DevSecNinja · Copilot · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026
diff --git a/.github/workflows/config-sync.yml b/.github/workflows/config-sync.yml
@@ -170,7 +170,6 @@ jobs:
               --force
       - name: Create PR if configs changed
         if: steps.pull.outputs.updated == '1'
-        # renovate: datasource=github-tags depName=DevSecNinja/.github
         uses: DevSecNinja/.github/actions/open-pr@c1725a7573e1cb5277889d925901b477ee814352 # v1.7.0
         with:
           branch: chore/config-sync

diff --git a/.github/workflows/release-please-caller.yml b/.github/workflows/release-please-caller.yml
@@ -33,7 +33,6 @@ jobs:
   release-please:
     # Self-reference: same repo, pinned to the SHA that introduced the
     # App-token wiring. Re-pin to the next vX.Y.Z tag once cut.
-    # renovate: datasource=github-tags depName=DevSecNinja/.github
     uses: DevSecNinja/.github/.github/workflows/release-please.yml@fa92001d3877b58e3c8f8b0fa2f6f9230fbb0792 # main
     permissions:
       contents: write

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -97,7 +97,6 @@ jobs:
       - name: Generate App token
         id: app-token
         if: inputs.app-id != ''
-        # renovate: datasource=github-releases depName=actions/create-github-app-token
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ inputs.app-id }}
@@ -110,7 +109,6 @@ jobs:
 
       - name: Run release-please
         id: release-please
-        # renovate: datasource=github-releases depName=googleapis/release-please-action
         uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         with:
           target-branch: ${{ inputs.target-branch }}

diff --git a/.github/workflows/vendored-file-sync.yml b/.github/workflows/vendored-file-sync.yml
@@ -149,7 +149,6 @@ jobs:
       - name: Open or update vendored-file sync PR
         id: open-pr
         if: ${{ inputs.create-pr && steps.detect.outputs.changed == 'true' }}
-        # renovate: datasource=github-tags depName=DevSecNinja/.github
         uses: DevSecNinja/.github/actions/open-pr@c1725a7573e1cb5277889d925901b477ee814352 # v1.7.0
         with:
           branch: ${{ inputs.branch }}

@@ -122,7 +122,6 @@ concurrency:
   cancel-in-progress: false
 jobs:
   release-please:
-    # renovate: datasource=github-tags depName=DevSecNinja/.github
     uses: DevSecNinja/.github/.github/workflows/release-please.yml@<sha> # vX.Y.Z
     permissions:
       contents: write
@@ -134,7 +133,11 @@ jobs:
 ```
 
 Pin `<sha>` to a release-tagged commit of `DevSecNinja/.github`. The
-`# renovate:` comment lets Renovate auto-bump it when new tags ship.
+`# vX.Y.Z` version comment on the `uses:` line is all Renovate needs:
+its GitHub Actions manager tracks reusable-workflow callers natively and
+auto-bumps both the pinned SHA and the comment when new tags ship. No
+separate `# renovate:` annotation is required (and adding one is dropped
+on the next bump).
 
 #### `release-please-config.json`