diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..485dee64bcfb48793379b200a1afd14e85a8aaf4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f40668c0e1a6b1fd49df9314ae163fd957378232
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,29 @@
+include:
+  - project: 'to-be-continuous/tools/gitlab-ci'
+    ref: 'master'
+    file: '/templates/extract.yml'
+  - project: 'to-be-continuous/tools/gitlab-ci'
+    ref: 'master'
+    file: '/templates/validation.yml'
+  - project: 'to-be-continuous/kicker'
+    ref: 'master'
+    file: '/templates/validation.yml'
+  - project: 'to-be-continuous/bash'
+    ref: '3.2'
+    file: 'templates/gitlab-ci-bash.yml'
+  - project: 'to-be-continuous/semantic-release'
+    ref: '3.6'
+    file: '/templates/gitlab-ci-semrel.yml'
+
+stages:
+  - build
+  - publish
+
+variables:
+  GITLAB_CI_FILES: "templates/gitlab-ci-renovate.yml"
+  BASH_SHELLCHECK_FILES: "*.sh"
+
+semantic-release:
+  rules:
+    # on production branch(es): auto if SEMREL_AUTO_RELEASE_ENABLED
+    - if: '$TMPL_RELEASE_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
diff --git a/.gitlab/issue_templates/feature_request.md b/.gitlab/issue_templates/feature_request.md
index b75185104c139e05d39a2a28db6ac9a20acbcc8b..666c5fb191c2f1ad04c45718ba64b6f4dd4762a6 100644
--- a/.gitlab/issue_templates/feature_request.md
+++ b/.gitlab/issue_templates/feature_request.md
@@ -5,7 +5,7 @@
 ## Implementation ideas
 
 (If you have any implementation ideas, they can go here.)
-(Any design change proposal could be also discussed on the _to be continuous_ Google Group: https://groups.google.com/g/tbc-dev.)
+(Any design change proposal could be also discussed on the _to be continuous_ Discord server.)
 
 
 /label ~"kind/enhancement" ~"status/needs-investigation"
diff --git a/.releaserc.yml b/.releaserc.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4360313a707b37d81d052068e6f2e41587172843
--- /dev/null
+++ b/.releaserc.yml
@@ -0,0 +1,22 @@
+plugins: [
+  "@semantic-release/commit-analyzer",
+  "@semantic-release/release-notes-generator",
+  "@semantic-release/gitlab",
+  "@semantic-release/changelog",    
+  [
+    "@semantic-release/exec",
+    {
+      "prepareCmd": "./bumpversion.sh \"${lastRelease.version}\" \"${nextRelease.version}\" \"${nextRelease.type}\"",
+      "successCmd": "./post-release.sh \"${nextRelease.version}\""
+    }
+  ],
+  [
+    "@semantic-release/git",
+    {
+      "assets": ["*.md", "templates/*.yml"]
+    }
+  ]
+]
+branches:
+  - "master"
+tagFormat: "${version}"
\ No newline at end of file
diff --git a/CONTRIBUTE.md b/CONTRIBUTING.md
similarity index 97%
rename from CONTRIBUTE.md
rename to CONTRIBUTING.md
index 5a24023bf705aac9821202c2ef30e06071db25e5..590000261af6cc09c99120f6ec802e87bba1460f 100644
--- a/CONTRIBUTE.md
+++ b/CONTRIBUTING.md
@@ -5,6 +5,8 @@ We try to make it easy, and all contributions, even the smaller ones, are more t
 This includes bug reports, fixes, documentation, examples...
 But first, read this page (including the small print at the end).
 
+Contributions are available on https://gitlab.com/to-be-continuous/renovate
+
 ## Legal
 
 All original contributions to _to be continuous_ are licensed under the
diff --git a/README.md b/README.md
index 2821555683fa462a5c81a13d6712091d86e899fa..779799b7724dbef1757a92f9da42e6a5b571765f 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,39 @@
-# GitLab CI template Skeleton
+# GitLab CI template for Renovate
 
-This is a skeleton project for starting a new _to be continuous_ template.
