Renovate: confirm bot activation + gate automerges on CI signal #188

@lexfrei

Description

.github/renovate.json already declares the bot config (config:recommended preset, gomodTidy + gomodUpdateImportPaths, custom manager for the helm v3 → v4 surface). Two follow-ups before relying on it:

  1. Confirm the Renovate GitHub App is installed on cozystack/talm and is producing dependency PRs on the expected cadence. If it is not active yet, install it; the config file alone does nothing without the app.

  2. Once active, classify the dependency-PR risk tiers and configure automerge accordingly:

    • patch updates of dependencies covered by unit + contract tests — eligible for automerge: true if and only if CI is green.
    • minor updates — manual review, no automerge.
    • major updates (helm v4, talos machinery, kubernetes minor bumps) — manual review with an explicit migration note in the PR body.

  3. Before enabling automerge for any tier, audit the current test surface:

    • Does golangci-lint run --timeout 10m ./... cover all packages? Yes today.
    • Does go test -race ./... cover the apply/upgrade/init handlers under realistic shapes? Phase 1/2A/2B/2C gates and the init overwrite policy do; the talosctl wrappers are a thinner layer.
    • Are there CLI-level integration tests that catch a "library upgrade silently changes default flag" class of regression? Probably need at least a smoke-test workflow (golden-file talm template on a representative nodes/*.yaml) before flipping automerge: true.

  4. Document the policy in CONTRIBUTING.md (or a new docs/renovate.md) so a future maintainer reading a green-CI Renovate PR knows which tier it is and what review level is expected.
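As an added illustration (not the repository's own .github/renovate.json, which is not shown here), the three risk tiers from the description expressed as Renovate packageRules, with the CI gate on the patch tier made explicit. The label names are assumed, and the existing custom manager for the helm v3 → v4 surface is omitted.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"],
  "ignoreTests": false,
  "packageRules": [
    {
      "description": "Tier 1: patch bumps of Go modules, automerged only after every required status check passes",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "labels": ["renovate/tier-1-patch"]
    },
    {
      "description": "Tier 2: minor bumps stay on manual review",
      "matchUpdateTypes": ["minor"],
      "automerge": false,
      "labels": ["renovate/tier-2-minor"]
    },
    {
      "description": "Tier 3: major bumps need an explicit migration note before merge",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["renovate/tier-3-major"],
      "prBodyNotes": ["**Major update: reviewer must add a migration note to this PR before merging.**"]
    }
  ]
}
```

ignoreTests: false is Renovate's default; it is spelled out so a reviewer can see that automerge waits for the branch's status checks rather than merging on open. The tier labels give the maintainer reading a green-CI PR the review level at a glance, which is what item 4 asks to document.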
