ci: add renovate config #1

Merged: sydorovdmytro merged 2 commits into main from devops-972/add-renovate-config on Jun 8, 2026
@sydorovdmytro

Contributor

Closes DEVOPS-972

Summary

  • Onboard Renovate for this TypeScript/npm icon library, starting from the loft-sh baseline (config:recommended + :semanticCommits + digest-pinned GitHub Actions, weekly schedule, security alerts bypassing it).
  • The repo's entire dependency surface is npm: a single root package.json with one dependency. No lockfile, workflows, Dockerfiles, or tool-version pins exist, so no custom managers are needed.
  • Add the validate-renovate CI caller workflow so future config edits are validated on every PR.

Coverage

| Surface | Manager |
| --- | --- |
| package.json (root, @ant-design/icons) | built-in npm |
| .github/workflows/validate-renovate.yaml (added here) | built-in github-actions (digest pinning) |

npm rules applied: 7-day minimumReleaseAge for all JS deps, and npm-non-major grouping for minor+patch. Majors flow individually under the default weekly schedule.

Deliberately not managed

Nothing is deliberately disabled. The repo has no out-of-band version pins:

  • No lockfile committed (yarn/npm/pnpm) — npm manager works from package.json alone.
  • No .github/workflows other than the one added here, no Dockerfiles, no .nvmrc / .tool-versions / engines / packageManager / workspaces.
  • No .github/dependabot.yml to remove.
  • The loft-enterprise package pins (React, react-router-dom, ESLint) were intentionally NOT copied — none of those packages exist in this repo.

Test plan

  • renovate-config-validator renovate.json → "Config validated successfully against 1 file(s)".
  • No custom regex managers, so no regex match-count verification was required.
  • renovate --platform=local --dry-run=extract manager stats: {"github-actions": 7, "npm": 8, ...}; extracted npm 1 file / 1 dep (@ant-design/icons@5.3.7) and the github-actions workflow dep. Both inventoried ecosystems covered.
  • actionlint on the workflow → 0 findings. zizmor → no findings (the 1 suppressed item is the pinned-SHA exemption from the trailing tag comment).

Post-merge checklist

  • Dependency Dashboard issue appears and the first run resolves all managers.
  • Existing GitHub security alerts start getting security-labeled PRs.
  • RENOVATE_GITHUB_TOKEN available to the Renovate runner if private modules are ever added (not needed today — the only dep is public).

@sydorovdmytro sydorovdmytro merged commit c31f5cc into main Jun 8, 2026
1 check passed
@sydorovdmytro sydorovdmytro deleted the devops-972/add-renovate-config branch June 8, 2026 13:11
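
The PR description above names three supply-chain safeguards: digest-pinned GitHub Actions, a 7-day minimumReleaseAge for npm, and npm-non-major grouping. The following is an added example, not code from this PR or from the loft-sh baseline: a small audit that checks a Renovate config object for those settings. The sample config, the `auditRenovateConfig`, `ageInDays` and `appliesTo` names, and the schedule string are constructed for illustration, and the audit assumes the settings are written inline rather than inherited from a shared preset.

```javascript
// Constructed sample, NOT the renovate.json from this PR (the page does not show it).
const sampleConfig = {
  extends: ["config:recommended", ":semanticCommits", "helpers:pinGitHubActionDigests"],
  schedule: ["before 6am on monday"], // assumed weekly window
  packageRules: [
    { matchManagers: ["npm"], minimumReleaseAge: "7 days" },
    { matchManagers: ["npm"], matchUpdateTypes: ["minor", "patch"], groupName: "npm-non-major" },
  ],
};

// Parse simple age strings ("7 days", "36 hours", "1 week") into days; NaN otherwise.
function ageInDays(value) {
  const m = /^(\d+)\s*(hour|day|week)s?$/i.exec(String(value ?? "").trim());
  if (!m) return NaN;
  const hours = { hour: 1, day: 24, week: 168 };
  return (Number(m[1]) * hours[m[2].toLowerCase()]) / 24;
}

// A rule applies to a manager when it has no manager matcher or lists that manager.
const appliesTo = (rule, manager) =>
  !rule.matchManagers || rule.matchManagers.includes(manager);

// Returns a list of findings; an empty list means all three safeguards are present.
function auditRenovateConfig(cfg, minDays = 7) {
  const findings = [];
  const rules = cfg.packageRules ?? [];

  // 1. GitHub Actions pinned to commit digests, via the preset or an explicit rule.
  const pinned = (cfg.extends ?? []).includes("helpers:pinGitHubActionDigests") ||
    rules.some((r) => r.pinDigests === true && appliesTo(r, "github-actions"));
  if (!pinned) findings.push("github-actions: digest pinning not enabled");

  // 2. npm cooldown: some setting must reach minDays and none may undercut it.
  const ages = [cfg, ...rules.filter((r) => appliesTo(r, "npm"))]
    .filter((r) => r.minimumReleaseAge !== undefined)
    .map((r) => ageInDays(r.minimumReleaseAge));
  if (!ages.some((d) => d >= minDays)) {
    findings.push(`npm: no minimumReleaseAge of at least ${minDays} days`);
  } else if (ages.some((d) => !(d >= minDays))) {
    findings.push("npm: a rule sets a shorter or unparseable minimumReleaseAge");
  }

  // 3. Minor and patch updates grouped into one PR for npm.
  const grouped = rules.some((r) => appliesTo(r, "npm") && r.groupName &&
    ["minor", "patch"].every((t) => (r.matchUpdateTypes ?? []).includes(t)));
  if (!grouped) findings.push("npm: minor+patch updates are not grouped");
  return findings;
}
```

The second check also flags a per-package rule that shortens the cooldown, which is the way this kind of safeguard usually erodes after onboarding.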