chore: adopt shared conf-renovate preset (v1.2.1)

[gofreight-jackyeh]

Summary

Switches this repo onto the org-shared Renovate preset hardcoretech/conf-renovate pinned at v1.2.1. Part of the fleet rollout following the pilots gf-admin-console#182 (merged) and svc-thor#160.

The local config simplifies to the baseline:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "github>hardcoretech/conf-renovate#v1.2.1",
    ":preserveSemverRanges",
  ],
  labels: ["dependencies"],
}

What was dropped from the previous renovate.json (merge mode)

Dropped	Replaced by
extends: ["config:recommended"]	Preset default.json5 extends config:best-practices (stricter superset).
FIS-17871 GHA-hardening packageRule (pinDigests + minimumReleaseAge: "3 days")	Preset security.json5 (locked). The previous local rule lacked a matchUpdateTypes filter and would silently override the locked major-isolation policy — same blocker the reviewer caught on gf-admin-console#182 round 1.
groupName: "GitHub Actions"	Preset grouping-gha.json5 provides gha-non-major + isolated gha-major.

renovate.json → renovate.json5 rename (old file deleted in same commit; renovate.json has higher Renovate lookup precedence).

What the preset provides (inherited baseline)

• config:best-practices + dependency dashboard.
• SHA-pin GHA + 3-day release-age soak + OSV alerts (locked).
• Per-ecosystem PR grouping with major-update isolation.
• Datastore version pinning (mysql / rabbitmq / valkey on docker+helm).
• Built-in self-bump customManager — the next preset release auto-PRs a bump of #v1.2.1 here without any local config.

Validation gate

Adds the renovate-config-validator pre-commit hook (pinned to renovatebot/pre-commit-hooks@43.150.0) to .pre-commit-config.yaml. The existing CI pipeline already runs pre-commit run, so the same gate executes on PR + push without a new workflow file.

Verification

• renovate-config-validator --strict --no-global renovate.json5 passes locally (Node 24 + renovate@43, LOG_LEVEL=warn, exit 0).
• After merge: Renovate dashboard onboards the new config cleanly.
• First scheduled run produces PRs under preset group names (e.g. gha-non-major, plus ecosystem groups as applicable).
• Next conf-renovate release auto-PRs a bump of #v1.2.1 → #v<next>.

Rollback

Revert this branch — restores renovate.json exactly as it was before.

[gofreight-jackyeh]

Superseded by #66. The previous form (extends: ["github>hardcoretech/conf-renovate#vX.Y.Z"]) doesn't resolve on this public repo because the referenced preset repo isn't reachable from the public-scoped Renovate run. #66 replaces it with a self-contained config that has the same effective policy.