ci: adopt self-hosted Renovate, delete dependabot.yml (Phase 6)

Phase 6 of the scenario-regression smoke-pack tech-spec. Adopts self-hosted
Renovate via renovatebot/github-action and retires Dependabot per ADR-2.

What ships:
- renovate.json with:
  - osvVulnerabilityAlerts: true (CVE-aware updates)
  - dependencyDashboard: true (the dashboard issue is Renovate's state
    record between runs; without it Renovate re-resolves every dep every
    invocation and may double-open PRs)
  - 6 group rules from the spec's pinning-strategy table:
    * scenario-{packageName} for own GHCR images (per-image immediate)
    * upstream-{packageName} for tika / paperless-ngx / gotenberg (weekly)
    * npm-dev, npm-prod (weekly, separate)
    * composer (weekly)
    * github-actions (weekly + pinDigests=true)
    * security-priority (ungrouped, immediate, via vulnerabilityAlerts)
  - customManagers regex matching the GHCR / docker.io pins introduced in
    Phase 5: (ghcr.io|docker.io)/repo:tag@sha256:digest. Renovate's
    built-in docker manager doesn't cover ecs.ContainerImage.fromRegistry()
    string literals; this custom manager does.
- .github/workflows/renovate.yml:
  - twice daily (06:00, 18:00 UTC) + workflow_dispatch
  - renovatebot/github-action pinned by digest (v46.1.14 ->
    693b9ef15eec82123529a37c782242f091365961). Renovate's own
    github-actions packageRule keeps this current via pinDigests.
  - Uses RENOVATE_TOKEN (fine-grained PAT, repo:read+write on this repo
    only). Minted by operator per the runbook's Operational Notes.
- .github/dependabot.yml deleted. The 7 ecosystem groups from dependabot
  map onto the 6 Renovate groups (composer + drupal-core / contrib /
  localgov merged into single composer group; npm split into dev+prod
  by depType; pip routed to its own group; docker absorbed into custom
  managers + upstream group; github-actions ported verbatim).

Operator follow-ups (NOT in this PR):
- T6.3 mint RENOVATE_TOKEN and add as repo secret
- T6.5 close in-flight Dependabot PRs (preferred: merge the safe ones first)
- T6.6 verify Renovate fires post-merge - workflow_dispatch then check PR list

DoD per spec: "first Renovate PR has fired AND smoke has gated it" - the
smoke-gating part requires Phase 1b to be complete so the smoke workflow
runs. Until then, Renovate PRs open but the smoke check is a no-op (the
smoke workflow self-disables on placeholder config).

Author: chrisns

.github/dependabot.yml

@@ -0,0 +1,61 @@
+name: Renovate
+
+# Self-hosted Renovate via renovatebot/github-action. Phase 6 of the
+# scenario-regression smoke-pack tech-spec. Replaces .github/dependabot.yml
+# (deleted in this PR per ADR-2) with the unified bot.
+#
+# Cadence: twice daily. The cold-start cost is non-trivial (~2-3 min full
+# scan + per-package resolution) so 4×/day would burn CI minutes without
+# proportional value. workflow_dispatch lets a maintainer trigger ad-hoc.
+#
+# Action pin: digest, not tag. The spec's pinning strategy is "every pin
+# must carry a Renovate-trackable tag alongside the digest." The digest
+# below tracks v46.1.14 of renovatebot/github-action. Renovate's
+# github-actions packageRule (in renovate.json) pinDigests=true keeps
+# this current.
+
+on:
+  schedule:
+    - cron: '0 6,18 * * *'   # 06:00 and 18:00 UTC daily
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level (debug for verbose)'
+        required: false
+        default: 'info'
+        type: choice
+        options:
+          - info
+          - debug
+
+permissions:
+  contents: read
+  # Renovate writes via the PAT (RENOVATE_TOKEN), NOT GITHUB_TOKEN. Keeping
+  # GITHUB_TOKEN's permissions tight prevents accidental scope creep.
+
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961   # v46.1.14
+        with:
+          # Fine-grained PAT scoped repo:read+write on co-cddo/ndx_try_aws_scenarios only.
+          # Minted by the operator per docs/smoke-test-account-setup.md →
+          # Operational Notes → RENOVATE_TOKEN rotation.
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          configurationFile: renovate.json
+        env:
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: '["co-cddo/ndx_try_aws_scenarios"]'
+          # Keep Renovate's onboarding off; renovate.json is the committed config.
+          RENOVATE_ONBOARDING: 'false'
+          RENOVATE_REQUIRE_CONFIG: 'required'