+Automate your dependency updates with [Renovate](https://www.mend.io/renovate/).
 
-You shall fork it when you want to start developing a new template.
+## Usage
 
-Based on the kind of template (build, analyse, hosting, acceptance, ...), you should start working from one of the available `initial-xxx` branches, that each implement basic stuff.
+In order to include this template in your project, add the following to your `gitlab-ci.yml`:
 
+```yaml
+include:
+  - project: 'to-be-continuous/renovate'
+    ref: '1.0.0'
+    file: '/templates/gitlab-ci-renovate.yml'
+```
+
+## Configuration
+
+The Renovate template uses some global configuration used throughout all jobs.
+
+| Name                   | description                                                                     | default value     |
+|------------------------|---------------------------------------------------------------------------------|-------------------|
+| `RENOVATE_IMAGE`       | The Docker image used to run Renovate                                           | `registry.hub.docker.com/renovate/renovate:latest` |
+| :lock: `RENOVATE_TOKEN`| A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication) | _none_ |
+| :lock: `GITHUB_COM_TOKEN`| A GitHub access token to allow Renovate fetch changelogs. [See doc](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs) | _none_ |
+
+This template will help you using [Renovate](https://www.mend.io/renovate/) from a GitLab project to
+automate your dependency updates within your groups or projects.
+On the contrary to other to-be-continuous templates, this one should be used in a separate project that
+will be in charge of crawling all your other projects.
+
+Upon including the template, carefuly follow [Renovate's documentation](https://docs.renovatebot.com/) to
+configure the bot accordingly. Pay attention to the following:
+
+* Remember to set the [platform](https://docs.renovatebot.com/self-hosted-configuration/#platform) parameter
+  to `gitlab` in your configuration.
+* [GitLab platform integration](https://docs.renovatebot.com/modules/platform/gitlab/) requires that you
+  declare a `RENOVATE_TOKEN` variable with an access token.
+* You'll also probaly need to declare a `GITHUB_COM_TOKEN` variable, holding a GitHub access token 
+  (for [fetching changelogs](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs))
diff --git a/Renovate.r2.yml b/Renovate.r2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c9abda55a0313a1f0b723d23ee094f97a20b2c81
--- /dev/null
+++ b/Renovate.r2.yml
@@ -0,0 +1,13 @@
+files:
+    template: ./templates/gitlab-ci-renovate.yml
+    documentation: ./README.md
+    changelog: ./CHANGELOG.md
+data:
+    description: "Automate your dependency updates with Renovate"
+    public: true
+    labels:
+    - to be continuous
+    - Renovate
+    - Dependency Updates
+    license: LGPL v3
+    deprecated: false
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000000000000000000000000000000000..7829ff13716e85ffb1dfd13503b2093b1ee93235
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes and updates are only applied to the latest released version. So always try to be up to date.
+
+## Reporting a Vulnerability
+
+In order to minimize risks of attack while investigating and fixing the issue, any vulnerability shall be reported by 
+opening a [**confidential** issue on gitlab.com](https://gitlab.com/to-be-continuous/renovate/-/issues/new?issue[confidential]=true&issue[description]=%28type+in+the+vulnerability+details+here%29%0A%0A%2Flabel%20~%22kind%3A%3Avulnerability%22).
+
+Follow-up and fixing will be made on a _best effort_ basis.
+
+If you have doubts about a potential vulnerability, please reach out one of the maintainers on Discord.
diff --git a/bumpversion.sh b/bumpversion.sh
new file mode 100755
index 0000000000000000000000000000000000000000..f06829a406ca8da98e570e8ad7d8bb22367b668d
--- /dev/null
+++ b/bumpversion.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+function log_info() {
+  >&2 echo -e "[\\e[1;94mINFO\\e[0m] $*"
+}
+
+function log_warn() {
+  >&2 echo -e "[\\e[1;93mWARN\\e[0m] $*"
+}
+
+function log_error() {
+  >&2 echo -e "[\\e[1;91mERROR\\e[0m] $*"
+}
+
+# check number of arguments
+if [[ "$#" -le 2 ]]; then
+  log_error "Missing arguments"
+  log_error "Usage: $0 <current version> <next version>"
+  exit 1
+fi
+
+curVer=$1
+nextVer=$2
+relType=$3
+
+if [[ "$curVer" ]]; then
+  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
+
+  # replace in README
+  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  mv -f README.md.next README.md
+
+  # replace in template and variants
+  for tmpl in templates/*.yml
+  do
+    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    mv -f "$tmpl.next" "$tmpl"
+  done
+else
+  log_info "Bump version to \\e[33;1m${nextVer}\\e[0m (release type: $relType): this is the first release (skip)..."
