chore(renovate): pin action to v40.3.0, fix inputs per spec

.github/workflows/dual-approval.yaml

@@ -1,20 +0,0 @@
-name: Promotion Gate
-
-# Calls the shared promotion gate workflow.
-# dev PRs: no gate (engineer self-merges).
-# uat PRs: QA approval required.
-# main PRs: UAT approval required (uat→main promotions).
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-  pull_request:
-    branches: [uat, main]
-    types: [opened, reopened, synchronize]
-
-jobs:
-  promotion-gate:
-    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    secrets: inherit
-    with:
-      pr_number: ${{ github.event.pull_request.number }}

.github/workflows/renovate.yml

@@ -0,0 +1,14 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: renovatebot/github-action@v40.3.0
+        with:
+          configurationFile: renovate.json
+          renovate-json5: true

audit-ci.jsonc

@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}