From dc0b7663bb864411273467ff22173277bdeb0521 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 20 Jun 2026 07:47:39 +0000
Subject: [PATCH 1/3] Initial plan


From af56fe205f0fdd279bfac302ffac5f31d1cfc711 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 20 Jun 2026 07:52:44 +0000
Subject: [PATCH 2/3] docs(renovate): drop redundant uses-line annotation from
 onboarding guide

---
 docs/release-please-onboarding.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/release-please-onboarding.md b/docs/release-please-onboarding.md
index 98dd17e..d7bc803 100644
--- a/docs/release-please-onboarding.md
+++ b/docs/release-please-onboarding.md
@@ -122,7 +122,6 @@ concurrency:
   cancel-in-progress: false
 jobs:
   release-please:
-    # renovate: datasource=github-tags depName=DevSecNinja/.github
     uses: DevSecNinja/.github/.github/workflows/release-please.yml@<sha> # vX.Y.Z
     permissions:
       contents: write
@@ -134,7 +133,11 @@ jobs:
 ```
 
 Pin `<sha>` to a release-tagged commit of `DevSecNinja/.github`. The
-`# renovate:` comment lets Renovate auto-bump it when new tags ship.
+`# vX.Y.Z` version comment on the `uses:` line is all Renovate needs:
+its GitHub Actions manager tracks reusable-workflow callers natively and
+auto-bumps both the pinned SHA and the comment when new tags ship. No
+separate `# renovate:` annotation is required (and adding one is dropped
+on the next bump).
 
 #### `release-please-config.json`
 

From 306538a15802d5c9128316f7dae8221b2dc166d3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 20 Jun 2026 08:05:39 +0000
Subject: [PATCH 3/3] refactor(renovate): drop inert uses-line annotations from
 workflows

---
 .github/workflows/config-sync.yml           | 1 -
 .github/workflows/release-please-caller.yml | 1 -
 .github/workflows/release-please.yml        | 2 --
 .github/workflows/vendored-file-sync.yml    | 1 -
 4 files changed, 5 deletions(-)

diff --git a/.github/workflows/config-sync.yml b/.github/workflows/config-sync.yml
index 1809845..19b01b2 100644
--- a/.github/workflows/config-sync.yml
+++ b/.github/workflows/config-sync.yml
@@ -170,7 +170,6 @@ jobs:
               --force
       - name: Create PR if configs changed
         if: steps.pull.outputs.updated == '1'
-        # renovate: datasource=github-tags depName=DevSecNinja/.github
         uses: DevSecNinja/.github/actions/open-pr@c1725a7573e1cb5277889d925901b477ee814352 # v1.7.0
         with:
           branch: chore/config-sync
diff --git a/.github/workflows/release-please-caller.yml b/.github/workflows/release-please-caller.yml
index 5e23c88..0d8632f 100644
--- a/.github/workflows/release-please-caller.yml
+++ b/.github/workflows/release-please-caller.yml
@@ -33,7 +33,6 @@ jobs:
   release-please:
     # Self-reference: same repo, pinned to the SHA that introduced the
     # App-token wiring. Re-pin to the next vX.Y.Z tag once cut.
-    # renovate: datasource=github-tags depName=DevSecNinja/.github
     uses: DevSecNinja/.github/.github/workflows/release-please.yml@fa92001d3877b58e3c8f8b0fa2f6f9230fbb0792 # main
     permissions:
       contents: write
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 1332531..5e3598b 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -97,7 +97,6 @@ jobs:
       - name: Generate App token
         id: app-token
         if: inputs.app-id != ''
-        # renovate: datasource=github-releases depName=actions/create-github-app-token
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ inputs.app-id }}
@@ -110,7 +109,6 @@ jobs:
 
       - name: Run release-please
         id: release-please
-        # renovate: datasource=github-releases depName=googleapis/release-please-action
         uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         with:
           target-branch: ${{ inputs.target-branch }}
diff --git a/.github/workflows/vendored-file-sync.yml b/.github/workflows/vendored-file-sync.yml
index 851a97b..81ee07d 100644
--- a/.github/workflows/vendored-file-sync.yml
+++ b/.github/workflows/vendored-file-sync.yml
@@ -149,7 +149,6 @@ jobs:
       - name: Open or update vendored-file sync PR
         id: open-pr
         if: ${{ inputs.create-pr && steps.detect.outputs.changed == 'true' }}
-        # renovate: datasource=github-tags depName=DevSecNinja/.github
         uses: DevSecNinja/.github/actions/open-pr@c1725a7573e1cb5277889d925901b477ee814352 # v1.7.0
         with:
           branch: ${{ inputs.branch }}