diff --git a/renovate.json b/renovate.json
index bcb6238b..e4f29762 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,6 +5,13 @@
 "matchPackagePatterns": ["^@tiptap/"],
 "groupName": "tiptap",
 "automerge": false
+ },
+ {
+ "description": "Digest bumps for images used in privileged CI steps (--privileged --pid=host) must be reviewed manually — a compromised image has root-equivalent host access.",
+ "matchPaths": [".gitea/workflows/**"],
+ "matchUpdateTypes": ["digest"],
+ "automerge": false,
+ "reviewersFromCodeOwners": false
 }
 ]
 }
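Review bot: The new rule sets `"automerge": false` only for `"matchUpdateTypes": ["digest"]`, so an update to the same workflow images that Renovate classifies differently, such as a tag bump (`major`/`minor`/`patch`) or the initial `pinDigest`, is not covered and falls back to whatever the rest of the config allows. Since the stated risk is image content changing under a privileged step, consider dropping `matchUpdateTypes` from this rule or widening it to `["digest", "pinDigest", "major", "minor", "patch"]`. `"reviewersFromCodeOwners": false` also means nobody is requested automatically; if no `reviewers` list is set elsewhere, add one here so the manual review has an owner. The `packageRules` array and the top-level settings start outside the hunk, so whether automerge is enabled globally is not visible here.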