Add self-hosted Renovate Bot for Go version management (#4736)

## Changes

Add Renovate to manage the `go` directive version across all go.mod
files (/, /tools, /bundle/internal/tf/codegen). Dependabot continues to
handle package dependency updates with `go` version ignored to avoid
duplicate PRs.

## Why
We had cases where customers complained about scanners detecting CVEs
due to us not running the latest golang version. This would help us
upgrade proactively.

## Tests
Not tested, will test after merging by triggering that workflow.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: denik

.github/workflows/renovate.yml

@@ -0,0 +1,14 @@
+name: renovate
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

renovate.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "enabledManagers": ["gomod"],
+  "packageRules": [
+    {
+      "matchManagers": ["gomod"],
+      "matchDepTypes": ["require", "indirect", "toolchain"],
+      "enabled": false
+    }
+  ]
+}