fix: add render-template workflow and deduplicate Renovate detection #7

Merged
wgordon17 merged 9 commits into gordon-code:main from wgordon17:fix/renovate-post-upgrade on Mar 18, 2026

wgordon17 (Member) commented Mar 18, 2026

Summary

  • Adds render-template.yaml workflow that re-renders root files when Renovate pushes to includes/ or template/ on renovate/** branches
  • Conditionally runs nix flake lock when flake.nix inputs change (e.g. copier-flake digest update)
  • Removes redundant custom regex Manager 1 — built-in github-actions manager already handles SHA-pinned actions natively
  • Adds packageRule disabling built-in github-actions for template/** to prevent duplicate detection with the template regex manager
  • Removes dead template/flake.nix.jinja pattern from copier-flake manager
  • Adds test for the new packageRule (test_renovate_template_suppresses_builtin_gha)

wgordon17 (Member, Author) commented

Replaced the broken postUpgradeTasks approach (Renovate runs in Docker — Nix unavailable) with a separate GHA workflow.

What it does:

  • render-template.yaml triggers on pushes to renovate/** branches when includes/ or template/ files change
  • Installs Nix, runs just render, restores .copier-answers.yaml, commits if there's drift
  • Propagates SHA changes from includes (source of truth) to derived root files (e.g. flake.nix)

No-loop safety:

  • just render only modifies root files, not includes/ or template/ — paths filter prevents re-trigger
  • GITHUB_TOKEN pushes don't trigger workflows (GitHub docs)

Consistency:

  • render-template.yaml added to justfile restore list — survives just render
  • Reverted nix-setup/RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS from Renovate workflow (not needed)
  • Reverted postUpgradeTasks from Renovate config (Docker container can't run Nix)
  • Kept managerFilePatterns simplification for copier-flake (only scans source-of-truth include)

Verified:

  • nix develop -c just render works from minimal PATH
  • Zero drift after render (consistency check passes)
  • renovate-config-validator --strict passes
  • 54 tests pass
  • CI green (checks + consistency)
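
The no-loop argument in the comment above depends on the render step never writing into the workflow's trigger paths. The following is an added example, not code from this PR or repository, that checks that invariant; the glob lists and file names are constructed assumptions, and only the `**` and `*` glob forms are translated.

```python
import re

# Constructed trigger mirroring the comment above: pushes to renovate/**
# branches that touch includes/ or template/. The exact globs are assumptions.
TRIGGER = {
    "branches": ["renovate/**"],
    "paths": ["includes/**", "template/**"],
}


def glob_to_regex(pattern):
    """Translate the subset of filter globs used here: ** and *."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** crosses directory separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays within one path segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def matches_any(value, patterns):
    return any(glob_to_regex(p).match(value) for p in patterns)


def would_trigger(branch, changed_files, trigger=TRIGGER):
    """True if a push of changed_files to branch satisfies both filters."""
    return matches_any(branch, trigger["branches"]) and any(
        matches_any(f, trigger["paths"]) for f in changed_files
    )


def loop_risk(render_outputs, trigger=TRIGGER):
    """Files written by the render step that would re-trigger the workflow."""
    return sorted(f for f in render_outputs if matches_any(f, trigger["paths"]))
```

An empty `loop_risk` result means the paths filter alone breaks the cycle, independently of which token performs the push.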

- Removes custom regex Manager 1 (workflow scanner) — the built-in
  github-actions manager already detects SHA-pinned actions natively
- Adds packageRule to disable built-in github-actions for template/**
  paths, preventing duplicate detection with the template regex manager
- Removes dead template/flake.nix.jinja pattern from copier-flake
  manager (file has raw Jinja includes, not expanded URLs)
wgordon17 changed the title from "fix: re-render template after Renovate dependency updates" to "fix: add render-template workflow and deduplicate Renovate detection" on Mar 18, 2026
wgordon17 merged commit ad4f0ac into gordon-code:main on Mar 18, 2026
2 checks passed