v1
diff --git a/.github/workflows/oaev_shared_check_signed_commit.yml b/.github/workflows/oaev_shared_check_signed_commit.yml
new file mode 100644
index 00000000..f75b9635
--- /dev/null
+++ b/.github/workflows/oaev_shared_check_signed_commit.yml
@@ -0,0 +1,13 @@
+name: "[OAEV Shared] Check Signed Commits in PR"
+on:
+  pull_request_target:
+    branches: [main, release/current]
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  check-signed-commits:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check signed commits in PR
+        uses: FiligranHQ/filigran-ci-tools/actions/check-signed-commit@v1
diff --git a/.github/workflows/oaev_shared_validate_pr_title.yml b/.github/workflows/oaev_shared_validate_pr_title.yml
new file mode 100644
index 00000000..0f976f81
--- /dev/null
+++ b/.github/workflows/oaev_shared_validate_pr_title.yml
@@ -0,0 +1,20 @@
+name: "[OAEV Shared] Validate PR title Worker"
+on:
+  pull_request:
+    branches: [main, release/current]
+    types: [opened, edited, reopened, ready_for_review, synchronize]
+jobs:
+  validate-pr-title:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate a token"
+        id: generate-token
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
+          private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
+      - name: "Validate PR title and create check"
+        uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@v1
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/validate-pr-title.yml b/.github/workflows/validate-pr-title.yml
deleted file mode 100644
index f9160265..00000000
--- a/.github/workflows/validate-pr-title.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: "Validate PR Title"
-
-on:
-  pull_request:
-    types: [ opened, edited, reopened, ready_for_review, synchronize ]
-
-jobs:
-  validate-pr-title:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - name: Check PR title format
-        shell: bash
-        run: |
-          TITLE="${{ github.event.pull_request.title }}"
-          echo "PR title: $TITLE"
-          
-          # Regex for:
-          # [category/subcategory] type(scope?): description (#123?)
-          PATTERN='^\[([a-z]+(/[a-z]+)*)\] (feat|fix|chore|docs|style|refactor|perf|test|build|ci|revert)(\([a-z]+\))?: [a-z].*( \(#[0-9]+\))$'
-          
-          if [[ ! "$TITLE" =~ $PATTERN ]]; then
-            echo "❌ Invalid PR title."
-            echo "Required format:"
-            echo "[category] type(scope?): description (#123)"
-            exit 1
-          fi
-          
-          echo "✅ PR title is valid."
\ No newline at end of file
diff --git a/renovate.json b/renovate.json
index e1d1c913..32cfd97f 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,34 +1,31 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    "docker:enableMajor"
   ],
   "labels": [
     "dependencies",
     "filigran team"
   ],
-  "prConcurrentLimit": 2,
-  "baseBranches": ["release/current", "main"],
+  "minimumReleaseAge": "3 days",
+  "prHourlyLimit": 2,
+  "prConcurrentLimit": 20,
+  "timezone": "Europe/Paris",
+  "schedule": [
+    "* 0-4,22-23 * * 1-5",
+    "* * * * 0,6"
+  ],
+  "updateNotScheduled": false,
+  "rebaseWhen": "conflicted",
+  "commitMessageAction": "update",
+  "commitMessagePrefix": "[tool] chore(deps):",
   "packageRules": [
     {
-      "matchUpdateTypes": [
-        "minor"
+      "matchPaths": [
+        "*/**"
       ],
-      "prPriority": 5
-    },
-    {
-      "matchBaseBranches": ["release/current"],
-      "commitMessageSuffix": null
-    },
-    {
-      "matchJsonata": ["$exists(isVulnerabilityAlert)"],
-      "matchBaseBranches": ["release/current"],
-      "enabled": false
-    },
-    {
-      "matchJsonata": ["$not($exists(isVulnerabilityAlert))"],
-      "matchBaseBranches": ["main"],
-      "enabled": false
+      "commitMessagePrefix": "[injectors] chore(deps):"
     }
   ]
-}
+}
\ No newline at end of file

From 901d1ccc46aef975070ebb410055f967708ee662 Mon Sep 17 00:00:00 2001
From: Guillaume Paris <guillaume.paris@filigran.io>
Date: Wed, 4 Feb 2026 11:01:07 +0100
Subject: [PATCH 2/3] update actions

