fix(renovate): unified manager-agnostic trusted orgs rule + lock file automerge

Trust is org-based, not manager-based. A package from github/** should
auto-merge whether detected by github-actions, custom.regex, or nix manager.

Changes:
- Remove matchManagers constraint from trusted orgs rule
- Remove matchUpdateTypes constraint — trusted orgs get ALL update types
  (major, minor, patch, digest, pin, etc.)
- Merge GitHub Actions + Nix flake input trust lists into single rule
- Include both bare (github/**) and URL-prefixed (https://github.com/github/**)
  patterns since different managers report depName differently
- Add automerge to lockFileMaintenance config
- Remove redundant Nix flake inputs rule (orgs now in unified rule)
- Remove redundant HuggingFace custom.regex rule (covered by source URL rule)
- Remove hashicorp/* from Terraform providers rule (now in unified rule)
- Expand trusted orgs: ansible, aws-ia, bitwarden, codecov, criblio,
  DopplerHQ, huggingface, kubernetes, kubernetes-sigs, nix-darwin,
  nix-systems, obra, open-telemetry, ossf, pre-commit, pypa,
  renovatebot, semgrep, sigstore

Fixes: nix-ai#381 (github/gh-aw not auto-merging via custom.regex manager)

(claude)

Author: JacobPEvans

renovate-presets.json

@@ -13,7 +13,10 @@
   "timezone": "America/Chicago",
   "lockFileMaintenance": {
     "enabled": true,
-    "schedule": ["before 7am on Monday", "before 7am on Thursday"]
+    "schedule": ["before 7am on Monday", "before 7am on Thursday"],
+    "automerge": true,
+    "automergeType": "pr",
+    "automergeStrategy": "squash"
   },
   "customManagers": [
     {
@@ -43,31 +46,103 @@
       "minimumReleaseAge": "0 days"
     },
     {
-      "description": "Auto-merge trusted GitHub Actions including major (3-day stabilization)",
-      "matchManagers": ["github-actions"],
+      "description": "Auto-merge trusted orgs — all managers, all update types (3-day stabilization)",
       "matchPackageNames": [
         "actions/**",
-        "googleapis/**",
+        "ansible/**",
         "anthropics/**",
         "astral-sh/**",
-        "DeterminateSystems/**",
-        "peter-evans/**",
+        "aws-actions/**",
+        "aws-ia/**",
+        "Azure/**",
+        "bitwarden/**",
+        "cachix/**",
+        "codecov/**",
+        "criblio/**",
         "DavidAnson/**",
+        "DeterminateSystems/**",
+        "docker/**",
+        "DopplerHQ/**",
         "dorny/**",
+        "edolstra/**",
         "github/**",
-        "softprops/**",
+        "google/**",
+        "google-github-actions/**",
+        "googleapis/**",
         "hashicorp/**",
+        "hercules-ci/**",
+        "huggingface/**",
+        "kubernetes/**",
+        "kubernetes-sigs/**",
+        "microsoft/**",
+        "nix-community/**",
+        "nix-darwin/**",
+        "nix-systems/**",
+        "NixOS/**",
+        "numtide/**",
+        "obra/**",
+        "open-telemetry/**",
         "opentofu/**",
+        "ossf/**",
+        "oxalica/**",
+        "peter-evans/**",
+        "pre-commit/**",
+        "pypa/**",
         "python/**",
-        "microsoft/**",
-        "Azure/**",
         "raycast/**",
-        "aws-actions/**",
-        "google/**",
-        "google-github-actions/**",
-        "docker/**"
+        "renovatebot/**",
+        "semgrep/**",
+        "sigstore/**",
+        "softprops/**",
+        "wakatime/**",
+        "https://github.com/actions/**",
+        "https://github.com/ansible/**",
+        "https://github.com/anthropics/**",
+        "https://github.com/astral-sh/**",
+        "https://github.com/aws-actions/**",
+        "https://github.com/aws-ia/**",
+        "https://github.com/Azure/**",
+        "https://github.com/bitwarden/**",
+        "https://github.com/cachix/**",
+        "https://github.com/codecov/**",
