diff --git a/.github/renovate.json b/.github/renovate.json
index 3f7cf1598b24..4ff729004c37 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,6 +1,38 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base"
   ],
-  "rangeStrategy": "widen"
+  "semanticCommits": "enabled",
+  "semanticCommitType": "chore",
+  "semanticCommitScope": "deps",
+  "rangeStrategy": "widen",
+  "bundler": {
+    "enabled": true
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "automerge": false,
+    "schedule": [
+      "before 5am on monday"
+    ],
+    "commitMessageAction": "maintain Gemfile.lock files"
+  },
+  "packageRules": [
+    {
+      "description": "Phase 1: Core & Handwritten Gems Lockfile Rollout",
+      "matchFileNames": [
+        "google-cloud-core/**",
+        "google-cloud-storage/**",
+        "google-cloud-pubsub/**",
+        "google-cloud-bigquery/**",
+        "google-cloud-errors/**"
+      ],
+      "groupName": "core handwritten gems lockfiles",
+      "rangeStrategy": "update-lockfile",
+      "lockFileMaintenance": {
+        "enabled": true
+      }
+    }
+  ]
 }
diff --git a/.github/workflows/generate-lockfiles.yml b/.github/workflows/generate-lockfiles.yml
new file mode 100644
index 000000000000..85825e5429d4
--- /dev/null
+++ b/.github/workflows/generate-lockfiles.yml
@@ -0,0 +1,47 @@
+name: Generate Gemfile.lock Batches
+
+on:
+  workflow_dispatch:
+    inputs:
+      batch_pattern:
+        description: "Gem directory glob pattern (e.g., google-cloud-core or google-cloud-a*)"
+        required: true
+        default: "google-cloud-core google-cloud-storage google-cloud-pubsub google-cloud-bigquery google-cloud-errors"
+
+jobs:
+  generate-locks:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1
+        with:
+          ruby-version: "3.3"
+          bundler-cache: false
+      - name: Generate Lockfiles for Batch
+        run: |
+          for gemdir in ${INPUTS_BATCH_PATTERN}; do
+            if [ -f "$gemdir/Gemfile" ]; then
+              echo "Locking $gemdir..."
+              (cd "$gemdir" && bundle lock)
+              if [ -f "$gemdir/Gemfile.lock" ]; then
+                git add -f "$gemdir/Gemfile.lock"
+              fi
+            fi
+          done
+        env:
+          INPUTS_BATCH_PATTERN: ${{ inputs.batch_pattern }}
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
+        with:
+          commit-message: "chore(deps): generate Gemfile.lock files for ${{ inputs.batch_pattern }}"
+          title: "chore(deps): generate Gemfile.lock files (${{ inputs.batch_pattern }})"
+          body: |
+            Automated initial `Gemfile.lock` generation for compliance mandate https://b.corp.google.com/issues/509981628.
+            
+            Reviewed and coordinated with André as part of the multi-phase rollout.
+          branch: "chore/generate-locks-batch"