diff --git a/README.md b/README.md index 1f2649a..a45b5fe 100644 --- a/README.md +++ b/README.md @@ -373,6 +373,15 @@ systemctl status homelab-gitea-runner.service journalctl -u homelab-gitea-runner.service -n 100 --no-pager ``` +## Renovate + +`renovate.json` defines dependency update rules for Dockerfiles, OpenTofu +providers, Helm chart versions, and the pinned tools used by the Gitea Actions +workflow. Renovate should open reviewable update branches or PRs only; it must +not auto-merge infrastructure changes. Keep app-only dependency updates on the +normal Gitea Actions path, and run `./lab.sh up` manually on the Debian server +for platform or provisioning updates. + ## Destructive Rebuilds `./lab.sh nuke` resets kubeadm, containerd runtime state, CNI files, Calico diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..0bfdfdb --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,88 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended"
+ ],
+ "timezone": "America/Mexico_City",
+ "dependencyDashboard": true,
+ "labels": [
+ "dependencies"
+ ],
+ "prConcurrentLimit": 4,
+ "packageRules": [
+ {
+ "description": "Group OpenTofu and Terraform provider updates.",
+ "matchManagers": [
+ "terraform"
+ ],
+ "matchDepTypes": [
+ "required_provider"
+ ],
+ "groupName": "OpenTofu providers"
+ },
+ {
+ "description": "Group Helm chart versions managed through OpenTofu.",
+ "matchManagers": [
+ "terraform"
+ ],
+ "matchDatasources": [
+ "helm"
+ ],
+ "groupName": "Helm charts"
+ },
+ {
+ "description": "Keep app base image changes separate from platform changes.",
+ "matchManagers": [
+ "dockerfile"
+ ],
+ "groupName": "application base images"
+ },
+ {
+ "description": "Do not automerge homelab infrastructure updates.",
+ "matchFileNames": [
+ "bootstrap/**",
+ "lab.sh",
+ ".gitea/workflows/**"
+ ],
+ "automerge": false
+ }
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "managerFilePatterns": [
+ "/^\\.gitea\\/workflows\\/.*\\.ya?ml$/"
+ ],
+ "matchStrings": [
+ "gitleaks_version=\"(?[^\"]+)\""
+ ],
+ "depNameTemplate": "gitleaks/gitleaks",
+ "datasourceTemplate": "github-releases",
+ "versioningTemplate": "semver"
+ },
+ {
+ "customType": "regex",
+ "managerFilePatterns": [
+ "/^\\.gitea\\/workflows\\/.*\\.ya?ml$/"
+ ],
+ "matchStrings": [
+ "trivy_version=\"(?[^\"]+)\""
+ ],
+ "depNameTemplate": "aquasecurity/trivy",
+ "datasourceTemplate": "github-releases",
+ "versioningTemplate": "semver"
+ },
+ {
+ "customType": "regex",
+ "managerFilePatterns": [
+ "/^lab\\.sh$/"
+ ],
+ "matchStrings": [
+ "runner_version=\"\\$\\{GITEA_ACT_RUNNER_VERSION:-(?[^\"]+)\\}\""
+ ],
+ "depNameTemplate": "go-gitea/act_runner",
+ "datasourceTemplate": "github-releases",
+ "versioningTemplate": "semver"
+ }
+ ]
+}
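Review bot: The no-automerge guarantee the README promises is enforced only for `bootstrap/**`, `lab.sh` and `.gitea/workflows/**` by the last packageRule, so the Dockerfile and OpenTofu/Helm updates matched by the first three rules depend on the preset default and any later rule or preset that enables automerge would bypass the intent silently; a top-level `"automerge": false,` next to `"prConcurrentLimit"` makes the policy explicit for the whole repository. The three regex managers bump `gitleaks_version`, `trivy_version` and `runner_version`, but nothing here tracks a checksum for those downloads, so either the workflow and `lab.sh` verify a sha256 that a bare version bump will now break, or the release tag is the only integrity control — worth confirming which, and pairing each version with a verified checksum in the same file so the Renovate PR carries both. For the same reason consider `"extends": ["config:recommended", "docker:pinDigests", "helpers:pinGitHubActionDigests"]` so base images (and workflow `uses:` lines, if Renovate's github-actions manager picks up `.gitea/workflows/`) are pinned by digest rather than by mutable tag. As rendered here the `matchStrings` capture groups read `(?[^\"]+)`; Renovate's regex manager needs a named `(?<currentValue>…)` group (or a `currentValueTemplate`), so confirm the group name was not lost in rendering.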