diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..14ff6b2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,19 @@ +version: 2 +updates: +- package-ecosystem: pip + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 50 + target-branch: develop + labels: + - dependency_updates + rebase-strategy: "disabled" +- package-ecosystem: github-actions + directory: "/" + schedule: + interval: daily + time: "05:33" + target-branch: develop + labels: + - CI diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3165304..bb5be6e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,16 +16,21 @@ jobs: name: Publish package runs-on: ubuntu-latest if: github.repository == 'matgenix/qtoolkit' && startsWith(github.ref, 'refs/tags/v') + permissions: + contents: write + issues: read + pull-requests: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 + ref: ${{ env.PUBLISH_UPDATE_BRANCH }} - name: Set up Python 3.11 - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: '3.11' @@ -38,7 +43,7 @@ jobs: - name: Update changelog uses: CharMixer/auto-changelog-action@v1 with: - token: ${{ secrets.RELEASE_PAT_BOT }} + token: ${{ secrets.GITHUB_TOKEN }} release_branch: ${{ env.PUBLISH_UPDATE_BRANCH }} exclude_labels: "duplicate,question,invalid,wontfix,dependency_updates,skip_changelog" @@ -57,7 +62,7 @@ jobs: - name: Update '${{ env.PUBLISH_UPDATE_BRANCH }}' with automated changes uses: CasperWA/push-protected@v2 with: - token: ${{ secrets.RELEASE_PAT_BOT }} + token: ${{ secrets.ORG_RELEASE_PAT_BOT }} branch: ${{ env.PUBLISH_UPDATE_BRANCH }} unprotect_reviews: true sleep: 15 
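Review bot: Both update entries set `target-branch: develop`, and per the Dependabot documentation an entry with `target-branch` no longer governs security-update pull requests, which are raised against the default branch. If `develop` is not the default branch, those PRs will not carry the `dependency_updates` or `CI` labels or this entry's limits. Dependabot also ignores labels that do not exist in the repository, so both labels need to be created before the `exclude_labels` filter in release.yml can keep these PRs out of the changelog. A short comment above each entry, e.g. `# version updates only; security updates target the default branch`, would record this.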
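Review bot: The added `ref: ${{ env.PUBLISH_UPDATE_BRANCH }}` makes the job check out the branch tip although it is gated on a `refs/tags/v` ref, so the distribution built and published later may contain commits that are not part of the tagged revision if the branch has moved since the tag was created. The steps between checkout and build are outside this hunk, so confirm that the tag is re-pointed at the commit that is actually built, or add a check that the branch tip is the expected revision. Separately, the job-level `contents: write` token is stored in the checkout's git config by default and stays readable by every later step. Adding `persist-credentials: false` under `with:` avoids that if no later step relies on the persisted credential (the push step passes its own token).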
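Review bot: The `exclude_labels` list in this "Update changelog" step is left without `CI`, while the later "Create release-specific changelog" step (hunk at -70) gains it. Pull requests labelled `CI` by the new Dependabot github-actions entry would therefore be listed in the main changelog but not in the release notes. If both lists are meant to match, use `exclude_labels: "duplicate,question,invalid,wontfix,dependency_updates,CI,skip_changelog"` here as well.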
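Review bot: `CasperWA/push-protected@v2` now receives `secrets.ORG_RELEASE_PAT_BOT`, a token that presumably has enough rights to lift review protection (`unprotect_reviews: true`), yet the action is referenced by a mutable tag, so whatever code that tag points to at run time gets the token. Pin third-party actions to a full commit SHA with the version as a trailing comment, e.g. `uses: CasperWA/push-protected@<full-commit-sha> # v2`; the github-actions Dependabot entry added in this commit can keep such pins current. The same applies to `CharMixer/auto-changelog-action@v1` in the two changelog hunks and `pypa/gh-action-pypi-publish@release/v1` in the publish hunk. If the `ORG_` prefix means an organisation-level secret, restrict its repository access and the PAT's scopes to what this push needs.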
@@ -70,11 +75,11 @@ jobs: - name: Create release-specific changelog uses: CharMixer/auto-changelog-action@v1 with: - token: ${{ secrets.RELEASE_PAT_BOT }} + token: ${{ secrets.GITHUB_TOKEN }} release_branch: ${{ env.PUBLISH_UPDATE_BRANCH }} since_tag: "${{ env.PREVIOUS_VERSION }}" output: "release_changelog.md" - exclude_labels: "duplicate,question,invalid,wontfix,dependency_updates,skip_changelog" + exclude_labels: "duplicate,question,invalid,wontfix,dependency_updates,CI,skip_changelog" - name: Append changelog to release body run: | @@ -82,7 +87,7 @@ jobs: cat release_changelog.md >> release_body.md gh api /repos/${{ github.repository }}/releases/${{ github.event.release.id }} -X PATCH -F body='@release_body.md' env: - GITHUB_TOKEN: ${{ secrets.RELEASE_PAT_BOT }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install docs dependencies run: | @@ -104,7 +109,7 @@ jobs: done - name: Upload docs artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v4 with: path: ./doc/build/html @@ -113,6 +118,13 @@ jobs: pip install -U build python -m build + - name: Publish package to Test PyPI first + uses: pypa/gh-action-pypi-publish@release/v1 + with: + user: __token__ + password: ${{ secrets.TEST_PYPI_PASSWORD }} + repository-url: https://test.pypi.org/legacy/ + - name: Publish package to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: @@ -132,4 +144,4 @@ jobs: steps: - name: Deploy docs - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v4
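Review bot: The new Test PyPI step authenticates with a long-lived API token (`user: __token__` plus `secrets.TEST_PYPI_PASSWORD`), where `pypa/gh-action-pypi-publish` supports Trusted Publishing through OIDC, which needs no stored secret. That would mean adding `id-token: write` to the job's `permissions` block and dropping `user`/`password` once the publisher is registered on Test PyPI; the PyPI step below, whose inputs are outside the hunk, could follow. Since Test PyPI rejects a file name that was already uploaded, a re-run of the job would stop here before reaching PyPI; `skip-existing: true` on this step avoids that.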