diff --git a/.github/workflows/dual-approval.yaml b/.github/workflows/dual-approval.yaml
new file mode 100644
index 0000000..a2de07c
--- /dev/null
+++ b/.github/workflows/dual-approval.yaml
@@ -0,0 +1,18 @@
+name: Dual Approval (CTO + QA)
+
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  dual-approval:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
diff --git a/renovate.json b/renovate.json
index 9ca1ba1..d9ce489 100644
--- a/renovate.json
+++ b/renovate.json
@@ -4,6 +4,7 @@
   "baseBranches": ["main"],
   "schedule": ["every weekend"],
   "prConcurrentLimit": 10,
+  "pinDigests": true,
   "packageRules": [
     {
       "matchManagers": ["npm"],
@@ -17,3 +18,4 @@
     }
   ]
 }
+