Add Renovate GitHub Actions workflow

Adds .github/workflows/renovate.yaml — scheduled Renovate run every Saturday at 02:00 UTC using create-github-app-token with RELEASE_APP_ID/RELEASE_APP_PRIVATE_KEY. Runs renovatebot/github-action@v41.0.0 with autodiscover and renovate-config.json. Includes workflow_dispatch for manual triggering.

Pipeline B infrastructure change reviewed by CTO and QA (Regression Regina).

.github/workflows/renovate.yaml

@@ -0,0 +1,30 @@
+name: Renovate
+
+on:
+  schedule:
+    - cron: '0 2 * * 6'  # Saturday 2:00 UTC — aligns with "every weekend" in renovate-config.json
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: runners-privilegedescalation
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: privilegedescalation
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v41.0.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          configurationFile: renovate-config.json
+        env:
+          LOG_LEVEL: debug
+          RENOVATE_AUTODISCOVER: "true"