diff --git a/renovate.json5 b/renovate.json5
index 3362f52c23..9877976856 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -2,7 +2,7 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:recommended", "helpers:pinGitHubActionDigests", "customManagers:githubActionsVersions"],
   "configMigration": true,
-  "enabledManagers": ["github-actions", "gomod", "npm", "pep621", "nix"],
+  "enabledManagers": ["github-actions", "gomod", "npm", "pep621", "nix", "custom.regex"],
   "labels": ["dependencies"],
   "branchPrefix": "renovate/",
   "schedule": ["* * * * 1"], // dependency update PRs weekly, vulnerabilityAlerts bypasses this
@@ -60,13 +60,26 @@
     },
     {
       "groupName": "go dependencies",
-      "matchDatasources": ["go"], // covers gomod manager + Makefile go-tool customManager
+      "matchManagers": ["gomod"],
       "postUpgradeTasks": {
         "commands": ["make tidy"],
         "fileFilters": ["go.mod", "go.sum", "assets/go-licenses.json"],
         "executionMode": "branch",
       },
     },
+    {
+      "groupName": "tool dependencies",
+      "matchManagers": ["custom.regex"],
+      "matchFileNames": ["**/Makefile"],
+    },
+    {
+      "matchManagers": ["gomod"],
+      "matchDepNames": ["go"],
+      "matchDepTypes": ["golang"],
+      "rangeStrategy": "bump",
+      "schedule": ["at any time"],
+      "minimumReleaseAge": "0",
+    },
     {
       "groupName": "npm dependencies",
       "matchManagers": ["npm"],