fix: validate renovate dependency rule coverage

.github/renovate-tracked-deps.json

@@ -1,63 +1,138 @@
 {
-  ".github/workflows/lint.yml": {
-    "regex": [
-      "mise"
-    ]
+  "meta": {
+    "actionlint": {
+      "packageName": "rhysd/actionlint",
+      "datasource": "github-releases"
+    },
+    "aqua:owenlamont/ryl": {
+      "packageName": "owenlamont/ryl",
+      "datasource": "github-tags"
+    },
+    "biome": {
+      "packageName": "biome"
+    },
+    "editorconfig-checker": {
+      "packageName": "editorconfig-checker/editorconfig-checker",
+      "datasource": "github-releases"
+    },
+    "github:google/google-java-format": {
+      "packageName": "google/google-java-format",
+      "datasource": "github-releases"
+    },
+    "github:jonwiggins/xmloxide": {
+      "packageName": "jonwiggins/xmloxide",
+      "datasource": "github-releases"
+    },
+    "github:koalaman/shellcheck": {
+      "packageName": "koalaman/shellcheck",
+      "datasource": "github-releases"
+    },
+    "golangci-lint": {
+      "packageName": "golangci/golangci-lint",
+      "datasource": "github-tags"
+    },
+    "hadolint": {
+      "packageName": "hadolint/hadolint",
+      "datasource": "github-tags"
+    },
+    "ktlint": {
+      "packageName": "pinterest/ktlint",
+      "datasource": "github-releases"
+    },
+    "lychee": {
+      "packageName": "lycheeverse/lychee",
+      "datasource": "github-releases"
+    },
+    "mise": {
+      "packageName": "jdx/mise",
+      "datasource": "github-release-attachments"
+    },
+    "npm:renovate": {
+      "packageName": "renovate",
+      "datasource": "npm"
+    },
+    "pipx:codespell": {
+      "packageName": "codespell",
+      "datasource": "pypi"
+    },
+    "ruff": {
+      "packageName": "astral-sh/ruff",
+      "datasource": "github-releases"
+    },
+    "rumdl": {
+      "packageName": "rvben/rumdl",
+      "datasource": "github-releases"
+    },
+    "shfmt": {
+      "packageName": "mvdan/sh",
+      "datasource": "github-releases"
+    },
+    "taplo": {
+      "packageName": "tamasfe/taplo",
+      "datasource": "github-releases"
+    }
   },
-  ".github/workflows/release-assets.yml": {
-    "regex": [
-      "mise"
-    ]
-  },
-  ".github/workflows/release-plz.yml": {
-    "regex": [
-      "mise"
-    ]
-  },
-  ".github/workflows/test.yml": {
-    "regex": [
-      "mise"
-    ]
-  },
-  "README.md": {
-    "regex": [
-      "koalaman/shellcheck",
-      "mvdan/sh",
-      "rhysd/actionlint"
-    ]
-  },
-  "mise.toml": {
-    "mise": [
-      "actionlint",
-      "aqua:owenlamont/ryl",
-      "biome",
-      "dotnet",
-      "editorconfig-checker",
-      "github:google/google-java-format",
-      "github:jonwiggins/xmloxide",
-      "github:koalaman/shellcheck",
-      "go",
-      "golangci-lint",
-      "hadolint",
-      "ktlint",
-      "lychee",
-      "node",
-      "npm:renovate",
-      "pipx:codespell",
-      "release-plz",
-      "ruff",
-      "rumdl",
-      "rust",
-      "shfmt",
-      "taplo"
-    ]
-  },
-  "src/init/scaffold.rs": {
-    "regex": [
-      "Swatinem/rust-cache",
-      "actions/checkout",
-      "jdx/mise-action",
-      "mise"
-    ]
+  "files": {
+    ".github/workflows/lint.yml": {
+      "regex": [
+        "mise"
+      ]
+    },
+    ".github/workflows/release-assets.yml": {
+      "regex": [
+        "mise"
+      ]
+    },
+    ".github/workflows/release-plz.yml": {
+      "regex": [
+        "mise"
+      ]
+    },
+    ".github/workflows/test.yml": {
+      "regex": [
+        "mise"
+      ]
+    },
+    "README.md": {
+      "regex": [
+        "actionlint",
+        "github:koalaman/shellcheck",
+        "shfmt"
+      ]
+    },
+    "mise.toml": {
+      "mise": [
+        "actionlint",
+        "aqua:owenlamont/ryl",
+        "biome",
+        "dotnet",
+        "editorconfig-checker",
+        "github:google/google-java-format",
+        "github:jonwiggins/xmloxide",
+        "github:koalaman/shellcheck",
+        "go",
+        "golangci-lint",
+        "hadolint",
+        "ktlint",
+        "lychee",
+        "node",
+        "npm:renovate",
+        "pipx:codespell",
+        "release-plz",
+        "ruff",
+        "rumdl",
+        "rust",
+        "shfmt",
+        "taplo"
+      ]
+    },
+    "src/init/scaffold.rs": {
+      "regex": [
+        "Swatinem/rust-cache",
+        "actions/checkout",
+        "jdx/mise-action",
+        "mise"
+      ]
+    }
   }
 }

