Refresh Renovate PR lockfiles for Yarn 4 hardened mode

Fix: #1779

- Renovate lockFileMaintenance default false
- enable Renovate lockFileMaintenance (delete/create/commit lockfile)
  - Renovate groups yarn.lock .yarnrc.yml changes under 'npm'
- preserve Yarn 4 hardened mode in CI
  - protect vs lockfile poisoning
  - Renovate and forks outside cirlce of trust
  - significantly slower from Yarn querying lockfile remote registries
  - optimise future CI performance by enabling on only 1 matrix
- Yarn 4 hardened mode default true on GH PRs from public repo (fork)
  - yarn install --check-resolutions --refresh-lockfile
- Yarn 4 --immutable (--frozen-lockfile) default true in CI
- Yarn 4 --refresh-lockfile default true within PR context
- after migrate to .json5 to comment documentation

Author: leotm

renovate.json

@@ -8,6 +8,10 @@
   "postUpdateOptions": ["yarnDedupeHighest"],
   "timezone": "Europe/London",
   "dependencyDashboard": true,
+  "lockFileMaintenance": {
+    "enabled": true,
+    "enabledManagers": ["npm"]
+  },
   "packageRules": [
     {
       "matchSourceUrlPrefixes": ["https://github.com/swc-project/swc"],