
Add shared Renovate config preset #10

Open

bryanbeverly wants to merge 1 commit into main from add-shared-renovate-config



@bryanbeverly (Contributor) commented May 22, 2026

Summary

  • Adds renovate-config.json as the org-wide shared Renovate preset
  • Individual repos will adopt this via "extends": ["github>trufflesecurity/.github:renovate-config"] (low-risk, track latest) or "extends": ["github>trufflesecurity/.github:renovate-config#v1.0.0"] (high-risk, pinned)
  • This PR has no behavioral impact on any repo until repos update their own renovate.json to extend this preset

What's in the preset

  • config:recommended + helpers:pinGitHubActionDigests + :pinDevDependencies + :configMigration + abandonments:recommended
  • Weekly schedule: before 6am on monday (UTC) for non-security updates
  • 3-day minimumReleaseAge for all ecosystems (security CVEs bypass automatically)
  • gomodTidy for clean go.sum files
  • Vulnerability alerts: automerge after CI, bypass delay and schedule
  • Lock file maintenance: weekly, automerged
  • Grouped GitHub Actions PRs
  • prConcurrentLimit: 5, prHourlyLimit: 3

Context

Part of the Dependency Strategy Unification plan (Step 1). After merge, this will be tagged v1.0.0.

Test plan

  • Verify JSON is valid (renovate-config-validator or Renovate dry run)
  • Confirm no existing repo behavior changes (no repo extends this yet)
  • After merge, tag as v1.0.0

Made with Cursor
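A renovate-config.json that realizes the settings listed under "What's in the preset" above, added here as an example for readers; it is not the file from this PR or from the trufflesecurity/.github repository. The presets in `extends` and the numeric limits are the ones the PR lists; the `$schema` line, the `description` strings, the explicit "at any time" schedule for vulnerability alerts and the "GitHub Actions" group name are assumptions.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": [
    "Added example reconstructing the preset described in PR #10; not the merged file.",
    "Adopting repos reference this with extends: github>trufflesecurity/.github:renovate-config (or #v1.0.0 to pin).",
    "Non-security updates are batched weekly and wait 3 days after release; vulnerability fixes are not held by either."
  ],
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests",
    ":pinDevDependencies",
    ":configMigration",
    "abandonments:recommended"
  ],
  "timezone": "UTC",
  "schedule": ["before 6am on monday"],
  "minimumReleaseAge": "3 days",
  "postUpdateOptions": ["gomodTidy"],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 3,
  "vulnerabilityAlerts": {
    "description": "Assumption: schedule opened explicitly; Renovate's vulnerabilityAlerts defaults already drop the release-age wait. Automerge still waits for passing status checks.",
    "automerge": true,
    "schedule": ["at any time"]
  },
  "lockFileMaintenance": {
    "description": "Weekly lock file refresh on the same window as other updates, merged automatically once CI passes.",
    "enabled": true,
    "automerge": true,
    "schedule": ["before 6am on monday"]
  },
  "packageRules": [
    {
      "description": "Assumed group name: one PR for all GitHub Actions updates instead of one per action.",
      "matchManagers": ["github-actions"],
      "groupName": "GitHub Actions"
    }
  ]
}
```

Running renovate-config-validator against this file, as the PR's test plan suggests, checks key names and value types but not the policy itself, so review the schedule and automerge settings by hand before tagging a release that other repos pin to.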


Note: Low Risk
Adds a new shared Renovate configuration file but does not change runtime code paths; impact is limited to how dependency update PRs will be generated once adopted by other repos.

Overview
Introduces an org-wide renovate-config.json preset that standardizes Renovate behavior: weekly scheduled dependency updates (UTC), 3-day release age delay, PR rate limits, and gomodTidy post-update.

Configures security/vulnerability alerts and lockfile maintenance to automerge, and groups GitHub Actions updates into a single PR while pinning action digests and dev dependencies.

Reviewed by Cursor Bugbot for commit 0df893a. Bugbot is set up for automated code reviews on this repo.

Provides a single source of truth for dependency update policy across all
trufflesecurity repos. Individual repos adopt this via a one-liner extends
in their renovate.json. See the Dependency Strategy Unification plan for
full context.

Co-authored-by: Cursor <cursoragent@cursor.com>
@bryanbeverly bryanbeverly requested a review from a team May 22, 2026 20:17