diff --git a/.github/renovate.json b/.github/renovate.json
index cd662b7f..7a952789 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -44,6 +44,23 @@
       "matchUpdateTypes": ["minor", "patch"],
       "automerge": true
     },
+    {
+      "description": "Limit actions/checkout to stable v4.x updates and block auto-upgrade to v5/v6",
+      "matchManagers": ["github-actions"],
+      "matchPackageNames": ["actions/checkout"],
+      "allowedVersions": "<5.0.0",
+      "automerge": false,
+      "matchUpdateTypes": ["minor", "patch"],
+      "labels": ["dependencies", "github-actions", "manual-review"]
+    },
+    {
+      "description": "Do not auto-upgrade other github-actions majors without review",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "automerge": false,
+      "labels": ["dependencies", "github-actions", "manual-review"],
+      "prPriority": 0
+    },
     {
       "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
       "matchManagers": ["dockerfile"],