chore: reduce renovate updates noise

[sheerlox]

Description

in order to reduce the noise Renovate generates, this PR introduces the following changes:

• Renovate Bot: enable branch automerge (PRs won't be raised unless tests fail) for dev dependencies (minor & patch) & lock file maintenance
• configure the "Test" workflow to run on Renovate branches
• add a new "required_check" job in the "Test" workflow to simplify requiring status checks in branch protection
• add npm audit signatures to "Test" & "Release" workflows
• remove the npm run release script and use directly npx semantic-release in the "Release" workflow
• add a 5-minute test timeout to the "Test" workflow (to force us to keep a somewhat short feedback loop)

Motivation and Context

Renovate raises a lot of PRs, but most of them can be auto-merged if the tests are passing. this is already the current setup, but this PR pushes this further by configuring Renovate to not raise PRs if the update is configured for automerge.

I've been setting this up for the @insurgent-lab organization, and this PR is a reflection of the changes made there (see https://github.com/insurgent-lab/.github/commit/a1dac39ca49d89caf055f6ac808e03b191d292fd and https://github.com/insurgent-lab/conventional-changelog-preset/commit/e08b793c795520c98aebf2dd0c0be22fb18a0893).

TODO before merging

this new setup requires a different branch protection approach (to allow the Renovate bot to merge branches without going through the PR process), which is based on the new GitHub "Rulesets" feature:

• [x] go to the repository's rulesets settings and import these two rulesets files (which are the almost-exact equivalent to the current branch protection settings we previously setup in https://github.com/kelektiv/node-cron/pull/673, with the added "Renovate" bypass authorization).
  • [x] make sure the Bypass List for the "(no bypass)" ruleset is empty
  • [x] make sure the Bypass List for the "(bypass)" ruleset only contains "Repository admin - Role" & "Renovate - App"
  • [x] make sure the "Require status checks to pass before merging" > "Additional settings" > "Status checks that are required" only contains the test / required_check check
• [x] only once all the above are checked: go to the repository's branch protection settings and delete the branch protection for main.

since repository administrators are allowed to update the default branch (main) in the "(bypass)" ruleset, semantic-release will still be able to do its job since it's using a GitHub PAT from Nick.

side note: this TODO also prepares us to restrict the rights we give to semantic-release in the future. it currently isn't possible to run semantic-release as a GitHub app, but I know from exchanging with one of the organization's maintainers that fixing the security concerns introduced by the need for a GitHub PAT is very important to them.

[sheerlox]

rebased branch against main to resolve conflicts

[sheerlox]

@intcreator since I have no access to the repository settings, could you please go through the TODO to configure the new branch protection settings before we can merge this? :smile:

[intcreator]

done!

[ncb000gt]

:tada: This PR is included in version 3.1.7 :tada:

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot :package::rocket: