diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 1b1554b23..f912ca3ac 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,6 +1,7 @@
 {
   // Configuration file for RenovateBot: https://docs.renovatebot.com/configuration-options
-  extends: ["config:base"],
+  extends: ["config:recommended"],
+  baseBranches: ["$default", "/^hotfix\\/.*/"],
   ignoreDeps: [
     // Each ignore is probably connected with an ignore in pyproject.toml.
     // Ensure you change this and those simultaneously.
@@ -23,6 +24,7 @@
       automerge: true,
       minimumReleaseAge: "0 seconds",
       schedule: ["at any time"],
+      matchBaseBranches: ["$default"],  // Only do minor releases on main
     },
     {
       // Same as above, but for hotfix branches, only for patch, and without auto-merging.
@@ -48,7 +50,8 @@
       groupName: "internal packages",
       matchPackagePrefixes: ["craft-", "snap-"],
       matchLanguages: ["python"],
-      prPriority: 2
+      prPriority: 2,
+      matchBaseBranches: ["$default"],  // Not for hotfix branches
     },
     {
       // GitHub Actions are higher priority to update than most dependencies since they don't tend to break things.
@@ -67,10 +70,10 @@
       // Minor changes can be grouped and automerged for dev dependencies, but are also deprioritised.
       groupName: "development dependencies (non-major)",
       groupSlug: "dev-dependencies",
-      matchPackagePrefixes: [
-        "dev",
-        "lint",
-        "types"
+      matchDepPatterns: [
+        "dev/.*",
+        "lint/.*",
+        "types/.*"
       ],
       matchPackagePatterns: [
         // Generated from the dependency dashboard, may not be complete.
@@ -99,11 +102,13 @@
       matchPackageNames: ["Sphinx", "furo"],
       matchPackagePatterns: ["[Ss]phinx.*$"],
       matchPackagePrefixes: ["docs"],
+      matchBaseBranches: ["$default"],  // Not for hotfix branches
     },
     {
           // Other major dependencies get deprioritised below minor dev dependencies.
       matchUpdateTypes: ["major"],
-      prPriority: -2
+      prPriority: -2,
+      matchBaseBranches: ["$default"],  // Not for hotfix branches
     },
     {
       // Major dev dependencies are stone last, but grouped.
@@ -127,19 +132,22 @@
         "^(.*/)?ruff$",
         "^(.*/)?twine$",
         "^(.*/)?types-"
-      ]
+      ],
+      matchBaseBranches: ["$default"],  // Not for hotfix branches
     },
     {
       // Pyright makes regular breaking changes in patch releases, so we separate these
       // and do them independently.
       matchPackageNames: ["pyright"],
-      prPriority: -4
+      prPriority: -4,
+      matchBaseBranches: ["$default"],  // Not for hotfix branches
     }
   ],
-  regexManagers: [
+  customManagers: [
     {
       // tox.ini can get updates too if we specify for each package.
       fileMatch: ["tox.ini"],
+      customType: "regex",
       depTypeTemplate: "devDependencies",
       matchStrings: [
         "# renovate: datasource=(?<datasource>\\S+)\n\\s+(?<depName>.*?)(\\[[\\w]*\\])*[=><]=?(?<currentValue>.*?)\n"
@@ -148,9 +156,11 @@
     {
       // .pre-commit-config.yaml version updates
       fileMatch: [".pre-commit-config.yaml"],
-      depTypeTemplate: "devDependencies",
+      customType: "regex",
+      datasourceTemplate: "pypi",
+      depTypeTemplate: "lint",
       matchStrings: [
-        "# renovate: datasource=(?<datasource>\\S+);\\s*depName=(?<depName>.*?)\n\s+rev: \"v?(?<currentValue>.*?)\""
+        "- repo: .*/<(?<depName>\\S+)\\s*\\n\\s*rev:\s+\"?v?(?<currentValue>\\S*)\"?",
       ]
     }
   ],
@@ -161,7 +171,7 @@
   prCreation: "not-pending", // Wait until status checks have completed before raising the PR
   prNotPendingHours: 4, // ...unless the status checks have been running for 4+ hours.
   prHourlyLimit: 1, // No more than 1 PR per hour.
-  stabilityDays: 2, // Wait 2 days from release before updating.
+  minimumReleaseAge: "2 days",
   automergeStrategy: "squash", // Squash & rebase when auto-merging.
   semanticCommitType: "build"  // use `build` as commit header type (i.e. `build(deps): <description>`)
 }
diff --git a/.github/workflows/check-renovate.yaml b/.github/workflows/check-renovate.yaml
new file mode 100644
index 000000000..7d13cfbf2
--- /dev/null
+++ b/.github/workflows/check-renovate.yaml
@@ -0,0 +1,40 @@
+name: Renovate check
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/check-renovate.yaml"
+      - ".github/renovate.json5"
+
+  # Allows triggering the workflow manually from the Actions tab
+  workflow_dispatch:
+    inputs:
+      enable_ssh_access:
+        type: boolean
+        description: 'Enable ssh access'
+        required: false
+        default: false
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - name: Install renovate
+        run: npm install --global renovate
+      - name: Enable ssh access
+        uses: mxschmitt/action-tmate@v3
+        if: ${{ inputs.enable_ssh_access }}
+        with:
+          limit-access-to-actor: true
+      - name: Check renovate config
+        run: renovate-config-validator .github/renovate.json5
+      - name: Renovate dry-run
+        run: renovate --dry-run --autodiscover
+        env:
+          RENOVATE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RENOVATE_USE_BASE_BRANCH_CONFIG: ${{ github.ref }}