---
 .github/workflows/oaev_shared_auto_label.yml          | 2 +-
 .github/workflows/oaev_shared_check_signed_commit.yml | 2 +-
 .github/workflows/oaev_shared_validate_pr_title.yml   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/oaev_shared_auto_label.yml b/.github/workflows/oaev_shared_auto_label.yml
index 83076752..4ad9d8aa 100644
--- a/.github/workflows/oaev_shared_auto_label.yml
+++ b/.github/workflows/oaev_shared_auto_label.yml
@@ -11,4 +11,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Auto Label"
-        uses: FiligranHQ/filigran-ci-tools/actions/auto-label@v1
+        uses: FiligranHQ/filigran-ci-tools/actions/auto-label@main
diff --git a/.github/workflows/oaev_shared_check_signed_commit.yml b/.github/workflows/oaev_shared_check_signed_commit.yml
index f75b9635..73da07f8 100644
--- a/.github/workflows/oaev_shared_check_signed_commit.yml
+++ b/.github/workflows/oaev_shared_check_signed_commit.yml
@@ -10,4 +10,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check signed commits in PR
-        uses: FiligranHQ/filigran-ci-tools/actions/check-signed-commit@v1
+        uses: FiligranHQ/filigran-ci-tools/actions/check-signed-commit@main
diff --git a/.github/workflows/oaev_shared_validate_pr_title.yml b/.github/workflows/oaev_shared_validate_pr_title.yml
index 0f976f81..7e2c5a77 100644
--- a/.github/workflows/oaev_shared_validate_pr_title.yml
+++ b/.github/workflows/oaev_shared_validate_pr_title.yml
@@ -15,6 +15,6 @@ jobs:
           app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
           private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
       - name: "Validate PR title and create check"
-        uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@v1
+        uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@main
         with:
           token: ${{ steps.generate-token.outputs.token }}

From cc6cee48646c17294b932556d1d92fbcd7a3ec80 Mon Sep 17 00:00:00 2001
From: Guillaume Paris <guillaume.paris@filigran.io>
Date: Tue, 10 Feb 2026 23:24:55 +0100
Subject: [PATCH 3/3] update naming

---
 .../oaev_shared_validate_pr_title.yml         | 20 -------------------
 ..._auto_label.yml => openaev-auto-label.yml} |  2 +-
 ...it.yml => openaev-check-signed-commit.yml} |  2 +-
 .../workflows/openaev-validate-pr-title.yml   | 20 +++++++++++++++++++
 4 files changed, 22 insertions(+), 22 deletions(-)
 delete mode 100644 .github/workflows/oaev_shared_validate_pr_title.yml
 rename .github/workflows/{oaev_shared_auto_label.yml => openaev-auto-label.yml} (89%)
 rename .github/workflows/{oaev_shared_check_signed_commit.yml => openaev-check-signed-commit.yml} (86%)
 create mode 100644 .github/workflows/openaev-validate-pr-title.yml

diff --git a/.github/workflows/oaev_shared_validate_pr_title.yml b/.github/workflows/oaev_shared_validate_pr_title.yml
deleted file mode 100644
index 7e2c5a77..00000000
--- a/.github/workflows/oaev_shared_validate_pr_title.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "[OAEV Shared] Validate PR title Worker"
-on:
-  pull_request:
-    branches: [main, release/current]
-    types: [opened, edited, reopened, ready_for_review, synchronize]
-jobs:
-  validate-pr-title:
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate a token"
-        id: generate-token
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
-          private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
-      - name: "Validate PR title and create check"
-        uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@main
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/oaev_shared_auto_label.yml b/.github/workflows/openaev-auto-label.yml
similarity index 89%
rename from .github/workflows/oaev_shared_auto_label.yml
rename to .github/workflows/openaev-auto-label.yml
index 4ad9d8aa..b20f7aae 100644
--- a/.github/workflows/oaev_shared_auto_label.yml
+++ b/.github/workflows/openaev-auto-label.yml
@@ -1,4 +1,4 @@
-name: "[OAEV Shared] Auto Label"
+name: "[OpenAEV] Auto Label"
 on:
   pull_request:
     branches: [main, release/current]
diff --git a/.github/workflows/oaev_shared_check_signed_commit.yml b/.github/workflows/openaev-check-signed-commit.yml
similarity index 86%
rename from .github/workflows/oaev_shared_check_signed_commit.yml
rename to .github/workflows/openaev-check-signed-commit.yml
index 73da07f8..4903484e 100644
--- a/.github/workflows/oaev_shared_check_signed_commit.yml
+++ b/.github/workflows/openaev-check-signed-commit.yml
@@ -1,4 +1,4 @@
-name: "[OAEV Shared] Check Signed Commits in PR"
+name: "[OpenAEV] Check Signed Commits in PR"
 on:
   pull_request_target:
     branches: [main, release/current]
diff --git a/.github/workflows/openaev-validate-pr-title.yml b/.github/workflows/openaev-validate-pr-title.yml
new file mode 100644
index 00000000..b6cc0d01
--- /dev/null
+++ b/.github/workflows/openaev-validate-pr-title.yml
@@ -0,0 +1,20 @@
+ name: "[OpenAEV] Validate PR title Worker"
+ on:
+   pull_request:
+     branches: [main, release/current]
+     types: [opened, edited, reopened, ready_for_review, synchronize]
+ jobs:
+   validate-pr-title:
+     runs-on: ubuntu-latest
+     steps:
+       - name: "Generate a token"
+         id: generate-token
+         if: github.event.pull_request.head.repo.full_name == github.repository
+         uses: actions/create-github-app-token@v2
+         with:
+           app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
+           private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
+       - name: "Validate PR title and create check"
+         uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@main
+         with:
+           token: ${{ steps.generate-token.outputs.token }}