+fi
diff --git a/kicker.json b/kicker.json
new file mode 100644
index 0000000000000000000000000000000000000000..c1cb213f22bdc5b9ee3c2fbc69b09297b17165bb
--- /dev/null
+++ b/kicker.json
@@ -0,0 +1,23 @@
+{
+  "name": "Renovate",
+  "description": "Automate your dependency updates with [Renovate](https://www.mend.io/renovate/)",
+  "template_path": "templates/gitlab-ci-renovate.yml",
+  "kind": "misc",
+  "variables": [
+    {
+      "name": "RENOVATE_IMAGE",
+      "description": "The Docker image used to run Renovate",
+      "default": "registry.hub.docker.com/renovate/renovate:latest"
+    },
+    {
+      "name": "RENOVATE_TOKEN",
+      "description": "A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication)",
+      "secret": true
+    },
+    {
+      "name": "GITHUB_COM_TOKEN",
+      "description": "A GitHub access token to allow Renovate fetch changelogs. [See doc](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs)",
+      "secret": true
+    }
+  ]
+}
diff --git a/logo.png b/logo.png
index 1d49ae4c533c608703bafbc7d380cac36a97fc9f..70753a173ed09089752a12e8a2006dc8dfc927c2 100644
Binary files a/logo.png and b/logo.png differ
diff --git a/post-release.sh b/post-release.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6d197865fe21a418897824f758d127af2b59ef98
--- /dev/null
+++ b/post-release.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+function log_info() {
+  >&2 echo -e "[\\e[1;94mINFO\\e[0m] $*"
+}
+
+function log_warn() {
+  >&2 echo -e "[\\e[1;93mWARN\\e[0m] $*"
+}
+
+function log_error() {
+  >&2 echo -e "[\\e[1;91mERROR\\e[0m] $*"
+}
+
+# check number of arguments
+if [[ "$#" -lt 1 ]]; then
+  log_error "Missing arguments"
+  log_error "Usage: $0 <next version>"
+  exit 1
+fi
+
+nextVer=$1
+minorVer=${nextVer%\.[0-9]*}
+majorVer=${nextVer%\.[0-9]*\.[0-9]*}
+
+log_info "Creating minor version tag alias \\e[33;1m${minorVer}\\e[0m from $nextVer..."
+git tag --force -a "$minorVer" "$nextVer" -m "Minor version alias (targets $nextVer)"
+
+log_info "Creating major version tag alias \\e[33;1m${majorVer}\\e[0m from $nextVer..."
+git tag --force -a "$majorVer" "$nextVer" -m "Major version alias (targets $nextVer)"
+
+log_info "Pushing tags..."
+git_base_url=$(echo "$CI_REPOSITORY_URL" | cut -d\@ -f2)
+git_auth_url="https://token:${GITLAB_TOKEN}@${git_base_url}"
+git push --tags --force "$git_auth_url"
diff --git a/templates/gitlab-ci-renovate.yml b/templates/gitlab-ci-renovate.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fb607937959b4659bb776282b8c0480a4c91604c
--- /dev/null
+++ b/templates/gitlab-ci-renovate.yml
@@ -0,0 +1,265 @@
+# =========================================================================================
+# Copyright (C) 2021 Orange & contributors
+#
+# This program is free software; you can redistribute it and/or modify it under the terms
+# of the GNU Lesser General Public License as published by the Free Software Foundation;
+# either version 3 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along with this
+# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
+# Floor, Boston, MA  02110-1301, USA.
