Setup renovate for updating dependencies

[AlexWaygood]

This PR sets up a renovate configuration file for updating dependencies. It is a competing PR to #11564.

The proposed configuration:

• Checks daily for new versions of pyright, pytype, and flake8-pyi
• Checks quarterly for new versions of all other pip dependencies (except for mypy), and groups them into a single PR
• Checks quarterly for new versions of all GitHub Actions, and groups them into a single PR

The advantages of renovate over dependabot are:

• It's extremely configurable. That means we can keep our pyright pin in pyproject.toml by defining a custom "manager" that uses a regex to grab the pyright version from our pyproject.toml file and check to see if it needs updates.
• We can set a quarterly schedule for GitHub Actions rather than a monthly schedule

The disadvantages of renovate over dependabot are:

• It's extremely configurable. That means it's easier to get the configuration wrong, and there's more complexity to wade through when navigating their docs.
• We'd need to authorise renovate's Github.com app to have access to this repository. Possibly that might require an admin for the python organisation rather than just an admin for typeshed? (I am neither, so don't really know.)

Fixes #11484
Closes #11491
Closes #11564

[AlexWaygood]

I use renovate over at typeshed-stats, FWIW, and I've been reasonably happy with it. Here's an example PR:

• Update github-actions AlexWaygood/typeshed-stats#181

[jakebailey]

• We'd need to authorise renovate's Github.com app to have access to this repository. Possibly that might require an admin for the python organisation rather than just an admin for typeshed? (I am neither, so don't really know.)

IIRC someone does need to add it to the org, but the app can be installed with only perms for one repo.

Maybe one day dependabot will get this... dependabot/dependabot-core#2483 (comment)

[JelleZijlstra]

I pushed some buttons but it doesn't seem like I have access to authorize the app here either; we'll probably have to ping Łukasz to do it.

[AlexWaygood]

I pushed some buttons but it doesn't seem like I have access to authorize the app here either; we'll probably have to ping Łukasz to do it.

Well, let's decide amongst ourselves whether this is a solution we like before we ping him 😄

[AlexWaygood]

The PR now also configures renovate to update our pre-commit config file, and removes our existing checks that make sure our requirements-tests.txt file is consistent with our pre-commit config; those checks are no longer necessary. This means we can also remove pyyaml and types-pyyaml as test dependencies 🎉

I looked into switching off pre-commit autoupdate PRs altogether, but it seems that's not possible (pre-commit-ci/issues#83). So it's possible we'll get PRs from both renovate and pre-commit on the first day of each quarter, if we go with this. I think we can live with that, though, personally.

[srittau]

LGTM