ci: add Gitea Actions CI and Renovate coverage

CI workflow gates on nixfmt formatting and evaluates all three host toplevels (aarch64 evaluates without emulation; no full builds in CI).

renovate.json enables the nix manager and weekly lockFileMaintenance for flake.lock, plus grouped github-actions updates (Renovate matches .gitea/workflows). A self-hosted Renovate workflow runs it on Gitea, since Gitea has no built-in Renovate; it needs a RENOVATE_TOKEN secret.

.gitea/workflows/renovate.yaml

@@ -0,0 +1,31 @@
+# Self-hosted Renovate. Gitea has no built-in Renovate, so it runs here on a
+# schedule (and on demand). Requires a repo/org secret RENOVATE_TOKEN holding a
+# Gitea PAT with read/write on this repository and read on packages.
+# If a central Renovate bot already autodiscovers this repo, delete this file;
+# renovate.json alone is enough to configure it.
+name: Renovate
+
+on:
+  schedule:
+    - cron: "0 4 * * 1" # Mondays 04:00 UTC
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v40.3.6
+        with:
+          configurationFile: renovate.json
+          token: ${{ secrets.RENOVATE_TOKEN }}
+        env:
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: ${{ env.GITHUB_SERVER_URL }}/api/v1
+          RENOVATE_AUTODISCOVER: "false"
+          RENOVATE_REPOSITORIES: ${{ github.repository }}
+          RENOVATE_GIT_AUTHOR: "Renovate Bot <renovate@lyrathorpe.dev>"
+          LOG_LEVEL: info