+# =========================================================================================
+# default workflow rules: Merge Request pipelines
+workflow:
+  rules:
+    # prevent branch pipeline when an MR is open (prefer MR pipeline)
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*tag(,[^],]*)*\]/" && $CI_COMMIT_TAG'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*branch(,[^],]*)*\]/" && $CI_COMMIT_BRANCH'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*mr(,[^],]*)*\]/" && $CI_MERGE_REQUEST_ID'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*default(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $CI_DEFAULT_BRANCH'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*prod(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*integ(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*dev(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
+      when: never
+    - when: always
+
+
+variables:
+  # variabilized tracking image
+  TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
+
+  RENOVATE_IMAGE: "registry.hub.docker.com/renovate/renovate:latest"
+  RENOVATE_ENDPOINT: $CI_API_V4_URL
+  
+  RENOVATE_LOG_FILE: renovate-log.ndjson
+  RENOVATE_AUTODISCOVER_FILTER: '${CI_PROJECT_ROOT_NAMESPACE}/**'
+  RENOVATE_BINARY_SOURCE: install
+  RENOVATE_LOG_FILE_LEVEL: debug
+  LOG_LEVEL: info
+
+.renovate-scripts: &renovate-scripts |
+  # BEGSCRIPT
+  set -e
+
+  function log_info() {
+      echo -e "[\\e[1;94mINFO\\e[0m] $*"
+  }
+
+  function log_warn() {
+      echo -e "[\\e[1;93mWARN\\e[0m] $*"
+  }
+
+  function log_error() {
+      echo -e "[\\e[1;91mERROR\\e[0m] $*"
+  }
+
+  function assert_defined() {
+    if [[ -z "$1" ]]
+    then
+      log_error "$2"
+      exit 1
+    fi
+  }
+
+  function install_ca_certs() {
+    certs=$1
+    if [[ -z "$certs" ]]
+    then
+      return
+    fi
+
+    if [[ ! "$(whoami)" == "root" ]]
+    then
+      log_warn "can't install custom CA certificates (not root user); make sure to handle it"
+      return
+    fi
+
+    # List of typical bundles
+    bundles="/etc/ssl/certs/ca-certificates.crt"                            # Debian/Ubuntu/Gentoo etc.
+    bundles="${bundles} /etc/ssl/cert.pem"                                  # Alpine Linux
+    bundles="${bundles} /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # CentOS/RHEL 7
+    bundles="${bundles} /etc/pki/tls/certs/ca-bundle.crt"                   # Fedora/RHEL 6
+    bundles="${bundles} /etc/ssl/ca-bundle.pem"                             # OpenSUSE
+    bundles="${bundles} /etc/pki/tls/cacert.pem"                            # OpenELEC
+
+    # Try to find the right bundle to update it with custom CA certificates
+    for bundle in ${bundles}
+    do
+      # import if bundle exists
+      if [[ -f "${bundle}" ]]
+      then
+        # Import certificates in bundle
+        echo "${certs}" | tr -d '\r' >> "${bundle}"
+
+        log_info "Custom CA certificates imported in \\e[33;1m${bundle}\\e[0m"
+        ca_imported=1
+        break
+      fi
+    done
+
+    if [[ -z "$ca_imported" ]]
+    then
+      log_warn "Could not import custom CA certificates !"
+    fi
+  }
+
+  function unscope_variables() {
+    _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
+    if [[ -z "$_scoped_vars" ]]; then return; fi
+    log_info "Processing scoped variables..."