.github/workflows/renovate.yml

@@ -0,0 +1,115 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard",
+    ":semanticCommits"
+  ],
+  "timezone": "Europe/London",
+  "platform": "github",
+  "labels": ["renovate"],
+  "osvVulnerabilityAlerts": true,
+  "vulnerabilityAlerts": {
+    "labels": ["security", "security-priority"],
+    "minimumReleaseAge": null
+  },
+  "rangeStrategy": "bump",
+  "configMigration": true,
+  "ignorePaths": [
+    "**/node_modules/**",
+    "**/cdk.out/**",
+    "**/.aws-sam/**",
+    "**/dist/**",
+    "**/.upstream/**"
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Pin GHCR + docker.io image references in CDK TypeScript and raw CFN templates. Renovate's built-in docker manager does not cover ecs.ContainerImage.fromRegistry() string literals; this manager does.",
+      "fileMatch": [
+        "^cloudformation/scenarios/.*\\.(ts|yaml|yml|json)$"
+      ],
+      "matchStrings": [
+        "(?<depName>(?:ghcr\\.io|docker\\.io)/[a-z0-9._/-]+):(?<currentValue>[a-z0-9.\\-]+)@(?<currentDigest>sha256:[a-f0-9]+)"
+      ],
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    }
+  ],
+  "packageRules": [
+    {
+      "description": "Pin discipline: NEVER replace a digest with a bare tag; updates must carry both.",
+      "matchCustomManagers": ["custom.regex"],
+      "pinDigests": true
+    },
+    {
+      "description": "Own GHCR images — one PR per scenario; immediate when an image bumps. Smoke runs scoped to that scenario give fast feedback.",
+      "groupName": "scenario-{{packageName}}",
+      "matchCustomManagers": ["custom.regex"],
+      "matchPackagePatterns": [
+        "^ghcr\\.io/co-cddo/ndx_try_aws_scenarios-"
+      ],
+      "schedule": ["at any time"]
+    },
+    {
+      "description": "Upstream container deps (tika, paperless-ngx, gotenberg). Weekly grouped per image to keep blast radius small.",
+      "groupName": "upstream-{{packageName}}",
+      "matchCustomManagers": ["custom.regex"],
+      "matchPackagePatterns": [
+        "^docker\\.io/apache/tika",
+        "^docker\\.io/gotenberg/gotenberg",
+        "^ghcr\\.io/paperless-ngx/paperless-ngx"
+      ],
+      "schedule": ["before 09:00 on monday"]
+    },
+    {
+      "description": "npm dev deps — weekly batched. Low-risk; noise control.",
+      "matchManagers": ["npm"],
+      "matchDepTypes": ["devDependencies"],
+      "groupName": "npm-dev",
+      "schedule": ["before 09:00 on monday"]
+    },
+    {
+      "description": "npm prod deps — weekly batched. Higher risk; smoke gates the merge.",
+      "matchManagers": ["npm"],
+      "matchDepTypes": ["dependencies"],
+      "groupName": "npm-prod",
+      "schedule": ["before 09:00 on monday"]
+    },
+    {
+      "description": "Drupal composer deps. Same cadence as npm-prod.",
+      "matchManagers": ["composer"],
+      "groupName": "composer",
+      "schedule": ["before 09:00 on monday"]
+    },
+    {
+      "description": "GitHub Actions — workflow action references. Weekly batched; action bumps rarely break.",
+      "matchManagers": ["github-actions"],
+      "groupName": "github-actions",
+      "schedule": ["before 09:00 on monday"]
+    },
+    {
+      "description": "Pin tag-only docker references in workflow files to digest. Required by the spec's pinning strategy ('every pin must carry a Renovate-trackable tag alongside the digest', conversely actions referenced without digest are not Renovate-trackable).",
+      "matchManagers": ["github-actions"],
+      "pinDigests": true
+    },
+    {
+      "description": "CVE response — never batch. Highest priority; surfaces via osvVulnerabilityAlerts.",
+      "matchPackagePatterns": [".*"],
+      "matchUpdateTypes": ["patch", "minor"],
+      "vulnerabilityAlerts": {
+        "groupName": "security-priority",
+        "schedule": ["at any time"]
+      }
+    },
+    {
+      "description": "Python pip Lambda layer deps — batched weekly with npm-dev cadence.",
+      "matchManagers": ["pip_requirements", "pip-compile"],
+      "groupName": "pip",
+      "schedule": ["before 09:00 on monday"]
+    }
+  ],
+  "prConcurrentLimit": 10,
+  "prHourlyLimit": 4,
+  "branchConcurrentLimit": 20
+}