.github/renovate.json5

@@ -31,7 +31,8 @@
         "# Add whichever linters apply to your repo:\\n[\\s\\S]*?\"github:koalaman/shellcheck\"\\s*=\\s*\"(?<currentValue>[^\"]+)\"[\\s\\S]*?\\n```",
       ],
       datasourceTemplate: "github-releases",
-      depNameTemplate: "koalaman/shellcheck",
+      depNameTemplate: "github:koalaman/shellcheck",
+      packageNameTemplate: "koalaman/shellcheck",
     },
     {
       customType: "regex",
@@ -41,7 +42,8 @@
         "# Add whichever linters apply to your repo:\\n[\\s\\S]*?shfmt\\s*=\\s*\"(?<currentValue>[^\"]+)\"[\\s\\S]*?\\n```",
       ],
       datasourceTemplate: "github-releases",
-      depNameTemplate: "mvdan/sh",
+      depNameTemplate: "shfmt",
+      packageNameTemplate: "mvdan/sh",
     },
     {
       customType: "regex",
@@ -51,7 +53,8 @@
         "# Add whichever linters apply to your repo:\\n[\\s\\S]*?actionlint\\s*=\\s*\"(?<currentValue>[^\"]+)\"[\\s\\S]*?\\n```",
       ],
       datasourceTemplate: "github-releases",
-      depNameTemplate: "rhysd/actionlint",
+      depNameTemplate: "actionlint",
+      packageNameTemplate: "rhysd/actionlint",
     },
     {
       customType: "regex",
@@ -92,7 +95,7 @@
   ],
   packageRules: [
     {
-      matchPackageNames: [
+      matchDepNames: [
         "actionlint",
         "aqua:owenlamont/ryl",
         "biome",

default.json

@@ -36,7 +36,7 @@
   ],
   "packageRules": [
     {
-      "matchPackageNames": [
+      "matchDepNames": [
         "actionlint",
         "aqua:owenlamont/ryl",
         "biome",

docs/linters.md

@@ -227,8 +227,13 @@ check_all_local = true
 | Patterns    | `renovate.json renovate.json5 .github/renovate.json .github/renovate.json5 .renovaterc .renovaterc.json .renovaterc.json5` |
 | Run policy  | adaptive — runs in `--fast-only` only when relevant                                                                        |
 
-Verifies `.github/renovate-tracked-deps.json` is up to date by running
-Renovate locally and comparing its output against the committed snapshot.
+Verifies `renovate-tracked-deps.json` next to the active Renovate
+config is up to date by running Renovate locally and comparing its
+output against the committed snapshot.
+It also checks that dependencies extracted from different files but
+resolving to the same upstream package match the same Renovate
+package rules. That catches config splits like `actionlint` vs
+`rhysd/actionlint` before Renovate stops grouping them consistently.
 Requires `renovate` in `[tools]`.
 
 In CI, `renovate-deps` requires `GITHUB_COM_TOKEN` or `GITHUB_TOKEN`
@@ -240,6 +245,10 @@ When `flint init` writes a new `flint.toml`, it includes this section if
 legacy `RENOVATE_TRACKED_DEPS_EXCLUDE` values into `exclude_managers`.
 
