[#2332] Added stability flags workaround and fixed manual trigger bypass for dependency updates.

[AlexSkrypnyk]

Closes #2332

Summary

This PR addresses two Renovate improvements:

1. Stability flags workaround: Renovate has a known bug (renovatebot/renovate#24993) where it incorrectly rewrites version constraints that include stability flags (e.g., ^2@alpha becomes ^2.0.0-alpha4@alpha). A new packageRules entry in renovate.json sets rangeStrategy: "update-lockfile" for any Composer package whose constraint ends with a stability flag. Renovate will still keep composer.lock up to date but will not modify the constraint in composer.json.

2. Manual trigger bypass: The update-dependencies.yml workflow now uses RENOVATE_FORCE to bypass schedules, PR hourly limits, and branch concurrent limits when manually triggered. The previous approach of mutating the local renovate.json with jq did not work because Renovate reads the repo-level config from the remote repository, not the locally modified file. RENOVATE_FORCE is Renovate's highest-priority config layer and correctly overrides repo-level settings.

Changes

Stability flags (renovate.json)

• Added packageRules entry matching Composer packages with stability flags (/@(dev|alpha|beta|RC|stable)$/) and setting rangeStrategy: "update-lockfile".
• Affected packages: drupal/config_update (^2@alpha), drupal/coder (^9@alpha), phpcompatibility/php-compatibility (^10.0@alpha).

Manual trigger bypass (.github/workflows/update-dependencies.yml)

• Removed the jq-based schedule stripping step (it had no effect on the repo-level config Renovate reads).
• Added RENOVATE_FORCE env var on manual dispatch that sets {"schedule":[],"prHourlyLimit":0,"branchConcurrentLimit":0}, bypassing all three restrictions at the highest config priority level.
• The preserve_schedules input still works — when set to true, RENOVATE_FORCE is not applied.

Snapshots

• Updated installer test baseline and fixture snapshots to reflect both changes.

[coderabbitai]

Walkthrough

Added a Renovate packageRules entry for the Composer manager to use rangeStrategy: "update-lockfile" for dependencies whose current values end with stability flags (dev, alpha, beta, RC, stable). Modified the GitHub Actions workflow to set a RENOVATE_FORCE environment JSON (clearing schedule and setting prHourlyLimit/branchConcurrentLimit to 0) when runs are manually triggered with workflow_dispatch and inputs.preserve_schedules == false.

Changes

Cohort / File(s)	Summary
Renovate configuration renovate.json	Add a packageRules entry scoped to composer that matches current values ending in stability flags and applies rangeStrategy: "update-lockfile" for those matches (changes how Composer constraints are updated).
GitHub Actions workflow .github/workflows/update-dependencies.yml	On manual workflow_dispatch with preserve_schedules == false, set RENOVATE_FORCE to a JSON string that empties schedule and sets prHourlyLimit and branchConcurrentLimit to 0; otherwise set it to an empty string. Removed prior manual-run mutation/printing steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• [#2249] Changed Renovate rangeStrategy to bump #2250: Adjusts Renovate rangeStrategy settings globally; related to Composer range handling in this PR.
• Fixed Renovate manual trigger not bypassing schedule. #1762: Modifies the same .github/workflows/update-dependencies.yml behavior for manual Renovate runs; closely related.
• Updated Renovate config to only update deps in the root of the project. #2277: Edits Renovate packageRules for Composer; overlaps with package matching and rule scope.

Suggested labels

Dependencies

Poem

🐰 I tunneled through JSON, nimble and spry,
I nudged the rules so wrong bumps pass by.
When humans press "run" at dawn's soft light,
I whisper an env and keep schedules right.
🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR successfully implements the objective from issue #2332 by adding a packageRules entry to renovate.json that prevents Renovate from rewriting Composer constraints with trailing stability flags while keeping composer.lock updated.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing issue #2332: renovate.json updates add the stability-flag workaround, and the workflow changes support manual trigger functionality without unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: the stability flags workaround for Renovate and the fix for manual trigger bypass for dependency updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/stability-flag-workaround

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.14%. Comparing base (f2fb245) to head (7902697).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2424      +/-   ##
==========================================
- Coverage   79.64%   79.14%   -0.51%     
==========================================
  Files         126      120       -6     
  Lines        6761     6642     -119     
  Branches       44        0      -44     
==========================================
- Hits         5385     5257     -128     
- Misses       1376     1385       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[AlexSkrypnyk]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)