diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 24e819e..67c535e 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -11,7 +11,7 @@ permissions: {}
 jobs:
 auto-merge:
- uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@22155f1bdaf6b0b19a6efb1c40e6778722c62cff # main
+ uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@main
 with:
 safe-updates-only: true
 merge-strategy: rebase
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
new file mode 100644
index 0000000..80c2a77
--- /dev/null
+++ b/.github/workflows/pr-quality.yml
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Netresearch DTT GmbH
+#
+# PR Quality Gates — caller for the org-wide reusable workflow.
+# Provides:
+# - PR size labeling (warn over 500 lines, alert over 1000)
+# - Auto-approve for maintainer PRs (OWNER/MEMBER/COLLABORATOR), so the
+# branch-protection "1 approval" gate doesn't block trivial maintainer
+# work; Copilot review still runs separately via the Copilot ruleset.
+# Reusable: netresearch/.github/.github/workflows/pr-quality.yml
+
+name: PR Quality Gates
+
+on:
+pull_request:
+branches: [main]
+types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
+jobs:
+quality:
+uses: netresearch/.github/.github/workflows/pr-quality.yml@main
+with:
+auto-approve-maintainers: true
+permissions:
+contents: read
+pull-requests: write
diff --git a/renovate.json b/renovate.json
index 19ea465..05c85ab 100644
--- a/renovate.json
+++ b/renovate.json
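Review bot: The `uses:` line now follows the mutable `@main` ref of netresearch/.github instead of the immutable commit it replaces, so anyone who can push to that repository's `main` can change the CI that runs here without any change landing in this repository; the same applies to the `uses:` line in the new pr-quality.yml hunk. If that is accepted org policy, as the renovate.json description in this commit states, the reason belongs next to the reference so the next reader does not re-pin it: e.g. `# Org policy: first-party reusable workflows follow @main (see renovate.json); do not SHA-pin`. It would also help to note where the protection of that `main` branch is enforced, which I cannot tell from this diff. The `# main` trailing comment that documented the pinned SHA's intent is dropped along with it, which is fine once the comment above is in place.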
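Review bot: With `auto-approve-maintainers: true` and `types` including `synchronize`, every push to a maintainer's PR is re-approved by the workflow token, so a branch-protection setting that dismisses stale approvals on new commits no longer adds anything, and one account with write access can author, receive the bot approval and merge without a second person. The header comment states the intent but not this consequence; I would extend it with a line such as `#   Note: the bot approval satisfies the required-approval count on every push, so this gate guards against accidental merges, not against a compromised maintainer account.` The job-level `permissions:` block granting only `contents: read` and `pull-requests: write` under a top-level `permissions: {}` is, as far as I can tell, the minimum the approval call needs and is the right shape for a reusable-workflow caller.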
@@ -53,6 +53,17 @@
 "groupName": "GitHub Actions",
 "pinDigests": true
 },
+ {
+ "description": "First-party Netresearch reusable workflows: never digest-pin. Org policy is @main (or @vN once tagged releases exist). Distinct from third-party actions which DO get SHA-pinned per supply-chain convention. Without this rule, Renovate's earlier digest-pinning produced commit 309fca0 (auto-merge.yml@) which violates that policy.",
+ "matchManagers": [
+ "github-actions"
+ ],
+ "matchPackagePatterns": [
+ "^netresearch/"
+ ],
+ "pinDigests": false,
+ "enabled": false
+ },
 {
 "description": "Security updates - high priority",
 "matchCategories": [
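Review bot: `"enabled": false` switches off all Renovate handling of `^netresearch/` github-actions dependencies, which goes beyond the stated intent of "never digest-pin": once the `@vN` tagged releases the description anticipates exist, Renovate will not propose `@v1` to `@v2` bumps either, and a stale major pin would likely go unnoticed. `"pinDigests": false` on its own expresses the policy; if `enabled` has to stay because `@main` references generate noise, the description should say so and name `enabled` as the flag to flip when tags appear. Separately, recent Renovate releases deprecate `matchPackagePatterns` in favour of `matchPackageNames` with a regex entry such as `"/^netresearch/"`; worth checking against the Renovate version in use so the rule does not rely on an auto-migration.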