feat: deploy Renovate Bot via CronJob for automatic dependency updates

- CronJob every 6h, concurrencyPolicy: Forbid
- Platform gitea at git.chemavx.xyz, repos: researchowl, polymarket-bot, n8n
- packageRules: major=PR only, patch=automerge, private registry disabled
- Secret placeholder for Gitea token (fill in before applying ArgoCD app)
- ArgoCD Application with automated sync

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

renovate/argocd-app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://git.chemavx.xyz/chemavx/k8s-manifests
+    targetRevision: HEAD
+    path: renovate
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

renovate/configmap-renovate.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-config
+  namespace: renovate
+data:
+  config.js: |
+    module.exports = {
+      platform: 'gitea',
+      endpoint: 'https://git.chemavx.xyz',
+      repositories: [
+        'chemavx/researchowl',
+        'chemavx/polymarket-bot',
+        'chemavx/n8n',
+      ],
+      automerge: false,
+      assignees: ['chemavx'],
+      labels: ['renovate'],
+      prCreation: 'not-pending',
+      timezone: 'Europe/Madrid',
+      schedule: ['after 9am and before 6pm on weekdays'],
+      packageRules: [
+        {
+          // Major bumps: crear PR pero no automerge, requiere revisión manual
+          matchUpdateTypes: ['major'],
+          automerge: false,
+          labels: ['renovate', 'major-update'],
+        },
+        {
+          // Minor bumps: PR sin automerge
+          matchUpdateTypes: ['minor'],
+          automerge: false,
+        },
+        {
+          // Patch bumps: automerge automático
+          matchUpdateTypes: ['patch'],
+          automerge: true,
+          automergeType: 'pr',
+        },
+        {
+          // Imágenes del registry privado: nunca tocar (tags son commits SHA)
+          matchPackagePatterns: ['^git\\.chemavx\\.xyz/'],
+          enabled: false,
+        },
+      ],
+    };

renovate/cronjob-renovate.yaml

@@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  schedule: "0 */6 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 0
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: renovate
+            image: ghcr.io/renovatebot/renovate:latest
+            imagePullPolicy: Always
+            env:
+            - name: RENOVATE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: renovate-token
+                  key: RENOVATE_TOKEN
+            - name: RENOVATE_CONFIG_FILE
+              value: /opt/renovate/config.js
+            - name: LOG_LEVEL
+              value: info
+            resources:
+              requests:
+                cpu: 100m
+                memory: 256Mi
+              limits:
+                cpu: "1"
+                memory: 1Gi
+            volumeMounts:
+            - name: config
+              mountPath: /opt/renovate
+              readOnly: true
+          volumes:
+          - name: config
+            configMap:
+              name: renovate-config

renovate/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate

renovate/secret-renovate.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: renovate-token
+  namespace: renovate
+type: Opaque
+stringData:
+  # Reemplazar con el token de Gitea que crees en:
+  # https://git.chemavx.xyz/user/settings/applications
+  RENOVATE_TOKEN: "PLACEHOLDER"