 With `--fix`, automatically regenerates and commits the snapshot.
+For custom/regex managers, prefer canonical `depNameTemplate` values
+for grouping and explicit `packageNameTemplate` values for datasource
+lookups when those identities differ.
+See [the renovate-deps guide](linters/renovate-deps.md) for examples.
 
 Configure via `flint.toml`:
 

docs/linters/renovate-deps.md

@@ -0,0 +1,116 @@
+# `renovate-deps`
+
+`renovate-deps` does two related checks:
+
+1. It verifies that `renovate-tracked-deps.json` next to the active Renovate
+   config matches what Renovate currently extracts from the repo.
+2. It checks that extracted dependencies which resolve to the same upstream
+   package are covered consistently by Renovate package rules.
+
+The second check is there to catch configuration mistakes before they show up as
+separate Renovate PRs or README drift.
+
+## What it catches
+
+Goal: `mise.toml` and `README.md` both refer to actionlint, so you want
+Renovate to treat them as the same dependency and keep them in the same group.
+
+A setup can fail that goal by extracting different dependency names for the
+same upstream package:
+
+```json5
+{
+  packageRules: [
+    {
+      groupName: "linters",
+      matchDepNames: ["actionlint"],
+    },
+  ],
+  customManagers: [
+    {
+      customType: "regex",
+      managerFilePatterns: ["/^README\\.md$/"],
+      datasourceTemplate: "github-releases",
+      depNameTemplate: "rhysd/actionlint",
+    },
+  ],
+}
+```
+
+Where it fails:
+
+- `mise.toml` extracts `actionlint`
+- `README.md` extracts `rhysd/actionlint`
+- the `linters` rule matches only `actionlint`
+
+Renovate can now stop grouping those occurrences consistently and update them
+separately.
+
+`renovate-deps` reports that mismatch earlier, at config-check time.
+
+## Preferred pattern
+
+When a custom manager needs a different lookup identity than the grouping name,
+set both values explicitly:
+
+```json5
+{
+  customType: "regex",
+  datasourceTemplate: "github-releases",
+  depNameTemplate: "actionlint",
+  packageNameTemplate: "rhysd/actionlint",
+}
+```
+
+Why:
+
+- `depNameTemplate` controls the extracted dependency name Flint uses for rule
+  matching comparisons
+- `packageNameTemplate` keeps the datasource lookup pointed at the real upstream
+  package
+
+The same pattern applies to entries like:
+
+```json5
+depNameTemplate: "github:koalaman/shellcheck",
+packageNameTemplate: "koalaman/shellcheck",
+```
+
+## Snapshot shape
+
+The committed `renovate-tracked-deps.json` snapshot lives next to the active
+Renovate config:
+
+- `.github/renovate-tracked-deps.json` for `.github/renovate.json5`
+- `renovate-tracked-deps.json` for root-level configs such as `.renovaterc.json`
+
+It stores only the metadata Flint needs for these checks:
+
+- `files`: extracted dependency names by file and manager
+- `meta`: package metadata for deps relevant to rule-coverage validation
+
+This is intentionally narrower than full Renovate output so steady-state
+`renovate-deps --fix` stays cheap.
+
+## Fixing failures
+
+If the snapshot is stale:
+
+```bash
+flint run --fix renovate-deps
+```
+
+If you want to force a fresh metadata rebuild instead of reusing any existing
+committed metadata for the same dependency names, for example after changing Renovate
+grouping config or while debugging suspicious `meta` entries:
+
+```bash
+FLINT_RENOVATE_DEPS_REFRESH_META=1 flint run --fix renovate-deps
+```
+
+If rule coverage is inconsistent:
+
+- normalize equivalent deps to one canonical `depNameTemplate`
+- keep `packageNameTemplate` explicit when datasource lookup needs a different
+  identifier
+- make sure the intended `packageRules` matcher covers that canonical dependency name

src/config.rs

@@ -56,6 +56,8 @@ pub struct LycheeConfig {
 pub struct RenovateDepsConfig {
     // Env var: FLINT_RENOVATE_DEPS_EXCLUDE_MANAGERS (JSON array, e.g. '["npm"]')
     pub exclude_managers: Vec<String>,
+    // Env var: FLINT_RENOVATE_DEPS_REFRESH_META
+    pub refresh_meta: bool,
 }
 
 #[derive(Debug, Deserialize, Clone)]