diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cfa733e..af10b07 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,8 @@ repos:
 rev: 5.12.0
 hooks:
 - id: isort
+ - repo: https://github.com/renovatebot/pre-commit-hooks
+ rev: 43.150.0
+ hooks:
+ - id: renovate-config-validator
+ args: [--strict, --no-global]
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 02871ff..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "config:recommended"
- ],
- "packageRules": [
- {
- "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
- "matchManagers": [
- "github-actions"
- ],
- "groupName": "GitHub Actions",
- "minimumReleaseAge": "3 days",
- "pinDigests": true
- }
- ]
-}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..95ee889
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,15 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+ // Baseline = `hardcoretech/conf-renovate` (see preset README for the
+ // inherited policy: SHA-pinned GHA, 3-day release-age soak, OSV alerts,
+ // per-ecosystem grouping, major-update isolation, datastore version pinning).
+ // The preset auto-bumps this pin via its own customManager (v1.1.0+).
+ extends: [
+ "github>hardcoretech/conf-renovate#v1.2.1",
+ // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+ ":preserveSemverRanges",
+ ],
+
+ labels: ["dependencies"],
+}
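Review bot: The new hook's `rev: 43.150.0` is a tag, which the upstream repository can move, and pre-commit runs that repository's code wherever the hooks are installed. `rev` also accepts a full commit SHA, so the entry could read `rev: <full-commit-sha>  # frozen: 43.150.0` (the form `pre-commit autoupdate --freeze` writes). That would match the SHA-pinning policy this repo applies to GitHub Actions. The isort entry just above is also pinned by tag, so this follows the file's current convention; the `repos:` list continues outside the hunk.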
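Review bot: The preset reference `github>hardcoretech/conf-renovate#v1.2.1` is pinned to a tag. The GitHub Actions hardening that the deleted `renovate.json` stated in-repo (`pinDigests: true`, `minimumReleaseAge: "3 days"`) therefore now depends on content outside this repository, which can change if the tag is moved or when the pin is auto-bumped. The comment says the preset carries that policy, but nothing in this diff shows it. It is worth confirming against Renovate's resolved configuration for this repo, since the validator hook presumably checks only this file's options, not what the preset contains. As a local guard, consider keeping `packageRules: [{ matchManagers: ["github-actions"], pinDigests: true, minimumReleaseAge: "3 days" }]` here. The `FIS-17871` reference could also be carried into the comment so the security rationale stays traceable.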