diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml
new file mode 100644
index 0000000..353b7c0
--- /dev/null
+++ b/.gitea/workflows/renovate.yml
@@ -0,0 +1,33 @@
+name: Renovate
+
+on:
+  # Weekly sweep. Mondays 05:00 UTC — this cron owns the cadence; the repo's
+  # renovate.json5 deliberately has no internal schedule (avoids double-gating).
+  schedule:
+    - cron: '0 5 * * 1'
+  # Manual run for an on-demand sweep from the Actions tab.
+  workflow_dispatch:
+
+# Never let two Renovate runs touch the repo at once.
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    runs-on: docker
+    steps:
+      - name: Run Renovate
+        uses: renovatebot/github-action@v40
+        env:
+          # Self-hosted Gitea, not github.com.
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: https://gitea.jeanlucmakiola.de/api/v1
+          # Bot-account token (Gitea secret). Needs repo read/write + PR scope.
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          # Scope to this repo only — no org-wide autodiscovery.
+          RENOVATE_AUTODISCOVER: 'false'
+          RENOVATE_REPOSITORIES: '["makiolaj/calendula"]'
+          # Commits/PRs authored as the bot, not a real maintainer.
+          RENOVATE_GIT_AUTHOR: 'Renovate Bot <renovate@jeanlucmakiola.de>'
+          LOG_LEVEL: info
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..103bd3d
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,56 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  extends: [
+    "config:recommended",
+    // chore(deps): … — match the repo's conventional-commit style.
+    ":semanticCommits",
+  ],
+
+  // No automerge: a dependency bump goes through the same review (and, for
+  // anything touching the build, the same on-device check) as a feature
+  // before it can ride a release — see docs/RELEASING.md and the
+  // "hold release for approval" rule.
+  automerge: false,
+
+  // One reviewable surface; the dashboard issue lists everything pending.
+  dependencyDashboard: true,
+  labels: ["dependencies"],
+  prConcurrentLimit: 5,
+  prHourlyLimit: 0,
+
+  // Cadence is owned by the Gitea Actions cron (.gitea/workflows/renovate.yml,
+  // Mondays) — no internal `schedule` here, so the two don't double-gate and
+  // silently skip a run.
+
+  // Gitea Actions workflows live under .gitea/workflows, not .github — extend
+  // the github-actions manager (same syntax) to watch them too.
+  "github-actions": {
+    fileMatch: ["^\\.gitea/workflows/[^/]+\\.ya?ml$"],
+  },
+
+  packageRules: [
+    // material3 is deliberately pinned to the 1.5 *alpha* line for the
+    // Expressive APIs (see gradle/libs.versions.toml). Follow the alpha train
+    // but keep it in its own PR, reviewed in isolation; revisit the pin when
+    // 1.5.0 stable lands.
+    {
+      matchPackageNames: ["androidx.compose.material3:material3"],
+      ignoreUnstable: false,
+      groupName: "material3 (alpha)",
+    },
+    // Test-only deps: group into one low-noise PR.
+    {
+      matchPackageNames: [
+        "org.junit.jupiter:**",
+        "org.junit.platform:**",
+        "com.google.truth:**",
+        "app.cash.turbine:**",
+        "androidx.test:**",
+        "androidx.test.espresso:**",
+        "androidx.test.ext:**",
+      ],
+      groupName: "test dependencies",
+    },
+  ],
+}