From ae6df4752dee80268f46592cdcfe4b0b812a6326 Mon Sep 17 00:00:00 2001 From: Levente Balogh Date: Wed, 27 May 2026 14:36:06 +0200 Subject: [PATCH 1/3] ci: replace stale dependabot bot guards with renovate The repo uses Renovate (see .github/renovate.json), so the `github.actor != 'dependabot[bot]'` guards in our workflows no longer match the bot opening PRs. Update ci.yml to skip the sign-plugin, Knip report, and release steps for `renovate[bot]` instead, and drop the dependabot guard from check-labels.yml so the action runs on Renovate PRs (its JS already handles `renovate[bot]` internally). --- .github/workflows/check-labels.yml | 1 - .github/workflows/ci.yml | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml index 1074893555..c7ab1d26e4 100644 --- a/.github/workflows/check-labels.yml +++ b/.github/workflows/check-labels.yml @@ -16,7 +16,6 @@ permissions: jobs: check-labels: - if: ${{ github.actor != 'dependabot[bot]' }} runs-on: ubuntu-x64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 034b9d078f..6b329d382e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -475,14 +475,14 @@ jobs: working-directory: ./${{ matrix.workingDir }} - name: '@grafana/sign-plugin - use GRAFANA_ACCESS_POLICY_TOKEN to sign generate-panel plugin' - if: ${{ matrix.workingDir == 'myorg-nobackend-panel' && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.fork != true }} + if: ${{ matrix.workingDir == 'myorg-nobackend-panel' && github.actor != 'renovate[bot]' && github.event.pull_request.head.repo.fork != true }} env: GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets).GRAFANA_ACCESS_POLICY_TOKEN }} run: sign-plugin --rootUrls http://www.example.com --signatureType private working-directory: ./${{ matrix.workingDir }} - name: Frontend Knip Report - if: ${{ github.actor != 'dependabot[bot]' }} + if: ${{ github.actor != 'renovate[bot]' }} # Knip uses the scaffolded plugin .gitignore file for ignore paths. # github workflows use paths like home/runner/work/plugin-tools/plugin-tools # so we need to remove /work otherwise knip returns false positives @@ -516,7 +516,7 @@ jobs: release: runs-on: ubuntu-latest needs: [test, generate-plugins] - if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && github.actor != 'dependabot[bot]'" + if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && github.actor != 'renovate[bot]'" name: Release packages env: NX_BRANCH: ${{ github.event.number || github.ref_name }} From 1445d98e3d4454dcb9df1736bf9fb587db90ac39 Mon Sep 17 00:00:00 2001 
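Review bot: The guards on the sign-plugin and Frontend Knip Report steps compare `github.actor`, which names whoever triggered the run rather than the pull request's author. A Renovate branch that a maintainer pushes to or reopens would therefore run the signing step, with `GRAFANA_ACCESS_POLICY_TOKEN` in its environment, against the updated dependency tree. The check-labels action in this series keys on `pull_request?.user.login` instead; using the same source here, `github.event.pull_request.user.login != 'renovate[bot]'`, would make the skip follow the PR rather than the last account to touch it. The same applies to the PATCH 2/3 revision of these lines. The enclosing job and the workflow's triggers are outside the hunk, so the assumption that these steps run on pull_request events rests on the fork check in the same expression.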
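Review bot: The release job's `if:` has no comment saying what skipping for the bot is meant to prevent. The expression reads `github.event.head_commit.message`, a push-event field, and on a push `github.actor` is the account that pushed or merged. The condition therefore skips a release only when the bot itself lands the commit; a Renovate PR merged by a maintainer still publishes. If that is the intent, a comment above the `if:` such as `# Skip publishing when Renovate merges its own PR; human-merged dependency updates still release.` would record it. The workflow's `on:` block is outside the hunk, so this reading is inferred from the expression alone, and the PATCH 2/3 revision of this line carries the same condition.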
From: Levente Balogh Date: Wed, 27 May 2026 14:50:24 +0200 Subject: [PATCH 2/3] ci: also match renovate-sh-app[bot] in actor guards The active Renovate identity in this repo is `renovate-sh-app[bot]` (verified against recent PRs #2634, #2625, #2623); `renovate[bot]` only appears in older history. The previous patch using `renovate[bot]` alone would have been a no-op for current Renovate PRs. Match both identities in the sign-plugin, Frontend Knip Report, and release-job guards in ci.yml so the original protective intent works for the active bot while staying backward-compatible with the legacy identity. --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b329d382e..1dbdfcfc30 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -475,14 +475,14 @@ jobs: working-directory: ./${{ matrix.workingDir }} - name: '@grafana/sign-plugin - use GRAFANA_ACCESS_POLICY_TOKEN to sign generate-panel plugin' - if: ${{ matrix.workingDir == 'myorg-nobackend-panel' && github.actor != 'renovate[bot]' && github.event.pull_request.head.repo.fork != true }} + if: ${{ matrix.workingDir == 'myorg-nobackend-panel' && github.actor != 'renovate[bot]' && github.actor != 'renovate-sh-app[bot]' && github.event.pull_request.head.repo.fork != true }} env: GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets).GRAFANA_ACCESS_POLICY_TOKEN }} run: sign-plugin --rootUrls http://www.example.com --signatureType private working-directory: ./${{ matrix.workingDir }} - name: Frontend Knip Report - if: ${{ github.actor != 'renovate[bot]' }} + if: ${{ github.actor != 'renovate[bot]' && github.actor != 'renovate-sh-app[bot]' }} # Knip uses the scaffolded plugin .gitignore file for ignore paths. # github workflows use paths like home/runner/work/plugin-tools/plugin-tools # so we need to remove /work otherwise knip returns false positives 
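Review bot: The sign-plugin step is now skipped for both Renovate identities, but the token it consumes comes from `steps.get-secrets.outputs.secrets`, and the step with id `get-secrets` lies outside this hunk. If that step runs unconditionally, the job still retrieves `GRAFANA_ACCESS_POLICY_TOKEN` on dependency-update PRs even though no later step is meant to use it. Putting the same `if:` condition on the step that fetches the secret would keep it out of those runs entirely. This needs confirming against the full job definition.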
@@ -516,7 +516,7 @@ jobs: release: runs-on: ubuntu-latest needs: [test, generate-plugins] - if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && github.actor != 'renovate[bot]'" + if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && github.actor != 'renovate[bot]' && github.actor != 'renovate-sh-app[bot]'" name: Release packages env: NX_BRANCH: ${{ github.event.number || github.ref_name }} From a52be1b6b954aef92e606a3766aaa55fea7883d7 Mon Sep 17 00:00:00 2001 From: Levente Balogh Date: Wed, 27 May 2026 15:02:18 +0200 Subject: [PATCH 3/3] ci(check-labels): handle renovate-sh-app[bot] identity The active Renovate bot in this repo is `renovate-sh-app[bot]`, so the existing `userName === 'renovate[bot]'` fast-path never matched and Renovate PRs were falling through to the missing-semver-label error path. Match both identities so the auto-labelling logic (no-changelog for lock-only changes, patch otherwise) actually runs for current Renovate PRs while remaining backward-compatible with the legacy `renovate[bot]` identity. Required follow-up to PR #2661, which dropped the workflow-level dependabot guard and exposed this pre-existing bug. --- .github/actions/check-labels/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/check-labels/index.js b/.github/actions/check-labels/index.js index 9dabacf12b..98d3c8a4b0 100644 --- a/.github/actions/check-labels/index.js +++ b/.github/actions/check-labels/index.js @@ -21,7 +21,7 @@ async function run() { const hasReleaseLabel = labelNames.includes('release'); const userName = pull_request?.user.login; - if (userName === 'renovate[bot]') { + if (userName === 'renovate[bot]' || userName === 'renovate-sh-app[bot]') { if (isMissingSemverLabel) { const files = await getPullRequestFiles({ octokit });
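Review bot: The two bot logins are now spelled out in this condition and again in three `if:` expressions in ci.yml, so the next identity change has four places to miss; PATCH 2/3 exists because the first attempt matched the wrong login. In this file a named list keeps the check in one place: `const RENOVATE_LOGINS = ['renovate[bot]', 'renovate-sh-app[bot]'];` followed by `if (RENOVATE_LOGINS.includes(userName)) {`. A short comment on the constant noting that it must stay in step with the actor guards in ci.yml would help whoever updates it next. `run()` begins and ends outside the hunk.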