diff --git a/renovate.json b/renovate.json
index c95f708e..2b4af645 100644
--- a/renovate.json
+++ b/renovate.json
@@ -14,8 +14,8 @@
       "automerge": false
     },
     {
-      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
-      "matchPaths": [".gitea/workflows/**"],
+      "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access. Covers .gitea/actions/** too: the reload-caddy alpine digest now lives in a composite action (#603).",
+      "matchPaths": [".gitea/workflows/**", ".gitea/actions/**"],
       "matchUpdateTypes": ["digest"],
       "automerge": false,
       "reviewersFromCodeOwners": false