diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
new file mode 100644
index 0000000..d3e879f
--- /dev/null
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,21 @@
+name: validate renovate.json5
+
+on:
+ pull_request:
+
+env:
+ LOG_LEVEL: debug
+
+jobs:
+ renovate-config-validator:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
+ with:
+ node-version: 20
+
+ - run: npx -p renovate renovate-config-validator renovate.json5
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..5ff06b2
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,55 @@
+{
+ "extends": [
+ "config:best-practices",
+ ":rebaseStalePrs",
+ "regexManagers:dockerfileVersions"
+ ],
+ "packageRules": [
+ {
+ "matchPackagePatterns": [
+ "*"
+ ],
+ "matchUpdateTypes": [
+ "minor",
+ "patch",
+ "digest"
+ ],
+ "groupName": "all non-major dependencies",
+ "groupSlug": "all-minor-patch-digest",
+ "schedule": [
+ "after 10pm on friday"
+ ]
+ },
+ {
+ "matchManagers": [
+ "gomod"
+ ],
+ "postUpdateOptions": [
+ "gomodTidy"
+ ]
+ },
+ {
+ "description": "Only update codeql-action digest updates monthly",
+ "matchDatasources": [
+ "github-actions"
+ ],
+ "matchPackageNames": [
+ "github/codeql-action"
+ ],
+ "matchUpdateTypes": [
+ "digest"
+ ],
+ "schedule": [
+ "after 10pm on the first day of the month"
+ ]
+ }
+ ],
+ "labels": [
+ "dependencies"
+ ],
+ "osvVulnerabilityAlerts": true,
+ "dependencyDashboardOSVVulnerabilitySummary": "unresolved",
+ "vulnerabilityAlerts": {
+ "enabled": true
+ }
+}
\ No newline at end of file
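Review bot: The last step of `.github/workflows/validate-renovate.yml` runs `npx -p renovate renovate-config-validator renovate.json5` with no version. Every pull request therefore downloads and executes whatever `renovate` release, and its transitive dependencies, npm serves at that moment, which undercuts the commit-SHA pinning used for the two actions above it. Pin the package and bump it deliberately: `- run: npx -p renovate@<PINNED_VERSION> renovate-config-validator renovate.json5`. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository default. A validator that only reads the checkout needs no more than a top-level `permissions:` with `contents: read`.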
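Review bot: In `renovate.json5`, the third `packageRules` entry (for `github/codeql-action` digests) overrides only `schedule`. The first catch-all rule also matches `digest` updates, and Renovate applies matching rules in order and merges them, so the codeql-action digest update most likely keeps `groupName` "all non-major dependencies" and `groupSlug` "all-minor-patch-digest". It would then still ride in the Friday group branch, and the monthly schedule may not have the isolating effect the description promises. Give the rule its own group, for example `"groupName": "codeql-action digests"` (name is illustrative), or exclude the package from the catch-all rule. Then confirm the result in the `LOG_LEVEL: debug` output or on the dependency dashboard.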