chiragmak10
diff --git a/‎.github/workflows/renovate.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/renovate.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎IMPLEMENTATION_SUMMARY.md‎
Lines changed: 0 additions & 280 deletions b/‎IMPLEMENTATION_SUMMARY.md‎
Lines changed: 0 additions & 280 deletions
diff --git a/‎README.md‎
Lines changed: 12 additions & 4 deletions b/‎README.md‎
Lines changed: 12 additions & 4 deletions
@@ -14,8 +14,17 @@ jobs:
   renovate:
     name: Run Renovate Bot
     runs-on: ubuntu-latest
+    env:
+      RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
 
     steps:
+      - name: Validate Renovate token
+        if: ${{ env.RENOVATE_TOKEN == '' }}
+        run: |
+          echo "RENOVATE_TOKEN is not configured."
+          echo "Set repository secret RENOVATE_TOKEN (fine-grained token with Contents: Read/Write and Pull requests: Read/Write)."
+          exit 1
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
 
@@ -120,16 +120,24 @@ This repo now uses Renovate to auto-update dependencies (including template mani
 
 ### One-time setup
 
-1. No additional token is required. Renovate uses the default `secrets.GITHUB_TOKEN`.
-2. Enable repository auto-merge in GitHub settings.
-3. Protect `master` and require CI checks before merge.
+1. Create a repository secret named `RENOVATE_TOKEN`.
+2. Use a fine-grained GitHub token scoped to this repository with:
+   - Contents: Read and write
+   - Pull requests: Read and write
+3. Enable repository auto-merge in GitHub settings.
+4. Protect `master`, require CI checks before merge, and enable merge queue.
+
+Why: PRs created with `GITHUB_TOKEN` do not trigger downstream `pull_request` workflows. Using `RENOVATE_TOKEN` ensures CI checks run and automerge can complete.
 
 Workflow file: `.github/workflows/renovate.yml`  
 Config file: `renovate.json`
 
 Behavior:
 
-- All dependency updates (major, minor, patch) auto-merge after checks pass.
+- Renovate runs with controlled concurrency (`prConcurrentLimit` and `branchConcurrentLimit` set to `3`) to reduce conflicts.
+- Major updates are never auto-merged and require manual review.
+- Minor, patch, pin, and digest updates are grouped into fewer PRs and auto-merge after checks pass.
+- Renovate automatically rebases dependency PRs when they fall behind `master`.
 - Custom regex managers keep template manifests, the resolver registry, and README dependency rows in sync.
 
 ## Screenshot