feat: add major-version update rules for GitHub Actions and npm

Adds explicit packageRules for major version bumps on both github-actions
and npm managers. Previously only minor/patch updates were configured,
requiring manual audits when major versions shipped (e.g. PRI-802 where
actions/setup-node v4→v6 had to be found and fixed by hand).

With these rules, Renovate will surface major bumps as PRs automatically.
automerge is false for both — major updates go through the normal
dual-approval workflow.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

renovate-config.json

@@ -11,10 +11,22 @@
       "matchUpdateTypes": ["minor", "patch"],
       "groupName": "npm minor and patch"
     },
+    {
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "npm major updates",
+      "automerge": false
+    },
     {
       "matchManagers": ["github-actions"],
       "matchUpdateTypes": ["minor", "patch"],
       "groupName": "github-actions minor and patch"
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "github-actions major updates",
+      "automerge": false
     }
   ]
 }