diff --git a/dist/index.js b/dist/index.js
index 41dc8fed..a9533d46 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -4090,6 +4090,9 @@ class Input {
         const version = core.getInput('renovate-version');
         return !!version && version !== '' ? version : null;
     }
+    mountDockerSocket() {
+        return core.getInput('mount-docker-socket') === 'true';
+    }
     /**
      * Convert to environment variables.
      *
@@ -4156,6 +4159,9 @@ class Renovate {
             const mountPath = path_1.default.join(this.configFileMountDir, baseName);
             dockerArguments.push(`--env ${configurationFile.key}=${mountPath}`, `--volume ${configurationFile.value}:${mountPath}`);
         }
+        if (this.input.mountDockerSocket()) {
+            dockerArguments.push('--volume /var/run/docker.sock:/var/run/docker.sock', `--group-add ${this.getDockerGroupId()}`);
+        }
         dockerArguments.push('--volume /tmp:/tmp', '--rm', this.docker.image());
         const command = `docker run ${dockerArguments.join(' ')}`;
         const code = await (0, exec_1.exec)(command);
@@ -4163,6 +4169,29 @@ class Renovate {
             new Error(`'docker run' failed with exit code ${code}.`);
         }
     }
+    /**
+     * Fetch the host docker group of the GitHub Action runner.
+     *
+     * The Renovate container needs access to this group in order to have the
+     * required permissions on the Docker socket.
+     */
+    getDockerGroupId() {
+        const groupFile = '/etc/group';
+        const groups = fs_1.default.readFileSync(groupFile, {
+            encoding: 'utf-8',
+        });
+        /**
+         * The group file has `groupname:group-password:GID:username-list` as
+         * structure and we're interested in the `GID` (the group ID).
+         *
+         * Source: https://www.thegeekdiary.com/etcgroup-file-explained/
+         */
+        const match = Renovate.dockerGroupRegex.exec(groups);
+        if (match?.groups?.groupId === undefined) {
+            throw new Error(`Could not find group docker in ${groupFile}`);
+        }
+        return match.groups.groupId;
+    }
     validateArguments() {
         if (/\s/.test(this.input.token.value)) {
             throw new Error('Token MUST NOT contain whitespace');
@@ -4175,6 +4204,7 @@ class Renovate {
         }
     }
 }
+Renovate.dockerGroupRegex = /^docker:x:(?<groupId>[1-9][0-9]*):/m;
 exports["default"] = Renovate;
 
 
diff --git a/package.json b/package.json
index f20251a8..411906e5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "github-action",
-  "version": "38.0.0",
+  "version": "38.1.0",
   "private": true,
   "description": "GitHub Action to run Renovate self-hosted.",
   "license": "GPL-3.0-or-later",