+    for _scoped_var in $_scoped_vars
+    do
+      _fields=${_scoped_var//__/:}
+      _condition=$(echo "$_fields" | cut -d: -f3)
+      case "$_condition" in
+      if) _not="";;
+      ifnot) _not=1;;
+      *)
+        log_warn "... unrecognized condition \\e[1;91m$_condition\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+        continue
+      ;;
+      esac
+      _target_var=$(echo "$_fields" | cut -d: -f2)
+      _cond_var=$(echo "$_fields" | cut -d: -f4)
+      _cond_val=$(eval echo "\$${_cond_var}")
+      _test_op=$(echo "$_fields" | cut -d: -f5)
+      case "$_test_op" in
+      defined)
+        if [[ -z "$_not" ]] && [[ -z "$_cond_val" ]]; then continue;
+        elif [[ "$_not" ]] && [[ "$_cond_val" ]]; then continue;
+        fi
+        ;;
+      equals|startswith|endswith|contains|in|equals_ic|startswith_ic|endswith_ic|contains_ic|in_ic)
+        # comparison operator
+        # sluggify actual value
+        _cond_val=$(echo "$_cond_val" | tr '[:punct:]' '_')
+        # retrieve comparison value
+        _cmp_val_prefix="scoped__${_target_var}__${_condition}__${_cond_var}__${_test_op}__"
+        _cmp_val=${_scoped_var#"$_cmp_val_prefix"}
+        # manage 'ignore case'
+        if [[ "$_test_op" == *_ic ]]
+        then
+          # lowercase everything
+          _cond_val=$(echo "$_cond_val" | tr '[:upper:]' '[:lower:]')
+          _cmp_val=$(echo "$_cmp_val" | tr '[:upper:]' '[:lower:]')
+        fi
+        case "$_test_op" in
+        equals*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val" ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val" ]]; then continue;
+          fi
+          ;;
+        startswith*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val"* ]]; then continue;
+          fi
+          ;;
+        endswith*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val" ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val" ]]; then continue;
+          fi
+          ;;
+        contains*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val"* ]]; then continue;
+          fi
+          ;;
+        in*)
+          if [[ -z "$_not" ]] && [[ "__${_cmp_val}__" != *"__${_cond_val}__"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "__${_cmp_val}__" == *"__${_cond_val}__"* ]]; then continue;
+          fi
+          ;;
+        esac
+        ;;
+      *)
+        log_warn "... unrecognized test operator \\e[1;91m${_test_op}\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+        continue
+        ;;
+      esac
+      # matches
+      _val=$(eval echo "\$${_target_var}")
+      log_info "... apply \\e[32m${_target_var}\\e[0m from \\e[32m\$${_scoped_var}\\e[0m${_val:+ (\\e[33;1moverwrite\\e[0m)}"
+      _val=$(eval echo "\$${_scoped_var}")
+      export "${_target_var}"="${_val}"
+    done
+    log_info "... done"
+  }
+
+  unscope_variables
+
+  # ENDSCRIPT
+
+stages:
+  - build
+  - test
+  - package-build
+  - package-test
+  - infra
+  - deploy
+  - acceptance
+  - publish
+  - infra-prod
+  - production
+
+.renovate-base:
+  image: $RENOVATE_IMAGE
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "renovate", "1.0.0" ]
+  variables:
+    RENOVATE_BASE_DIR: $CI_PROJECT_DIR
+    RENOVATE_CACHE_DIR: $CI_PROJECT_DIR/.cache/renovate
+  # Cache downloaded dependencies and plugins between builds.
+  # To keep cache across branches add 'key: "$CI_JOB_NAME"'
+  # TODO (if necessary): define cache policy here
+  cache:
+    key: ${CI_COMMIT_REF_SLUG}-renovate
+    paths:
+      - .cache/renovate/**
+  before_script:
+    - *renovate-scripts
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+
+# (example) validator job
+renovate-validator:
+  extends: .renovate-base
+  stage: build
+  # force no dependency
+  dependencies: []
+  script:
+    - renovate-config-validator
+
+# dependency check job: on manual or schedule (dry-run otherwise)
+renovate-depcheck:
+  extends: .renovate-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  variables:
+    # dry-run by default
+    RENOVATE_DRY_RUN: "true"
+  script:
+    - renovate $RENOVATE_EXTRA_FLAGS
+  artifacts:
+    when: always
+    expire_in: 1d
+    paths:
+      - "$RENOVATE_LOG_FILE"
+  rules:
+    # not dry run on manual or schedule
+    - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "web"'
+      variables:
+        RENOVATE_DRY_RUN: "false"
+    - if: $RENOVATE_TOKEN