diff --git a/.github/workflows/validate-renovate.yaml b/.github/workflows/validate-renovate.yaml
new file mode 100644
index 0000000..c620e9b
--- /dev/null
+++ b/.github/workflows/validate-renovate.yaml
@@ -0,0 +1,19 @@
+# Caller workflow for the reusable validate-renovate workflow in loft-sh/github-actions.
+name: Validate Renovate Config
+
+on:
+ pull_request:
+ paths:
+ - 'renovate.json'
+ - 'renovate.json5'
+ - '.renovaterc'
+ - '.renovaterc.json'
+
+permissions: {}
+
+jobs:
+ validate-renovate:
+ permissions:
+ contents: read
+ pull-requests: read
+ uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@b52efbd927586ea78282073f79d2423e552c9f62 # validate-renovate/v1
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..3a3a9f4
--- /dev/null
+++ b/renovate.json
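Review bot: The `paths` filter in `.github/workflows/validate-renovate.yaml` does not include the workflow file itself, so a pull request that only changes the pinned `uses:` digest never runs the validator against the new pin; adding `- '.github/workflows/validate-renovate.yaml'` would cover that. The list also omits other locations Renovate reads its config from, such as `.github/renovate.json`, `.github/renovate.json5` and `.renovaterc.json5`, so a config moved there would go unvalidated. Whether the reusable workflow itself looks at those paths is not visible from this hunk. The empty top-level `permissions: {}` with job-scoped read grants and the full-SHA pin should be kept as they are.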
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":semanticCommits",
+ "helpers:pinGitHubActionDigests"
+ ],
+ "baseBranchPatterns": ["main"],
+ "labels": ["dependencies"],
+ "prHourlyLimit": 5,
+ "prConcurrentLimit": 10,
+ "minimumReleaseAge": "3 days",
+ "schedule": ["before 6am on monday"],
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["security"]
+ },
+ "postUpdateOptions": ["gomodTidy"],
+ "packageRules": [
+ {
+ "description": "Group GitHub Actions updates",
+ "matchManagers": ["github-actions"],
+ "groupName": "github-actions"
+ },
+ {
+ "description": "Group Go patch updates to reduce PR noise; majors and minors stay individual for review",
+ "matchManagers": ["gomod"],
+ "matchUpdateTypes": ["patch"],
+ "groupName": "go-patch-updates"
+ },
+ {
+ "description": "Group Kubernetes Go modules so the k8s.io/sigs.k8s.io ecosystem moves in lockstep (covers go.mod deps and the pinned code-generator/kube-openapi tools in the Justfile)",
+ "matchPackageNames": ["k8s.io/{/,}**", "sigs.k8s.io/{/,}**"],
+ "groupName": "k8s-go-deps"
+ }
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "description": "deepcopy-gen (k8s.io/code-generator) tool version in the Justfile gen recipe",
+ "managerFilePatterns": ["/^Justfile$/"],
+ "matchStrings": ["go run k8s\\.io/code-generator/cmd/deepcopy-gen@(?v[\\d.]+)"],
+ "depNameTemplate": "k8s.io/code-generator",
+ "datasourceTemplate": "go"
+ },
+ {
+ "customType": "regex",
+ "description": "openapi-gen (k8s.io/kube-openapi) tool version in the Justfile gen recipe",
+ "managerFilePatterns": ["/^Justfile$/"],
+ "matchStrings": ["go run k8s\\.io/kube-openapi/cmd/openapi-gen@(?v[\\d.]+-[\\d]+-[0-9a-f]+)"],
+ "depNameTemplate": "k8s.io/kube-openapi",
+ "datasourceTemplate": "go"
+ }
+ ]
+}
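Review bot: Both `matchStrings` patterns under `customManagers` open their capture group with `(?v`, which is not valid regex group syntax, and Renovate's regex manager needs a named `currentValue` group to extract the version. If the committed file really reads this way (the name may instead have been lost when the diff was rendered), the groups should be `(?<currentValue>v[\\d.]+)` for deepcopy-gen and `(?<currentValue>v[\\d.]+-[\\d]+-[0-9a-f]+)` for openapi-gen. Without that, the two Justfile tool pins would not be picked up at all and would drift from the go.mod versions that the `k8s-go-deps` group is meant to keep in lockstep. It is also worth confirming that the pseudo-version form matched for kube-openapi is something the `go` datasource can propose updates for, since that is not evident from this hunk.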