diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
new file mode 100644
index 0000000..66fa499
--- /dev/null
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,55 @@
+name: Validate Renovate Config
+
+# Triggers on any path Renovate would pick up as a config (see lookup order:
+# https://docs.renovatebot.com/configuration-options/#configurationoptions).
+# Listing them all means a PR can't accidentally bypass validation by adding,
+# say, a higher-precedence `renovate.json` while only the `.json5` is path-filtered.
+on:
+  pull_request:
+    paths:
+      - 'renovate.json'
+      - 'renovate.json5'
+      - '.renovaterc'
+      - '.renovaterc.json'
+      - '.github/renovate.json'
+      - '.github/renovate.json5'
+      - '.github/workflows/validate-renovate.yml'
+  push:
+    branches: [master]
+    paths:
+      - 'renovate.json'
+      - 'renovate.json5'
+      - '.renovaterc'
+      - '.renovaterc.json'
+      - '.github/renovate.json'
+      - '.github/renovate.json5'
+      - '.github/workflows/validate-renovate.yml'
+
+jobs:
+  validate:
+    name: renovate-config-validator
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # We've deliberately chosen `renovate.json5` (supports comments). Any
+      # higher-precedence config file (`renovate.json`, `.renovaterc`,
+      # `.github/renovate.json`) would silently override it — fail loudly
+      # so a stray file is caught at PR time.
+      - name: Refuse higher-precedence config files
+        run: |
+          higher_precedence=(renovate.json .renovaterc .renovaterc.json .github/renovate.json)
+          found=()
+          for f in "${higher_precedence[@]}"; do
+            [[ -f "$f" ]] && found+=("$f")
+          done
+          if (( ${#found[@]} > 0 )); then
+            echo "::error::Higher-precedence Renovate config file(s) present — these override renovate.json5: ${found[*]}"
+            exit 1
+          fi
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      - run: npx --yes --package renovate@43 -- renovate-config-validator --strict --no-global renovate.json5
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..cb48299
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,21 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // Baseline = `hardcoretech/conf-renovate`. Inherited policy from the
+  // preset's `default.json5`:
+  // - `config:best-practices` (dependency dashboard, internal-checks-filter,
+  //   `groupName: null` for major updates, etc.)
+  // - SHA-pinned GHA + 3-day release-age soak + OSV vulnerability alerts
+  // - Per-ecosystem PR grouping (backend / frontend / docker / gha / terraform)
+  // - Datastore version pinning (mysql / rabbitmq / valkey on docker+helm)
+  // - PR volume controls (`prConcurrentLimit: 4`, `prHourlyLimit: 4`)
+  // - Weekly Monday schedule
+  // The preset auto-bumps this pin via its own customManager (v1.1.0+).
+  extends: [
+    "github>hardcoretech/conf-renovate#v1.2.1",
+    // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`). Not in the preset.
+    ":preserveSemverRanges",
+  ],
+
+  labels: ["dependencies"],
+}