diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..1c2fa0fe
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    labels:
+      - "dependencies"
+    # Run every Monday
+    schedule:
+      interval: "weekly"
+      timezone: "Europe/Zurich"
+    # Group PRs to avoid having to rebase/merge too many
+    groups:
+      dependabot:
+        patterns:
+          - "*"
+    # Only care about our direct dependencies
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      # Filter out semver patches updates to reduce the frequency of updates
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8503d53a..66c38db1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,9 +22,9 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
-          python-version: "3.10"
+          python-version: "3.12"
       - run: ./setup.sh
       - run: ./run_desktop_tests.sh
diff --git a/.github/workflows/reproducible.yml b/.github/workflows/reproducible.yml
index fbb4adc0..8bcb3f35 100644
--- a/.github/workflows/reproducible.yml
+++ b/.github/workflows/reproducible.yml
@@ -13,14 +13,14 @@ jobs:
       fail-fast: false
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: "true"
       - name: Install Rust toolchain
         run: rustup show
-      - uses: actions/setup-python@v1
+      - uses: actions/setup-python@v5
         with:
-          python-version: "3.10"
+          python-version: "3.12"
       - name: Set up OpenSK
         run: ./setup.sh
 
diff --git a/deploy.py b/deploy.py
index 6dc21ca0..3138c36d 100755
--- a/deploy.py
+++ b/deploy.py
@@ -418,8 +418,11 @@ def _build_app_or_example(self, is_example: bool):
     env["APP_HEAP_SIZE"] = str(APP_HEAP_SIZE)
 
     command = [
-        "cargo", "build", "--release", f"--target={props.arch}",
-        f"--features={','.join(self.args.features)}"
+        "cargo",
+        "build",
+        "--release",
+        f"--target={props.arch}",
+        f"--features={','.join(self.args.features)}"  # pylint: disable=W1405
     ]
     if is_example:
       command.extend(["--example", self.args.application])
@@ -439,7 +442,10 @@ def _check_invariants(self):
     features = ["std"]
     features.extend(self.args.features)
     self.checked_command_output([
-        "cargo", "test", f"--features={','.join(features)}", "--lib",
+        "cargo",
+        "test",
+        f"--features={','.join(features)}",  # pylint: disable=W1405
+        "--lib",
         "customization"
     ])
 
diff --git a/tools/configure.py b/tools/configure.py
index cfc0cb85..8bbbca5b 100755
--- a/tools/configure.py
+++ b/tools/configure.py
@@ -154,7 +154,9 @@ def main(args):
       )
       status = {"cert": result[1], "pkey": result[2]}
       responses.append(status)
+      # pylint: disable-next=W1405
       info(f"Certificate: {'Present' if result[1] else 'Missing'}")
+      # pylint: disable-next=W1405
       info(f"Private Key: {'Present' if result[2] else 'Missing'}")
       if args.lock:
         info("Device is now locked down!")