+        "https://github.com/criblio/**",
+        "https://github.com/DavidAnson/**",
+        "https://github.com/DeterminateSystems/**",
+        "https://github.com/docker/**",
+        "https://github.com/DopplerHQ/**",
+        "https://github.com/dorny/**",
+        "https://github.com/edolstra/**",
+        "https://github.com/github/**",
+        "https://github.com/google/**",
+        "https://github.com/google-github-actions/**",
+        "https://github.com/googleapis/**",
+        "https://github.com/hashicorp/**",
+        "https://github.com/hercules-ci/**",
+        "https://github.com/huggingface/**",
+        "https://github.com/kubernetes/**",
+        "https://github.com/kubernetes-sigs/**",
+        "https://github.com/microsoft/**",
+        "https://github.com/nix-community/**",
+        "https://github.com/nix-darwin/**",
+        "https://github.com/nix-systems/**",
+        "https://github.com/NixOS/**",
+        "https://github.com/numtide/**",
+        "https://github.com/obra/**",
+        "https://github.com/open-telemetry/**",
+        "https://github.com/opentofu/**",
+        "https://github.com/ossf/**",
+        "https://github.com/oxalica/**",
+        "https://github.com/peter-evans/**",
+        "https://github.com/pre-commit/**",
+        "https://github.com/pypa/**",
+        "https://github.com/python/**",
+        "https://github.com/raycast/**",
+        "https://github.com/renovatebot/**",
+        "https://github.com/semgrep/**",
+        "https://github.com/sigstore/**",
+        "https://github.com/softprops/**",
+        "https://github.com/wakatime/**"
       ],
-      "matchUpdateTypes": ["major", "minor", "patch"],
       "automerge": true,
       "automergeType": "pr",
       "automergeStrategy": "squash",
@@ -86,10 +161,7 @@
       "description": "Auto-merge trusted Terraform providers (3-day stabilization, minor/patch only)",
       "matchManagers": ["terraform"],
       "matchDatasources": ["terraform-provider"],
-      "matchPackageNames": [
-        "hashicorp/*",
-        "bpg/*"
-      ],
+      "matchPackageNames": ["bpg/*"],
       "matchUpdateTypes": ["minor", "patch"],
       "automerge": true,
       "automergeType": "pr",
@@ -106,44 +178,12 @@
       "automergeStrategy": "squash",
       "minimumReleaseAge": "3 days"
     },
-    {
-      "description": "Auto-merge trusted Nix flake inputs (3-day stabilization, CI-gated)",
-      "matchManagers": ["nix"],
-      "matchDatasources": ["git-refs"],
-      "matchPackageNames": [
-        "https://github.com/NixOS/**",
-        "https://github.com/nix-community/**",
-        "https://github.com/cachix/**",
-        "https://github.com/anthropics/**",
-        "https://github.com/numtide/**",
-        "https://github.com/hercules-ci/**",
-        "https://github.com/DeterminateSystems/**",
-        "https://github.com/edolstra/**",
-        "https://github.com/oxalica/**",
-        "https://github.com/wakatime/**"
-      ],
-      "automerge": true,
-      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "3 days"
-    },
     {
       "description": "GitHub releases use v-prefixed tags for custom Nix packages",
       "matchDatasources": ["github-releases"],
       "matchManagers": ["custom.regex"],
       "extractVersion": "^v(?<version>.+)$"
     },
-    {
-      "description": "Auto-merge trusted PyPI packages from HuggingFace (custom managers)",
-      "matchDatasources": ["pypi"],
-      "matchManagers": ["custom.regex"],
-      "matchPackageNames": ["huggingface-hub", "huggingface-mcp-server"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "automerge": true,
-      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "3 days"
-    },
     {
       "description": "Twice-weekly schedule for all custom regex managers",
       "matchManagers": ["custom.regex"],