diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0f58bd188d963bd8afbb7eb3ad45fe35298ee24..ede2a51c78fab82f1913b6f694175f90d63ba535 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,19 @@
-# [1.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/renovate/compare/1.2.2...1.3.0) (2024-08-29)
+## [1.4.1](https://gitlab.com/to-be-continuous/renovate/compare/1.4.0...1.4.1) (2024-12-09)
+
+
+### Bug Fixes
+
+* renovate cannot upgrade overwritten TBC Docker images ([6a3794b](https://gitlab.com/to-be-continuous/renovate/commit/6a3794bddfeed511543c3b8a912729302739f6ff))
+* specifiy user agent to fix check links issue on mend.io ([2814754](https://gitlab.com/to-be-continuous/renovate/commit/2814754b05915cafb1e171df4a212f65f855c2a7))
+
+# [1.4.0](https://gitlab.com/to-be-continuous/renovate/compare/1.3.0...1.4.0) (2024-08-30)
+
+
+### Features
+
+* standard TBC secrets decoding ([adf9450](https://gitlab.com/to-be-continuous/renovate/commit/adf9450f9392d5ec7aced16a281e23346d190622))
+
+# [1.3.0](https://gitlab.com/to-be-continuous/renovate/compare/1.2.2...1.3.0) (2024-08-23)
 
 
 ### Bug Fixes
diff --git a/README.md b/README.md
index dff8f2313af207cdffcc356a868f086b7f34f1f2..2f45bb77b320fa7db6c83c85223cc88bf71d9c17 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/renovate/gitlab-ci-renovate@1.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/renovate/gitlab-ci-renovate@1.4.1
 ```
 
 ### Use as a CI/CD template (legacy)
@@ -25,7 +25,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # include the template
   - project: "to-be-continuous/renovate"
-    ref: "1.2.2"
+    ref: "1.4.1"
     file: "/templates/gitlab-ci-renovate.yml"
 ```
 
@@ -72,6 +72,38 @@ Defaults values are set to manage GitLab features :
 | [`RENOVATE_LOG_FILE`](https://docs.renovatebot.com/config-overview/#logging-variables)                       | `renovate-log.ndjson`                     |
 | [`RENOVATE_LOG_FILE_LEVEL`](https://docs.renovatebot.com/config-overview/#logging-variables)                 | `debug`                                   |
 
+#### Default onboarding configuration
+`
+The default [onboarding configuration](https://docs.renovatebot.com/self-hosted-configuration/#onboardingconfig) is suitable for projects using to-be-continuous:
+
+- looks for user-defined inputs and variables in your `.gitlab-ci.yml` defining Docker images (ex: `SOMETOOL_IMAGE: docker.io/sometool:1.2.2`)
+
+```json
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], 
+      "matchStrings": [ "\\s?_IMAGE:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], 
+      "datasourceTemplate": "docker" 
+    },
+    {
+      "customType": "regex",
+      "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], 
+      "matchStrings": [ "\\s?image:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], 
+      "datasourceTemplate": "docker" 
+    }
+  ] 
+}
+```
 ### Dry-run implementation details
 
 Depending on the source of a pipeline, the template will either perform your dependency updates (create/update/delete branches and MRs)
diff --git a/bumpversion.sh b/bumpversion.sh
index 329e866dac988c049574a0a9f26ba89979c523a8..708faf434d2459d63b2bdaceada5eb32b0fd39eb 100755
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
   log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
 
   # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
   mv -f README.md.next README.md
 
   # replace in template and variants
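Review bot: `$curVer` is still interpolated unescaped into the pattern side of all three `sed` expressions on the corrected line, so every `.` in the version matches any character and a `ref:` or `component:` line carrying a different but similar-looking string could be rewritten. Escaping the dots first, e.g. `curVerRe=${curVer//./\\.}`, and using `$curVerRe` in the patterns (the replacement side keeps `$nextVer`) makes the match literal. The enclosing `if [[ "$curVer" ]]` block starts and ends outside the hunk.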
diff --git a/kicker.json b/kicker.json
index 1e9f9baa54b60e20f51dabd229b9b3d898c761f6..5f590da918ee797d6aaa0b22f60a113e88bef8d9 100644
--- a/kicker.json
+++ b/kicker.json
@@ -11,6 +11,11 @@
       "description": "The Docker image used to run Renovate",
       "default": "registry.hub.docker.com/renovate/renovate:latest"
     },
+    {
+      "name": "RENOVATE_ONBOARDING_CONFIG",
+      "description": "Renovate configuration to use for onboarding PRs",
+      "default": "{\n  \"$$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n  \"extends\": [\n    \"config:recommended\",\n    \":dependencyDashboard\"\n  ],\n \"labels\": [\n   \"dependencies\"\n  ],\n  \"customManagers\": [\n    {\n      \"customType\": \"regex\",\n      \"fileMatch\": [ \"\\\\.gitlab-ci\\\\.ya?ml$\" ], \n      \"matchStrings\": [ \"\\\\s?_IMAGE:\\\\s['\\\"](?<registryUrls>.*?)\\\\/(?<depName>.*?):(?<currentValue>.*)['\\\"]\" ], \n      \"datasourceTemplate\": \"docker\" \n    },\n    {\n      \"customType\": \"regex\",\n      \"fileMatch\": [ \"\\\\.gitlab-ci\\\\.ya?ml$\" ], \n      \"matchStrings\": [ \"\\\\s?image:\\\\s['\\\"](?<registryUrls>.*?)\\\\/(?<depName>.*?):(?<currentValue>.*)['\\\"]\" ], \n      \"datasourceTemplate\": \"docker\" \n    }\n  ] \n}"
+    },
     {
       "name": "RENOVATE_TOKEN",
       "description": "A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication)",
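Review bot: The named group `(?<registryUrls>.*?)` in both `matchStrings` of the new `RENOVATE_ONBOARDING_CONFIG` default is, as far as I know, not a capture group that Renovate's regex manager acts on; it documents `registryUrl` (singular) and `registryUrlTemplate`. If so, the registry host is captured and then discarded, and only `depName` (the part after the first `/`) is looked up with `datasourceTemplate` set to `docker`. For an image hosted on a private or non-default registry, version data would then come from a registry the project never pulls from. Consider keeping the host inside the dependency name, e.g. `(?<depName>[^'\"]+?):(?<currentValue>[^'\"]+)`, or setting the registry explicitly through `registryUrlTemplate`, and confirm against the Renovate documentation. The same string is repeated in the `onboarding-config` input of `templates/gitlab-ci-renovate.yml` and in the README.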
diff --git a/lychee.toml b/lychee.toml
new file mode 100644
index 0000000000000000000000000000000000000000..008ae9f71c80c080785ec0aa9328cbc8767eaca6
--- /dev/null
+++ b/lychee.toml
@@ -0,0 +1,5 @@
+
+#############################  Requests  ############################
+
+# User agent to send with each request.
+user_agent = "Mozilla/version Gecko/version Firefox/version"
diff --git a/templates/gitlab-ci-renovate.yml b/templates/gitlab-ci-renovate.yml
index bd037d12b3fe2b0045cdfeb62ea156f94a1885c3..e48446fa91f6fb4bc3b3a122c71d779f93eb8ca5 100644
--- a/templates/gitlab-ci-renovate.yml
+++ b/templates/gitlab-ci-renovate.yml
@@ -27,6 +27,33 @@ spec:
       description: tags to filter applicable runners for renovate-depcheck job
       default: []
       type: array
+    onboarding-config:
+      description: Renovate configuration to use for onboarding PRs
+      default: >-
+        {
+          "$$schema": "https://docs.renovatebot.com/renovate-schema.json",
+          "extends": [
+            "config:recommended",
+            ":dependencyDashboard"
+          ],
+         "labels": [
+           "dependencies"
+          ],
+          "customManagers": [
+            {
+              "customType": "regex",
+              "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], 
+              "matchStrings": [ "\\s?_IMAGE:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], 
+              "datasourceTemplate": "docker" 
+            },
+            {
+              "customType": "regex",
+              "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], 
+              "matchStrings": [ "\\s?image:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], 
+              "datasourceTemplate": "docker" 
+            }
+          ] 
+        }
 ---
 workflow:
   rules:
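Review bot: Both `matchStrings` in the `onboarding-config` default require a quote directly after the key (`\\s['\"]`) and a `/` before the image name. An unquoted value such as `SOMETOOL_IMAGE: docker.io/sometool:1.2.2`, which is the form the README gives as its example, or a quoted image without a registry prefix is therefore never matched and silently receives no update proposals. The greedy `(?<currentValue>.*)['\"]` also runs to the last quote on the line, so anything quoted later on the same line ends up in the version. Making the quotes optional and bounding the tag, for example `(?<currentValue>[^'\"\\s]+)['\"]?` with `\\s+['\"]?` after the key, would cover both cases. A short comment above `default:` stating which image notations are recognised would also help. The `workflow:` block after the `---` continues outside the hunk.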
@@ -70,6 +97,7 @@ variables:
   RENOVATE_LOG_FILE: renovate-log.ndjson
   RENOVATE_LOG_FILE_LEVEL: debug
   LOG_LEVEL: info
+  RENOVATE_ONBOARDING_CONFIG: $[[ inputs.onboarding-config ]]
 
 .renovate-scripts: &renovate-scripts |
   # BEGSCRIPT
@@ -219,7 +247,79 @@ variables:
     log_info "... done"
   }
 
+  # evaluate and export a secret
+  # - $1: secret variable name
+  function eval_secret() {
+    name=$1
+    value=$(eval echo "\$${name}")
+    case "$value" in
+    @b64@*)
+      decoded=$(mktemp)
+      errors=$(mktemp)
+      if echo "$value" | cut -c6- | base64 -d > "${decoded}" 2> "${errors}"
+      then
+        # shellcheck disable=SC2086
+        export ${name}="$(cat ${decoded})"
+        log_info "Successfully decoded base64 secret \\e[33;1m${name}\\e[0m"
+      else
+        fail "Failed decoding base64 secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+      fi
+      ;;
+    @hex@*)
+      decoded=$(mktemp)
+      errors=$(mktemp)
+      if echo "$value" | cut -c6- | sed 's/\([0-9A-F]\{2\}\)/\\\\x\1/gI' | xargs printf > "${decoded}" 2> "${errors}"
+      then
+        # shellcheck disable=SC2086
+        export ${name}="$(cat ${decoded})"
+        log_info "Successfully decoded hexadecimal secret \\e[33;1m${name}\\e[0m"
+      else
+        fail "Failed decoding hexadecimal secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+      fi
+      ;;
+    @url@*)
+      url=$(echo "$value" | cut -c6-)
+      if command -v curl > /dev/null
+      then
+        decoded=$(mktemp)
+        errors=$(mktemp)
+        if curl -s -S -f --connect-timeout 5 -o "${decoded}" "$url" 2> "${errors}"
+        then
+          # shellcheck disable=SC2086
+          export ${name}="$(cat ${decoded})"
+          log_info "Successfully curl'd secret \\e[33;1m${name}\\e[0m"
+        else
+          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+        fi
+      elif command -v wget > /dev/null
+      then
+        decoded=$(mktemp)
+        errors=$(mktemp)
+        if wget -T 5 -O "${decoded}" "$url" 2> "${errors}"
+        then
+          # shellcheck disable=SC2086
+          export ${name}="$(cat ${decoded})"
+          log_info "Successfully wget'd secret \\e[33;1m${name}\\e[0m"
+        else
+          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+        fi
+      else
+        fail "Couldn't get secret \\e[33;1m${name}\\e[0m: no http client found"
+      fi
+      ;;
+    esac
+  }
+
+  function eval_all_secrets() {
+    encoded_vars=$(env | grep -v '^scoped__' | awk -F '=' '/^[a-zA-Z0-9_]*=@(b64|hex|url)@/ {print $1}')
+    for var in $encoded_vars
+    do
+      eval_secret "$var"
+    done
+  }
+
   unscope_variables
+  eval_all_secrets
 
   # ENDSCRIPT
 
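Review bot: `eval_secret` writes every decoded secret to a `mktemp` file (`decoded=$(mktemp)`) and never removes it, so the clear-text value stays in the job's temp directory after the `export`. Add `rm -f "${decoded}" "${errors}"` in each branch once the value has been exported or the error text has been reported. `name`, `value`, `decoded`, `errors` and `url` are also assigned without `local`, so the last raw value lingers in the shell that runs this script. `local name value decoded errors url` at the top of the function would confine them, assuming the job shell supports `local`. In the `@url@` branch a failed download only calls `log_warn`, unlike the `fail` used for base64 and hex, so the variable keeps its literal `@url@…` value and the job continues with it; if that is deliberate it deserves a comment. The `&renovate-scripts` block that holds these functions starts outside the hunk.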
@@ -239,7 +339,7 @@ stages:
   image: $RENOVATE_IMAGE
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "renovate", "1.3.0"]
+      command: ["--service", "renovate", "1.4.1"]
   variables:
     RENOVATE_BASE_DIR: $CI_PROJECT_DIR
     RENOVATE_CACHE_DIR: $CI_PROJECT_DIR/.cache/renovate