The general idea is that renv.lock is created by capturing the current state of a user's R library paths, and so that implies the user has installed a set of packages via some means in order to be captured. (Usually, those would be packages that were current on CRAN at the time of installation, or perhaps some packages installed from separate remote sources.)
Right now, there aren't any exported tools to create an renv.lock "from scratch", but depending on what exactly you want to do you could try creating renv.lock by hand -- it is just JSON, after all.
It's worth confirming what your R package version requirements are -- do you want exactly some set of versions (as would be specified in a lockfile), or is there some other meaning for what the "right" versions are? (E.g. you always want to be current with CRAN, etc.) This could effect the overall approach.