chore: bump catalog to v2.1.1 + adopt PST renovate preset + RUSTSEC-2026-0104

Summary

Unbreaks main on two fronts (catalog v2.1.0 bump merged earlier left audit + cosign red). Both fixes ship together because the audit job gates everything downstream — bumping catalog alone wouldn't get main green.

  • Bump 7 catalog component refs from @v2.1.0 to @v2.1.1. v2.1.1 restores a conditional cosign install in the binary template for non-catalog build_image; fixes the cosign: command not found failure on build and build-fips (rust:1.88.0).
  • cargo update -p rustls-webpki: 0.103.12 → 0.103.13. Clears RUSTSEC-2026-0104 (reachable panic in CRL parsing). Audit was failing on this before cosign even tried to run.
  • Add renovate.json extending the PST shared preset (gitlab>gitlab-com/public-sector-tools/pipeline//presets/renovate.json). Bot will pick up future Cargo + catalog tag bumps automatically; prevents this drift class recurring.

Test plan

  • audit job green (cargo-deny advisories clean)
  • build + build-fips green (cosign install succeeds)
  • attest + attest-fips green (binary jobs upstream)
  • check (clippy + cargo test) green
  • compliance + secret_detection green
