Closes DEVOPS-970

Summary

• Onboard Renovate for this TypeScript/npm library starting from the loft-sh baseline (config:recommended + :semanticCommits + digest-pinned GitHub Actions, weekly schedule, dependencies/security labels, 3-day release stabilization).
• Tailor npm handling: 7-day stabilization, grouped non-major updates, majors individually; keep internal loft-sh packages and the exact-pinned peer contract under manual control.
• Add the reusable validate-renovate CI caller so future config edits are checked on every PR.

Coverage

Extract dry-run manager stats: npm 1 file / 32 deps, github-actions 1 file / 1 dep.

Deliberately not managed

• @loft-enterprise/client, @loft-enterprise/icons, @loft-enterprise/primitives (enabled: false): internal loft-sh packages whose versions are coordinated by hand across the UI repos that consume this library (loft-enterprise, hosted-platform). @loft-enterprise/icons is an unpinnable "*" wildcard, and @loft-enterprise/primitives is this repo's own published package name (consumed by loft-enterprise and hosted-platform UIs), so Renovate must never touch it.
• framer-motion and tailwindcss peerDependencies (enabled: false): exact-pinned (framer-motion 9.0.1, tailwindcss 3.4.0) to match the loft-enterprise consumer's exact versions. Bumping them here would desync the peer contract from the consumer; they are bumped manually in lockstep with loft-enterprise.
• tailwind-merge (no action needed): imported in clsx/index.ts but not declared in package.json, so there is no manifest entry for Renovate to manage. Flagged as a pre-existing missing dependency declaration, out of scope for this PR.

No Dockerfiles, lockfile, .nvmrc/engines/setup-node, .tool-versions, or other out-of-band version pins exist, so no custom regex managers were needed. No .github/dependabot.yml existed to remove.

Test plan

• renovate-config-validator renovate.json -> "Config validated successfully against 1 file(s)".
• No custom regex managers (customManagers: []), so no regex match-count verification required.
• LOG_LEVEL=debug renovate --platform=local --dry-run=extract -> managers npm (1 file, 32 deps) and github-actions (1 file, 1 dep); the 4 peer/internal deps extract but are correctly suppressed from PRs by the disable rules, leaving 27 @radix-ui/* + react-select as the managed update surface.
• actionlint on the new workflow: 0 findings. zizmor on the new workflow: 0 findings.

Post-merge checklist

• RENOVATE_GITHUB_TOKEN available to the Renovate runner if private module/registry access is needed (none required by this config today).
• Dependency Dashboard issue appears and the first run resolves all managers.
• Existing GitHub security alerts start getting security-labeled PRs.