
Set up automatic PRs to bump dependencies

Open leonm1 opened this issue 5 months ago • 0 comments

Our manual dependency management is a security risk and a maintenance burden.

  1. [ ] Configure RenovateBot (compatible with Bazel WORKSPACE files) for this repository to automatically create PRs for dependency updates.

  2. [ ] Review all dependency URLs to ensure they use stable, versioned links that are compatible with Renovate's automated parsing.

  3. [ ] Address the OpenSSF Scorecard findings in #425

Notably, I do not think we should create a rotation for dependency management. It is better for two people to have strong ownership than to delegate to a rotation which does not have strong incentive to prioritize dependency management.

We will need some way to manage dependencies which do not use tags for versioning.

leonm1 · Jul 18 '25 19:07
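Step 2 of the checklist (review every dependency URL for a stable, versioned, integrity-pinned form) and the closing note about dependencies without tags are the kind of review that is easy to script. The following is an added example, not code from proxy-wasm-cpp-host or from Renovate: a small audit over the `http_archive` and `git_repository` rules in a Bazel WORKSPACE file. The sample WORKSPACE content and repository names are constructed, and the pinning heuristics (a `sha256`/`integrity` attribute present, a URL that names a release tag or commit rather than a branch, a `git_repository` pinned to a `commit` rather than a `branch`) are my own assumptions about what a reviewer wants to see, not a description of Renovate's parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample WORKSPACE content for the demonstration (not the project's real file).
SAMPLE_WORKSPACE = '''
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

http_archive(
    name = "com_example_pinned",
    sha256 = "0000000000000000000000000000000000000000000000000000000000000000",
    strip_prefix = "pinned-1.2.3",
    urls = ["https://github.com/example/pinned/archive/refs/tags/v1.2.3.tar.gz"],
)

http_archive(
    name = "com_example_unpinned",
    urls = ["https://github.com/example/unpinned/archive/master.zip"],
)

git_repository(
    name = "com_example_branch",
    remote = "https://github.com/example/branch.git",
    branch = "main",
)

git_repository(
    name = "com_example_commit",
    remote = "https://github.com/example/commit.git",
    commit = "abcdef0123456789abcdef0123456789abcdef01",
)
'''

# One rule invocation: "http_archive(" ... up to the first ")" that starts a line.
RULE_BLOCK = re.compile(r"(http_archive|git_repository)\((.*?)\n\)", re.DOTALL)
# Simple `key = "value"` attributes inside a rule body.
STRING_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# The `urls = [...]` list attribute.
URLS_ATTR = re.compile(r"urls\s*=\s*\[(.*?)\]", re.DOTALL)
# A URL path segment that names a moving target instead of a release.
UNPINNED_REF = re.compile(r"/(master|main|HEAD|latest)(\.|/|$)")
# Something version-like in the URL: 1.2, v1.2.3, or a full 40-hex commit id.
VERSION_TOKEN = re.compile(r"(v?\d+\.\d+(\.\d+)?|[0-9a-f]{40})")


def _parse_rule(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Extract string attributes and the URL list from one rule body."""
    attrs = dict(STRING_ATTR.findall(body))
    urls: List[str] = []
    list_match = URLS_ATTR.search(body)
    if list_match:
        urls = re.findall(r'"([^"]*)"', list_match.group(1))
    elif "url" in attrs:
        urls = [attrs["url"]]
    return attrs, urls


def audit_workspace(text: str) -> Dict[str, List[str]]:
    """Return {rule_name: [finding, ...]} for every rule that is not fully pinned."""
    findings: Dict[str, List[str]] = {}
    for kind, body in RULE_BLOCK.findall(text):
        attrs, urls = _parse_rule(body)
        name = attrs.get("name", "<unnamed>")
        issues: List[str] = []
        if kind == "http_archive":
            # Without an integrity pin, whatever the server returns is trusted.
            if "sha256" not in attrs and "integrity" not in attrs:
                issues.append("no sha256/integrity attribute: archive contents are not pinned")
            for url in urls:
                if UNPINNED_REF.search(url) or not VERSION_TOKEN.search(url):
                    issues.append(f"URL is not a versioned release/tag link: {url}")
        else:  # git_repository
            if "commit" not in attrs:
                if "branch" in attrs:
                    issues.append(f"tracks branch '{attrs['branch']}' instead of a commit")
                elif "tag" in attrs:
                    issues.append("pinned by tag only; tags can be moved, add commit = ...")
                else:
                    issues.append("no commit, tag or branch given")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for rule_name, rule_issues in audit_workspace(SAMPLE_WORKSPACE).items():
        print(rule_name)
        for issue in rule_issues:
            print("  -", issue)
```

Running the script over the constructed sample reports only `com_example_unpinned` (missing `sha256` and a branch-archive URL) and `com_example_branch` (tracking `main`); the two rules pinned by release tag plus `sha256`, or by commit id, produce no findings. Rules that pass this check are also the ones that give an automated updater a version string to bump and a hash to refresh.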