fix: let renovate regenerate uv lockfiles

[jr200]

Summary

• keep shared workflow ref updates in a dedicated Renovate PR instead of the all-dependencies group
• keep custom regex Python git deps in their own Renovate PR
• skip Renovate's built-in uv artifact updater for those custom regex Python git deps whose packageName is an org/repo slug
• leave the existing plain uv lock post-upgrade task responsible for regenerating uv.lock

Context

A consumer Renovate PR changed pyproject.toml without uv.lock. The Renovate run did try artifact regeneration, but its built-in uv command was invalid:

uv lock --upgrade-package package-a --upgrade-package org/package-repo --upgrade-package package-b
error: invalid value 'org/package-repo' for '--upgrade-package <UPGRADE_PACKAGE>'

That happens because the custom regex manager needs packageName=org/package-repo for GitHub tag lookup, while uv needs the Python package name for --upgrade-package.

The same grouped PR also included the shared workflow ref bump, so the branch-level post-upgrade task that ran was ./scripts/sync-shared; the plain uv lock post-upgrade task did not repair the lockfile.

Upstream Renovate has related open uv artifact issues, including renovatebot/renovate#41626 for improving uv lock --upgrade-package with the exact target version. The closest documented workaround pattern for uv lockfile edge cases is plain uv lock in postUpgradeTasks; see renovatebot/renovate#36121.

Renovate's skipArtifactsUpdate docs note that, in grouped branches, artifact updates are skipped only when every upgrade in the group wants to skip them. This is why the custom git deps are split into their own python-git-deps group here.

Validation

• jq empty default.json renovate.json
• npx --yes --package=renovate@43 -- renovate-config-validator --strict default.json renovate.json