Enable Renovate via self-hosted GitHub App

[rh-hemartin]

Summary

Renovate is not running on this repository. Dependency updates are not being tracked or proposed automatically.

Changes

• Create a dedicated GitHub App (fullsend-renovate) with the required permissions (contents, PRs, issues, checks, statuses, workflows write; metadata and vulnerability_alerts read), matching the approach used by kubearchive/kubearchive
• Add .github/workflows/renovate.yml — runs self-hosted Renovate twice daily via renovatebot/github-action, authenticates with the GitHub App token via actions/create-github-app-token
• Add RENOVATE_APP_ID variable and RENOVATE_PRIVATE_KEY secret to the repo
• Update renovate.json — add gomodTidy post-update and prHourlyLimit: 1

Why

• Automated dependency PRs catch security patches and version bumps without manual tracking
• GitHub App auth avoids PAT rotation and scoping issues
• Mirrors the proven setup in kubearchive/kubearchive

[fullsend-ai-triage]

🤖 Finished Triage · ✅ Success · Started 8:19 AM UTC · Completed 8:21 AM UTC
Commit: 4e21a60 · View workflow run →

[fullsend-ai-triage]

Triage Summary

This is a well-scoped feature request to enable automated dependency updates via a self-hosted Renovate GitHub App.

Problem: The repository has a renovate.json config (including a custom manager for OpenShell version tracking) but no workflow or GitHub App to actually run Renovate. Dependencies are not being tracked automatically.

Proposed implementation (from the issue):

1. Create a fullsend-renovate GitHub App with required permissions
2. Add .github/workflows/renovate.yml using renovatebot/github-action with twice-daily runs
3. Configure RENOVATE_APP_ID variable and RENOVATE_PRIVATE_KEY secret
4. Update renovate.json with gomodTidy post-update and prHourlyLimit: 1

Related issues: #336 (dependency bot PR triage automation) and #691 (Renovate auto-merge with merge queues) are downstream — they address how to handle Renovate PRs once they exist. Enabling Renovate is a prerequisite for those issues to become actionable.

Proposed test case:

1. Verify renovate.yml workflow runs on schedule without errors
2. Confirm Renovate creates dependency update PRs
3. Validate gomodTidy runs as post-update command
4. Check prHourlyLimit of 1 is respected
5. Edge case: verify existing custom manager for OpenShell
   version tracking in openshell-version.sh still works

---

Labels: Feature request for CI/infrastructure tooling — type/feature for classification and component/ci for the workflow and GitHub App setup.