diff --git a/standards/workflows/dependabot-rebase.yml b/standards/workflows/dependabot-rebase.yml
index fe0671e..0a621c0 100644
--- a/standards/workflows/dependabot-rebase.yml
+++ b/standards/workflows/dependabot-rebase.yml
@@ -6,8 +6,12 @@
 # AGENTS — READ BEFORE EDITING:
 # • This file is a THIN CALLER STUB. All rebase/merge serialization logic
 # lives in the reusable workflow above.
-# • You MAY change: the ref in the `uses:` line when upgrading the reusable
-# workflow version (bump to latest commit SHA or tag of petry-projects/.github).
+# • You MAY change: the SHA in the `uses:` line when upgrading the reusable
+# workflow version (bump SHA to latest main of petry-projects/.github).
+# • SHA-pinned intentionally (not @v1): no semver tags are maintained for
+# this internal reusable workflow. Downstream repos pin to a specific
+# commit SHA and bump deliberately. To look up the current SHA:
+# gh api repos/petry-projects/.github/branches/main --jq '.commit.sha'
 # • You MUST NOT change: the concurrency group name, the explicit secrets
 # block, or the job-level `permissions:` block — reusable workflows can be
 # granted no more permissions than the calling job has, so removing the
@@ -20,8 +24,11 @@
 # ─────────────────────────────────────────────────────────────────────────────
 #
 # Dependabot update-and-merge — thin caller for the org-level reusable.
-# To adopt: copy this file to .github/workflows/dependabot-rebase.yml in your repo.
-# Required org secrets (passed explicitly):
+# To adopt: copy THIS file (standards/workflows/dependabot-rebase.yml) to
+# .github/workflows/dependabot-rebase.yml in your repo. Do NOT copy
+# .github/workflows/dependabot-rebase.yml from this repo — that file uses a
+# local ref only valid in the source-of-truth repo.
+# Required org/repo secrets (inherited):
 # APP_ID — GitHub App ID with contents:write and pull-requests:write
 # APP_PRIVATE_KEY — GitHub App private key
 name: Dependabot update and merge
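Review bot: The lookup command added in the `gh api … --jq '.commit.sha'` line resolves to whatever is at the head of main at that moment, so a maintainer who follows the comment verbatim gets branch tracking with extra steps rather than the deliberate pin the bullet above it describes; the reusable workflow this SHA selects runs with the calling job's APP_ID/APP_PRIVATE_KEY, so the bump is the moment to read what changed. I'd follow the command with one more comment line, `# ...then review the reusable workflow's diff between the old and new SHA before bumping.`, so "bump deliberately" has a concrete step attached. The header comment block continues before line 6 and after this hunk.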
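Review bot: The new `# Required org/repo secrets (inherited):` line contradicts the job further down, which passes APP_ID and APP_PRIVATE_KEY through an explicit `secrets:` block, and the header in this same file calls that "the explicit secrets block" and forbids changing it; "inherited" reads as `secrets: inherit` to anyone who works with reusable workflows. The removed wording was accurate, so I'd keep the broadened scope but restore the mechanism: `# Required org/repo secrets (passed explicitly in the job's secrets: block):`. The surrounding comment block continues outside this hunk on both sides.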
@@ -43,8 +50,9 @@ permissions: {}
 jobs:
 dependabot-rebase:
 permissions:
-pull-requests: write # call update-branch API on behind PRs and merge when ready
-uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@b51e2edf830ea085be0277bcf3174c7b3ec8f958 # v1
+contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
+pull-requests: write # re-approve PRs after branch update
+uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@9a694e5798ebb596476e6eda80f11e832d8fd0a9 # main
 secrets:
 APP_ID: ${{ secrets.APP_ID }}
 APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
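Review bot: The trailing comment on the new `contents: write` line says the token "may touch .github/workflows/", but as far as I know GITHUB_TOKEN cannot create or update workflow files regardless of its `contents` grant, so an update-branch that would merge base commits touching that directory has to go through the App installation token (APP_ID/APP_PRIVATE_KEY, which the header says carries contents:write) rather than this permission. The parenthetical therefore documents a capability the grant does not provide; I'd have it say what it actually buys, e.g. `contents: write # update-branch via GITHUB_TOKEN; merges touching .github/workflows/ must use the App token`. Separately, the `# main` label that replaces `# v1` after the pinned SHA is a floating name that tells a future reader nothing about what was reviewed at pin time; a short date or one-line change summary would serve an audit better. The dependabot-rebase job may continue past the `secrets:` block, outside this hunk.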