ci: implement renovate

[strophy]

Manually updating dependencies is boring, and creates increasing amounts of work as we add support for more plugins. This PR implements Renovate bot to update dependencies. It will be necessary to create a GitHub token named RENOVATE_TOKEN with repo level access to use this bot, as described here.

I have stored configuration metadata in renovate.json, but much of this could be moved into deps.list itself as annotations to each line, describing the type and source of the dependency update (see example here). This would be a bit more DRY, but makes the deps file look quite cluttered.

Since Docker Hub is actually the source of many of our updates, I have moved entire image tags into the deps.list file, to avoid problems such as golang:${GO_VERSION}-alpine${ALPINE_VERSION} being parsed into golang:1.19.3-alpine3.17 when this image does not actually exist yet, because Alpine 3.17 is still very new.

Finally, I have not yet been able to get the bot to support updating the commit hash for GOOGLE_API_VERSION. Issue open with Renovate devs here.

[rvolosatovs]

Nice work, excited to see this in action.
Please squash the fix commit with the parent commit

The quickest way is probably:

git reset HEAD^
git add .github
git commit --amend

You can use git diff to validate that everything is "still there", for example:

git diff upstream/ci/renovate

Assuming this repository is locally tracked as upstream this will give you a diff between what you have locally and the exact state of affairs in this PR

[rvolosatovs]

I added a token for now, but going forward let's switch to an app instead https://github.com/renovatebot/github-action#example-with-github-app

[strophy]

Sure, I'll swap it over to a GitHub App in another PR. Let's see if this config performs well first - you can see examples of the PRs it creates over here: https://github.com/strophy/docker-protobuf/pulls?q=is%3Apr+is%3Aclosed