diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3dbb2c9..1426f3c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,4 @@
-# Keep git submodules up to date automatically.
+# Keep git submodules and pinned GitHub Actions up to date automatically.
 #
 # This template embeds the shared `macros` repo as a git submodule. Dependabot's
 # `gitsubmodule` updater opens a PR whenever a submodule's default branch
@@ -14,3 +14,13 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore(submodule)"
+
+  # Also keep pinned GitHub Actions current. Dependabot scans .github/workflows/
+  # and opens a PR when a newer release of a pinned action is available;
+  # unversioned @HEAD / @main pins are left untouched.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore(actions)"