diff --git a/README.md b/README.md index d517777e30f..7f8afd3b0e2 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ GitHub Action to run Renovate self-hosted. - [Badges](#badges) - [Options](#options) + - [`additional-env-list`](#additional-env-list) - [`configurationFile`](#configurationfile) - [`docker-cmd-file`](#docker-cmd-file) - [`docker-network`](#docker-network) @@ -44,6 +45,11 @@ Options can be passed using the inputs of this action or the corresponding envir When both are passed, the input takes precedence over the environment variable. For the available environment variables, see the Renovate [Self-Hosted Configuration](https://docs.renovatebot.com/self-hosted-configuration/) docs. +### `additional-env-list` + +A newline-separated list of environment variable names to pass through to the Renovate container, in addition to those already matched by [`env-regex`](#env-regex). +See [Passing other environment variables](#passing-other-environment-variables) section for more details. + ### `configurationFile` Configuration file to configure Renovate ("global" config) in JavaScript or JSON format. 
@@ -409,9 +415,35 @@ For example if you wish to pass through some credentials for a [host rule](https ### Passing other environment variables -If you want to pass other variables to the Docker container use the `env-regex` input to override the regular expression that is used to allow environment variables. +There are two ways to pass additional variables through to the Renovate container: + +1. **Recommended:** use [`additional-env-list`](#additional-env-list) to list the names of the variables you want forwarded. This keeps the action's default `env-regex` in effect, so you'll continue to receive any future additions to the default allow-list. Variable names that are not present in the environment are silently ignored. +2. Override [`env-regex`](#env-regex) with a custom regular expression. This gives you full control but also full ownership: if the action's default pattern changes, your override will not pick up those changes, and a typo in the regex can silently drop variables (including `RENOVATE_*` ones). + +Example using `additional-env-list` (recommended): + +```yml +.... +jobs: + renovate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6.0.2 + - name: Self-hosted Renovate + uses: renovatebot/github-action@v46.1.14 + with: + configurationFile: example/renovate-config.js + token: ${{ secrets.RENOVATE_TOKEN }} + additional-env-list: | + AWS_TOKEN + MY_OTHER_SECRET + env: + AWS_TOKEN: ${{ secrets.AWS_TOKEN }} + MY_OTHER_SECRET: ${{ secrets.MY_OTHER_SECRET }} +``` -In your workflow pass the environment variable and whitelist it by specifying the `env-regex`: +Example using `env-regex` (full override): ```yml .... diff --git a/action.yml b/action.yml index 1131e10ec85..17482d84a49 100644 --- a/action.yml +++ b/action.yml 
@@ -18,9 +18,13 @@ inputs: required: false env-regex: description: | - Override the environment variables which will be passsed into the renovate container. + Override the environment variables which will be passed into the renovate container. Defaults to `^(?:RENOVATE_\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS|NO_COLOR|(?:HTTPS?|NO)_PROXY|(?:https?|no)_proxy)$` required: false + additional-env-list: + description: | + A newline-separated list of environment variable names to pass through to the Renovate container, in addition to those already matched by env-regex. + required: false renovate-version: description: | Renovate version to use. diff --git a/src/input.ts b/src/input.ts index ee988b6cccf..1497edeffb2 100644 --- a/src/input.ts +++ b/src/input.ts @@ -1,4 +1,4 @@ -import { getInput } from '@actions/core'; +import { getInput, getMultilineInput, warning } from '@actions/core'; import path from 'node:path'; export interface EnvironmentVariable { @@ -31,11 +31,21 @@ export class Input { const envRegex = envRegexInput ? new RegExp(envRegexInput) : this.options.envRegex; + const additionalEnvVarNames = getMultilineInput('additional-env-list'); this._environmentVariables = new Map( Object.entries(process.env) - .filter(([key]) => envRegex.test(key)) + .filter( + ([key]) => envRegex.test(key) || additionalEnvVarNames.includes(key), + ) .filter((pair): pair is [string, string] => pair[1] !== undefined), ); + for (const name of additionalEnvVarNames) { + if (!this._environmentVariables.has(name)) { + warning( + `Environment variable '${name}' listed in 'additional-env-list' was not found in the parent process environment; it will not be passed to the renovate container.`, + ); + } + } this.token = this.get( this.options.token.input,
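Review bot: the README hunk ("Passing other environment variables") says that names listed in `additional-env-list` but absent from the environment "are silently ignored", which contradicts the `src/input.ts` hunk, where each such name triggers `warning(...)`. Pick one behaviour and document it; if the warning stays, reword the README to something like "Names that are not set in the workflow environment are skipped and a warning is emitted in the action log", and mention the same in the `additional-env-list` option section added to the README.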
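Review bot: the `additional-env-list` description in `action.yml` should state that entries are exact, case-sensitive variable names (one per line), not patterns, since the implementation matches with `additionalEnvVarNames.includes(key)`; without that a user may write `AWS_*` expecting glob or regex behaviour and get nothing forwarded. Suggested wording: "A newline-separated list of exact environment variable names ... Names that are not set are skipped with a warning."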
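Review bot: in the `src/input.ts` hunk, the `.filter` now runs `additionalEnvVarNames.includes(key)` for every entry of `process.env`, and the follow-up loop does a `Map.has` per name; building `const additionalEnvVarNames = new Set(getMultilineInput('additional-env-list'))` and using `.has(key)` keeps the filter linear and makes the intent (exact-name allow-list) clearer. Also, the visible diff touches only `README.md`, `action.yml` and `src/input.ts`; a unit test covering a name that is forwarded, a name that is missing (and produces the warning), and a name that is an empty string would pin down the behaviour the README describes.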