ci: add renovate auto-approve workflow

[jimisola]

Summary

• Add caller workflow for the centralised Renovate auto-approve reusable workflow in reqstool/.github
• When Renovate opens a PR, this workflow approves it using `GITHUB_TOKEN`, satisfying the required-review branch protection rule
• Unblocks Renovate's existing auto-merge setting so PRs merge automatically once checks pass

🤖 Generated with Claude Code

In general, this issue is fixed by explicitly declaring a permissions block in the workflow (either at the root or per‑job) that grants only the minimal scopes the workflow needs. This overrides potentially broad repository defaults and documents the workflow’s required privileges.

For this specific workflow, we should add a root‑level permissions block between the name and on keys, because there is only one job and it delegates to a reusable workflow. A safe, minimal starting point that aligns with GitHub’s guidance is contents: read, which is equivalent to read‑only repository access. If the reusable workflow requires additional scopes (for example, to approve or update pull requests), those would typically be pull-requests: write. However, we are not allowed to assume additional behavior beyond the snippet, so we will start with the minimal explicit restriction: permissions: contents: read. This keeps existing behavior in nearly all cases where the reusable workflow only needs read access, while constraining the token compared to legacy defaults. The change is localized to .github/workflows/renovate-approve.yml, and no new imports or methods are required.

Concretely:

• Edit .github/workflows/renovate-approve.yml.
• Insert a permissions: block after line 1 (the name: line) and before the on: block.
• Set contents: read in that block.
  No other lines in the file need to change.