diff --git a/common/.github/workflows/openssf-scorecard-gate.yml b/common/.github/workflows/openssf-scorecard-gate.yml
new file mode 100644
index 0000000..c35dd52
--- /dev/null
+++ b/common/.github/workflows/openssf-scorecard-gate.yml
@@ -0,0 +1,28 @@
+# Gate PRs on OpenSSF Scorecard regressions.
+#
+# See also: https://github.com/ossf/scorecard/issues/1270
+name: OpenSSF Scorecard
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  scorecard:
+    name: Scorecard
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for regressions
+        uses: bootc-dev/actions/openssf-scorecard@main
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          head-sha: ${{ github.event.pull_request.head.sha }}
diff --git a/common/.github/workflows/openssf-scorecard.yml b/common/.github/workflows/openssf-scorecard.yml
deleted file mode 100644
index 314a0fa..0000000
--- a/common/.github/workflows/openssf-scorecard.yml
+++ /dev/null
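Review bot: The `Check for regressions` step runs `bootc-dev/actions/openssf-scorecard@main`, a floating branch ref, immediately after a checkout that keeps the default `persist-credentials: true`, so whatever that branch contains at run time executes with the job's `GITHUB_TOKEN` still present in `.git/config`; the job-level `permissions: contents: read` limits what that token can do, but the deleted `openssf-scorecard.yml` did set `persist-credentials: false` and this file should carry that over under the checkout's `with:`: `persist-credentials: false`. Pinning the action to a release tag or SHA, e.g. `uses: bootc-dev/actions/openssf-scorecard@<RELEASE-TAG-PLACEHOLDER>`, would also match how `actions/checkout@v4` is referenced here, and Scorecard's own Pinned-Dependencies check will likely count the `@main` and `@v4` refs against the score this workflow is meant to gate on. Note too that `actions/checkout` went from `@v6` in the removed workflow to `@v4` here, which looks like an unintended downgrade. The `fetch-depth: 0` is presumably needed for the base/head comparison, so a one-line comment saying so would save the next reader from trimming it.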
@@ -1,50 +0,0 @@
-# Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
-# Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater.
-name: OpenSSF Scorecard analysis
-on:
-  push:
-    branches:
-      - main
-
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-24.04
-    permissions:
-      # Needed for Code scanning upload
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.4.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # Scorecard team runs a weekly scan of public GitHub repos,
-          # see https://github.com/ossf/scorecard#public-data.
-          # Setting `publish_results: true` helps us scale by leveraging your workflow to
-          # extract the results instead of relying on our own infrastructure to run scans.
-          # And it's free for you!
-          publish_results: true
-
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@v6
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: results.sarif
-
diff --git a/devenv/Containerfile.c10s b/devenv/Containerfile.c10s
index aee6ec3..50fab0f 100644
--- a/devenv/Containerfile.c10s
+++ b/devenv/Containerfile.c10s
@@ -30,6 +30,8 @@ FROM base as tools ARG gooseversion=v1.11.1 # renovate: datasource=github-releases depName=bootc-dev/bcvk ARG bcvkversion=v0.9.0 +# renovate: datasource=github-releases depName=ossf/scorecard +ARG scorecardversion=v5.1.1 RUN <[a-z-]+) depName=(?[^\\s]+)\\n.*@(?\\S+)" ] + }, + // Shell scripts in GHA workflows/actions: Match "# renovate:" followed by VERSION= + { + "customType": "regex", + "managerFilePatterns": ["**/*.yml", "**/*.yaml"], + "matchStrings": [ + "# renovate: datasource=(?[a-z-]+) depName=(?[^\\s]+)\\n\\s*VERSION=(?v?\\S+)" + ] } ], "packageRules": [