chore: expand dependency automation for version bumps and SHA pinning

[Copilot]

Summary

This PR tightens dependency automation to cover version bumps and GitHub Actions SHA pinning consistently across the repo. It removes overlapping config and scopes both Renovate and Dependabot to the dependency surfaces that actually exist.

• Renovate consolidation

  • Removed duplicate .github/renovate.json and centralized policy in root renovate.json.
  • Enabled managers for github-actions, gomod, and regex.
  • Added regex managers to track workflow Hugo versions in both forms used in this repo.

• SHA pinning + update behavior

  • Enforced digest pinning behavior for GitHub Actions updates (pinDigests).
  • Kept dependency PR flow bounded via concurrency/hourly limits and dependency labeling.

• Dependabot alignment

  • Kept active ecosystems: github-actions, gomod.
  • Removed unused ecosystems (pip, gitsubmodule) since no matching manifests are present.

{
  "matchManagers": ["github-actions"],
  "groupName": "github actions",
  "pinDigests": true
}

Type of change

• chore — maintenance (dependencies, config, CI/CD)

PR title and commit types must follow these standards — view the contributing guide

Checklist

• PR title follows the commit convention (e.g. fix: correct nmcli command in eduroam guide)
• Both EN and NL versions updated (if applicable)
• Media is in AVIF format (not PNG/JPG)
• No broken image references (/images/*.avif all exist in static/images/)
• Tested locally with hugo server