
ci(renovate): add scheduled Renovate workflow#460

Merged
OisinKyne merged 4 commits into main from chore/add-renovate-workflow on May 11, 2026

Conversation

@bussyjd
Collaborator

@bussyjd bussyjd commented May 11, 2026

Summary

  • Adds .github/workflows/renovate.yml — hourly scheduled Renovate run plus a workflow_dispatch trigger with a dry_run input
  • This workflow was originally introduced in the integration branch behind Review of my sell agent work so far #455 but dropped during the squash merge to main. The existing renovate.json config currently has no runner without it

Test plan

  • Confirmed via gh api repos/.../actions/secrets: RENOVATE_TOKEN is NOT yet configured. Repo has only ANTHROPIC_API_KEY, GOOGLE_API_KEY, HOODI_FUNDER_PRIVATE_KEY. See comment thread — needs either a PAT secret added before merge, or a swap to GITHUB_TOKEN + pull-requests: write permission
  • Once secret resolved + merged, trigger via Actions → Renovate → Run workflow with dry_run=true and verify the run completes without opening PRs
  • Confirm the next hourly schedule fires and Renovate processes the existing renovate.json managers (frontend tag, gateway API version, image pins)

Adds an hourly scheduled Renovate workflow plus manual workflow_dispatch
trigger. This workflow was introduced in the integration branch behind
PR #455 but dropped during the squash merge to main; the existing
renovate.json config has no runner without it.

Requires the RENOVATE_TOKEN secret to be configured on the repository.
@OisinKyne
Contributor

OisinKyne commented May 11, 2026

please confirm whether dropping the workflow file from #455 was intentional (e.g. you're relying on the hosted Mend Renovate GitHub App).

No, deleting renovate maybe wasn't intentional? I see no deletions in that PR? it adds a renovate file? but maybe we're supposed to use github built in renovate not a third party renovate bot, idk. I just wanted pr bumps for more version checking.

https://github.com/ObolNetwork/obol-stack/pull/455/changes#diff-2f2dcee4f3f279ea8d2f4cd0235f2ab917d8cf1d8e11f4f195a3816afe79af26R1

@bussyjd
Collaborator Author

bussyjd commented May 11, 2026

Quick clarification on the timeline so this isn't ambiguous:

So this PR re-adds what got lost during the squash, nothing more. Independent of the hosted-vs-self-hosted question — renovate.json config currently has nothing to actually run it because no Renovate Action lives in .github/workflows/. If we later prefer the Mend GitHub App route, we can swap by uninstalling this workflow and installing the App; the config file stays the same.

If you're happy, I'll merge once #460 has a tick.

@bussyjd
Collaborator Author

bussyjd commented May 11, 2026

Heads-up from running through the test plan: RENOVATE_TOKEN does not currently exist in the repo's Actions secrets (only ANTHROPIC_API_KEY, GOOGLE_API_KEY, HOODI_FUNDER_PRIVATE_KEY). The workflow as written will fail on first run.

Two options:

  1. Add the secret before merging. Renovate's Action wants a PAT with repo + workflow scopes, or a fine-grained PAT scoped to this repo with Contents: write, Pull requests: write, Actions: read. Generate one under a dedicated service identity and add it as RENOVATE_TOKEN.
  2. Drop the secret reference and use GITHUB_TOKEN. Works fine for opening PRs in the same repo; the only catch is PRs opened by GITHUB_TOKEN don't trigger other workflows on the resulting PRs (so CI wouldn't auto-run on Renovate PRs unless you swap in a PAT for that purpose).

Happy to push option 2 onto this branch if you'd prefer to avoid the secret management overhead.
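Option 2 written out as a complete workflow, added here as an illustration rather than the file from this PR or the obol-stack repo: the PAT reference is replaced by the workflow-scoped `GITHUB_TOKEN`, the three write permissions the comment lists are granted explicitly, and the `dry_run` dispatch input is mapped onto Renovate's `RENOVATE_DRY_RUN` setting. The action version pin, the concurrency group and the bot identity values are assumptions.

```yaml
# .github/workflows/renovate.yml (added example; the merged file may differ)
name: Renovate

on:
  schedule:
    - cron: "0 * * * *"          # hourly, as described in the PR summary
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Run Renovate without opening or updating PRs"
        type: boolean
        default: false

# Least privilege at the workflow level: anything not listed is denied.
permissions:
  contents: write        # create and push the renovate/* branches
  pull-requests: write   # open and update the dependency PRs
  issues: write          # maintain the Dependency Dashboard / onboarding issue

# Keep an hourly run from overlapping a slow manual run (assumed group name).
concurrency:
  group: renovate-${{ github.repository }}
  cancel-in-progress: false

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # Only set RENOVATE_DRY_RUN when the manual input asks for it; leaving it
      # unset keeps the scheduled runs live. Scheduled events have no inputs.
      - name: Enable dry run when requested
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run }}
        run: echo "RENOVATE_DRY_RUN=full" >> "$GITHUB_ENV"

      - name: Run Renovate
        # Version tag is an assumption; pinning to a full commit SHA is the
        # stronger supply-chain control for a job that holds write permissions.
        uses: renovatebot/github-action@v41.0.0
        with:
          # Previously `secrets.RENOVATE_TOKEN`, a PAT that was never created;
          # the job-scoped token needs no minting or rotation.
          token: ${{ secrets.GITHUB_TOKEN }}
        env:
          # Self-hosted Renovate must be told which repo to process; the repo's
          # own renovate.json is still read for managers and update rules.
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          RENOVATE_PLATFORM: github
          # Identity values are assumptions: GITHUB_TOKEN is an installation
          # token, so give Renovate a username/author instead of letting it
          # look itself up.
          RENOVATE_USERNAME: github-actions[bot]
          RENOVATE_GIT_AUTHOR: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
          LOG_LEVEL: info
```

The caveat from the comment still applies: PRs created with `GITHUB_TOKEN` do not trigger other workflows, so CI will not run on Renovate's PRs until a person pushes to or reopens them.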

@OisinKyne
Contributor

push option 2?

OisinKyne and others added 2 commits May 11, 2026 13:24
Per review feedback. The repo doesn't currently have a RENOVATE_TOKEN
secret configured; switching to the workflow-scoped GITHUB_TOKEN avoids
the need to mint and rotate a personal access token.

Adds an explicit permissions block so the workflow can:
- write contents: create the renovate/* branches it commits updates to
- write pull-requests: open the PRs themselves
- write issues: maintain Renovate's onboarding/dependency-dashboard issue

Trade-off vs a PAT: PRs opened by GITHUB_TOKEN do not trigger downstream
workflows (so CI checks won't auto-run on Renovate's PRs). If we later
want CI on Renovate PRs we can swap back to a fine-grained PAT.
@bussyjd
Collaborator Author

bussyjd commented May 11, 2026

Pushed option 2 in f6852ec: swapped to secrets.GITHUB_TOKEN and added an explicit permissions block (contents: write for the renovate/* branches, pull-requests: write for opening PRs, issues: write for the Dependency Dashboard / onboarding issue).

Trade-off worth flagging: GitHub does not run downstream workflows on PRs opened by GITHUB_TOKEN. So Renovate's PRs won't auto-trigger lint-test etc. until someone closes/reopens them or pushes a commit. If that becomes annoying we can revisit with a fine-grained PAT later.

Signed-off-by: Oisín Kyne <4981644+OisinKyne@users.noreply.github.com>
@OisinKyne OisinKyne merged commit b13254e into main May 11, 2026
6 checks passed
@OisinKyne OisinKyne deleted the chore/add-renovate-workflow branch May 11, 2026 12:33