
Replace Renovate config with shared preset (high-risk tier)#4992

Open
bryanbeverly wants to merge 1 commit into main from renovate-shared-config
Open

Replace Renovate config with shared preset (high-risk tier)#4992
bryanbeverly wants to merge 1 commit into
mainfrom
renovate-shared-config

Conversation


@bryanbeverly bryanbeverly commented May 28, 2026

Summary

  • Adds/replaces .github/renovate.json with the org-wide shared Renovate preset (pinned to v1.0.1)
  • High-risk tier: no broad automerge. Only security/CVE fixes and lockfile maintenance automerge (inherited from shared preset).
  • All regular dependency updates (Go, Node, Docker, Python, GitHub Actions) require human review
  • Updates are batched to Monday mornings (UTC) with a 3-day minimum release age

What this does NOT do

  • Does NOT automerge minor/patch updates (unlike low-risk repos)
  • Does NOT automerge GitHub Actions major version bumps
  • Automerge for security/CVE and lockfile maintenance is configured but will not activate until the Renovate bypass is enabled on GitHub rulesets (a later step)

Context

Part of the Dependency Strategy Unification plan (Step 3b).

Test plan

  • Renovate creates/updates a Dependency Dashboard issue on next run
  • PR format matches expected config (labels, grouping, weekly schedule)

Made with Cursor


Note

Low Risk
Only changes Renovate bot configuration; no application runtime, auth, or data paths are touched.

Overview
Renovate is now driven by the org-wide shared preset github>trufflesecurity/.github:renovate-config#v1.0.1 instead of local config:base plus repo-specific prConcurrentLimit / prHourlyLimit.

That pins this repo to the high-risk dependency policy: no broad automerge for normal updates (security/CVE and lockfile maintenance may still automerge per the preset, subject to GitHub ruleset bypass). Expect batched Monday (UTC) runs, a minimum release age, and human review for routine dependency PRs.

Reviewed by Cursor Bugbot for commit 5c49c77.
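The review above describes the intended end state of `.github/renovate.json`: a single `extends` entry pointing at `github>trufflesecurity/.github:renovate-config` pinned to `v1.0.1`, with the local `config:base` and the repo-specific `prConcurrentLimit` / `prHourlyLimit` removed. The script below is an added example (not code from this PR or from the trufflesecurity/.github repo) that lints a Renovate config for exactly that shape: it checks that the shared preset is present and pinned to a release tag rather than a floating ref, and flags local settings that would override the policy the high-risk tier inherits. The preset name and tag come from the PR; the list of keys treated as policy overrides, the semver tag pattern, the `lint_*` function names and all three sample configs are this example's own assumptions.

```python
"""Lint a Renovate config for drift from a pinned shared preset.

Added example, not part of the PR or the trufflesecurity/.github repo. The
shared preset reference and the pinned tag come from the PR; the list of
keys treated as policy overrides and the regex for a pinned tag are this
example's own assumptions.
"""
import json
import re

# Preset named in the PR; the tag pattern is an assumption (semver tag).
SHARED_PRESET = "github>trufflesecurity/.github:renovate-config"
PINNED_TAG = re.compile(r"^v\d+\.\d+\.\d+$")

# Keys that, if set locally, override what the high-risk tier inherits.
# Assumed list for illustration: the knobs the PR says the tier controls
# (automerge, schedule, release age) or removes (PR rate limits).
POLICY_KEYS = ("automerge", "automergeType", "schedule", "minimumReleaseAge",
               "prConcurrentLimit", "prHourlyLimit")


def split_preset(ref: str):
    """Return (name, tag) for 'github>owner/repo:preset#tag'; tag is None if absent."""
    name, sep, tag = ref.partition("#")
    return name, (tag if sep else None)


def lint_renovate_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config matches policy."""
    findings = []
    extends = cfg.get("extends", [])
    shared = [e for e in extends if split_preset(e)[0] == SHARED_PRESET]
    if not shared:
        findings.append(f"does not extend {SHARED_PRESET}")
    for ref in shared:
        _, tag = split_preset(ref)
        if tag is None:
            findings.append(f"{ref}: preset is not pinned (no #tag)")
        elif not PINNED_TAG.match(tag):
            findings.append(f"{ref}: ref {tag!r} is not a release tag")
    # Extra local presets such as config:base duplicate policy the shared one owns.
    for e in extends:
        if e not in shared:
            findings.append(f"extra local preset {e!r} alongside shared preset")
    for key in POLICY_KEYS:
        if key in cfg:
            findings.append(f"local override of {key}={cfg[key]!r}")
    # packageRules that turn on automerge widen what the tier allows.
    for i, rule in enumerate(cfg.get("packageRules", [])):
        if rule.get("automerge"):
            findings.append(f"packageRules[{i}] enables automerge locally")
    return findings


def lint_renovate_json(text: str) -> list[str]:
    """Parse a renovate.json body and lint it."""
    return lint_renovate_config(json.loads(text))


# Constructed samples. OLD_CONFIG mirrors what the review says was replaced
# (config:base plus repo-level PR limits; the numbers are invented).
# NEW_CONFIG is the shape the PR describes: one extends entry pinned to v1.0.1.
OLD_CONFIG = """{
  "extends": ["config:base"],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2
}"""

NEW_CONFIG = """{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>trufflesecurity/.github:renovate-config#v1.0.1"]
}"""

# Hypothetical drift: floating ref plus a local rule that automerges minors.
DRIFTED_CONFIG = """{
  "extends": ["github>trufflesecurity/.github:renovate-config#main"],
  "packageRules": [{"matchUpdateTypes": ["minor"], "automerge": true}]
}"""

if __name__ == "__main__":
    for name, text in [("old", OLD_CONFIG), ("new", NEW_CONFIG), ("drifted", DRIFTED_CONFIG)]:
        print(name, lint_renovate_json(text) or "ok")
```

Run as a pre-merge check (for example against the file in a PR) it reports nothing for the config this PR introduces, and flags both the old shape and a floating `#main` ref with a local automerge rule. Note that the lint only covers what the repo-local file says; as the PR description notes, whether automerge actually fires also depends on the GitHub ruleset bypass for Renovate, which this check cannot see.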

Adopts the org-wide shared Renovate preset pinned to v1.0.1.
High-risk repos do not automerge regular dependency updates --
only security/CVE fixes and lockfile maintenance automerge
(via the shared preset). All other updates require human review.

Part of the org-wide Dependency Strategy Unification (Step 3b).

Co-authored-by: Cursor <cursoragent@cursor.com>
@bryanbeverly bryanbeverly requested a review from a team May 28, 2026 23:00
@bryanbeverly bryanbeverly requested a review from a team as a code owner May 28, 2026 23:00
