chore(ci): bump catalog to v2.1.1 + adopt PST renovate preset

Summary

  • Bump pipeline/{container,verify,release} from @v2.1.0 to @v2.1.1. v2.1.1 restores a conditional cosign install in the binary template for consumers using non-catalog build_image. postern only uses the container path (ci-buildah image bundles cosign), so this is fleet-parity rather than functional necessity here.
  • Replace renovate.json with the PST shared preset (gitlab>gitlab-com/public-sector-tools/pipeline//presets/renovate.json). Inherits weekly Monday schedule, semantic-commit titles, batched-MR labels, no platform-automerge, UBI + golang group rules. Renovate will pick up Go module bumps and future catalog tags automatically.

Test plan

  • MR pipeline green (test, build, scan, verify, release stages)
  • No regressions in cosign verify-attestation step
  • Pipeline structure unchanged relative to !4 (merged) merge
