Improve Renovate configuration (#26306)

.github/renovate.json5

@@ -1,20 +1,21 @@
 {
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   extends: [
-    'config:base',
+    'config:recommended',
-    ':dependencyDashboard',
     ':labels(dependencies)',
     ':maintainLockFilesMonthly', // update non-direct dependencies monthly
-    ':prConcurrentLimit10', // only 10 open PRs at the same time
+    ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
+    ':prHourlyLimit2' // Rate limit PR creation to a maximum of two per hour.
   ],
-  stabilityDays: 3, // Wait 3 days after the package has been published before upgrading it
+  minimumReleaseAge: "3", // Wait 3 days after the package has been published before upgrading it
   // packageRules order is important, they are applied from top to bottom and are merged,
   // meaning the most important ones must be at the bottom, for example grouping rules
   // If we do not want a package to be grouped with others, we need to set its groupName
   // to `null` after any other rule set it to something.
+  dependencyDashboardHeader: 'This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more. Before approving any upgrade: read the description and comments in the [`renovate.json5` file](https://github.com/mastodon/mastodon/blob/main/.github/renovate.json5).',
   packageRules: [
     {
-      // Ignore major version bumps for these node packages
+      // Require Dependency Dashboard Approval for major version bumps of these node packages
       matchManagers: ['npm'],
       matchPackageNames: [
         'tesseract.js', // Requires code changes
@@ -41,10 +42,10 @@
         'react-router-dom',
       ],
       matchUpdateTypes: ['major'],
-      enabled: false,
+      "dependencyDashboardApproval": true
     },
     {
-      // Ignore major version bumps for these Ruby packages
+      // Require Dependency Dashboard Approval for major version bumps of these Ruby packages
       matchManagers: ['bundler'],
       matchPackageNames: [
         'rack', // Needs to be synced with Rails version
@@ -55,7 +56,7 @@
         'redis', // Requires manual upgrade and sync with Sidekiq version
       ],
       matchUpdateTypes: ['major'],
-      enabled: false,
+      "dependencyDashboardApproval": true
     },
     {
       // Update Github Actions and Docker images weekly
@@ -63,25 +64,25 @@
       extends: ['schedule:weekly'],
     },
     {
-      // Ignore major & minor bumps for the ruby image, this needs to be synced with .ruby-version
+      // Require Dependency Dashboard Approval for major & minor bumps for the ruby image, this needs to be synced with .ruby-version
       matchManagers: ['dockerfile'],
       matchPackageNames: ['moritzheiber/ruby-jemalloc'],
       matchUpdateTypes: ['minor', 'major'],
-      enabled: false,
+      "dependencyDashboardApproval": true
     },
     {
-      // Ignore major bump for the node image, this needs to be synced with .nvmrc
+      // Require Dependency Dashboard Approval for major bumps for the node image, this needs to be synced with .nvmrc
       matchManagers: ['dockerfile'],
       matchPackageNames: ['node'],
       matchUpdateTypes: ['major'],
-      enabled: false,
+      "dependencyDashboardApproval": true
     },
     {
-      // Ignore major postgres bumps in the docker-compose file, as those break dev environments
+      // Require Dependency Dashboard Approval for major postgres bumps in the docker-compose file, as those break dev environments
       matchManagers: ['docker-compose'],
       matchPackageNames: ['postgres'],
       matchUpdateTypes: ['major'],
-      enabled: false,
+      "dependencyDashboardApproval": true
     },
     {
       // Update devDependencies every week, with one grouped PR