Exclude yao-pkg from renovate with comment (#859)

Author: eliykat

.github/renovate.json

@@ -0,0 +1,25 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["github>bitwarden/renovate-config"],
+  enabledManagers: ["github-actions", "npm"],
+  packageRules: [
+    {
+      groupName: "gh minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor", "patch"],
+    },
+    {
+      groupName: "Google Libraries",
+      matchPackagePatterns: ["google-auth-library", "googleapis"],
+      matchManagers: ["npm"],
+      groupSlug: "google-libraries",
+    },
+  ],
+  ignoreDeps: [
+    // yao-pkg is used to create a single executable application bundle for the CLI.
+    // It is a third party build of node which carries a high supply chain risk.
+    // This must be manually vetted by our appsec team before upgrading.
+    // It is excluded from renovate to avoid accidentally upgrading to a non-vetted version.
+    "@yao-pkg/pkg",
+  ],
+}