diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index 767b084559..5cb16ba2e5 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -613,7 +613,6 @@ unicore
 universiti
 untaring
 uploadtest
-uploadtest.txt
 UPM
 upv
 uscms
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index 6c3dd8d187..9b9cfd4308 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -1,6 +1,3 @@
-# Expected "words" that aren't in the dictionary, one word per line.
-# Some arbitrary strings that are in test files that aren't really words.
-# They should be removed if the test are changed/removed.
 CVMFS
 diracsgm
 microk8s
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index d49509ce6b..79a299bde0 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -34,6 +34,29 @@ name: Check Spelling
 #
 #   For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
 
+# Sarif reporting
+#
+# Access to Sarif reports is generally restricted (by GitHub) to members of the repository.
+#
+# Requires enabling `security-events: write`
+# and configuring the action with `use_sarif: 1`
+#
+#   For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output
+
+# Minimal workflow structure:
+#
+# on:
+#   push:
+#     ...
+#   pull_request_target:
+#     ...
+# jobs:
+#   # you only want the spelling job, all others should be omitted
+#   spelling:
+#     # remove `security-events: write` and `use_sarif: 1`
+#     # remove `experimental_apply_changes_via_bot: 1`
+#     ... otherwise adjust the `with:` as you wish
+
 on:
   push:
     branches:
@@ -44,12 +67,12 @@ on:
     branches:
       - "**"
     types:
-      - 'opened'
-      - 'reopened'
-      - 'synchronize'
+      - "opened"
+      - "reopened"
+      - "synchronize"
   issue_comment:
     types:
-      - 'created'
+      - "created"
 
 jobs:
   spelling:
@@ -62,7 +85,9 @@ jobs:
     outputs:
       followup: ${{ steps.spelling.outputs.followup }}
     runs-on: ubuntu-latest
-    if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
+    if:
+      ${{ contains(github.event_name, 'pull_request') || github.event_name ==
+      'push' }}
     concurrency:
       group: spelling-${{ github.event.pull_request.number || github.ref }}
       # note: If you use only_check_changed_files, you do not want cancel-in-progress
@@ -72,7 +97,8 @@ jobs:
         id: spelling
         uses: check-spelling/check-spelling@main
         with:
-          suppress_push_for_open_pull_request: 1
+          suppress_push_for_open_pull_request:
+            ${{ github.actor != 'dependabot[bot]' && 1 }}
           checkout: true
           only_check_changed_files: 1
           check_file_names: 1
@@ -80,33 +106,12 @@ jobs:
           post_comment: 0
           use_magic_file: 1
           experimental_apply_changes_via_bot: 1
-          use_sarif: 0
-          extra_dictionary_limit: 10
-          extra_dictionaries:
-            cspell:aws/aws.txt
-            cspell:bash/bash-words.txt
-            cspell:cpp/src/cpp.txt
-            cspell:django/django.txt
-            cspell:elixir/elixir.txt
-            cspell:filetypes/filetypes.txt
-            cspell:fullstack/fullstack.txt
-            cspell:html/html.txt
-            cspell:java/java.txt
-            cspell:node/node.txt
-            cspell:npm/npm.txt
-            cspell:php/php.txt
-            cspell:powershell/powershell.txt
-            cspell:public-licenses/src/generated/public-licenses.txt
-            cspell:python/src/common/extra.txt
-            cspell:python/src/python/python-lib.txt
-            cspell:python/src/python/python.txt
-            cspell:r/src/r.txt
-            cspell:rust/rust.txt
-            cspell:scala/scala.txt
-            cspell:software-terms/src/software-terms.txt
-            cspell:sql/src/tsql.txt
-            cspell:typescript/typescript.txt
-            cspell:win32/src/win32.txt
+          use_sarif:
+            ${{ (!github.event.pull_request ||
+            (github.event.pull_request.head.repo.full_name ==
+            github.repository)) && 1 }}
+          extra_dictionary_limit: 20
+          extra_dictionaries: cspell:software-terms/dict/softwareTerms.txt
 
   comment-push:
     name: Report (Push)
@@ -115,10 +120,12 @@ jobs:
     needs: spelling
     permissions:
       contents: write
-    if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
+    if:
+      (success() || failure()) && needs.spelling.outputs.followup &&
+      github.event_name == 'push'
     steps:
       - name: comment
-        uses: check-spelling/check-spelling@prerelease
+        uses: check-spelling/check-spelling@main
         with:
           checkout: true
           spell_check_this: check-spelling/spell-check-this@prerelease
@@ -130,8 +137,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: spelling
     permissions:
+      contents: read
       pull-requests: write
-    if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
+    if:
+      (success() || failure()) && needs.spelling.outputs.followup &&
+      contains(github.event_name, 'pull_request')
     steps:
       - name: comment
         uses: check-spelling/check-spelling@main
@@ -148,11 +158,10 @@ jobs:
       pull-requests: write
       actions: read
     runs-on: ubuntu-latest
-    if: ${{
-        github.event_name == 'issue_comment' &&
-        github.event.issue.pull_request &&
-        contains(github.event.comment.body, '@check-spelling-bot apply')
-      }}
+    if:
+      ${{ github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request && contains(github.event.comment.body,
+      '@check-spelling-bot apply') }}
     concurrency:
       group: spelling-update-${{ github.event.issue.number }}
       cancel-in-progress: false