diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 00000000..7f93fe8e
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,29 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "enabledManagers": [
+    "bundler",
+    "github-actions",
+    "pre-commit",
+  ],
+  "extends": [
+    "config:recommended",
+    ":enablePreCommit",
+    "helpers:pinGitHubActionDigests",
+  ],
+  "automergeStrategy": "merge-commit",
+  "vulnerabilityAlerts": {
+    "enabled": true,
+  },
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "github-actions minor/patch",
+    },
+    {
+      "matchManagers": ["pre-commit"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "pre-commit hook minor/patch",
+    },
+  ],
+}
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index cd8abb5b..8c7ba7b5 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -8,5 +8,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: wagoid/commitlint-github-action@v5
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # yamllint disable-line rule:comments rule:line-length
+      - uses: wagoid/commitlint-github-action@9763196e10f27aef304c9b8b660d31d97fce0f99 # v5.5.1
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..18f44f0b
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,156 @@
+---
+name: Test & release
+
+'on':
+  - pull_request
+  - push
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # yamllint disable-line rule:line-length
+  cancel-in-progress: ${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}
+
+jobs:
+  should-run:
+    name: Prep / Should run
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      should-run: ${{ steps.action.outputs.should-run }}
+    steps:
+      - id: action
+        uses:
+          # yamllint disable-line rule:comments rule:line-length
+          techneg-it/should-workflow-run@dcbb88600d59ec2842778ef1e2d41f680f876329 # v1.0.0
+  gtp:
+    name: Prep / Get platforms
+    needs:
+      - should-run
+    if: fromJSON(needs.should-run.outputs.should-run)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      test-platforms: ${{ steps.get-test-platforms.outputs.test-platforms }}
+    steps:
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - id: get-test-platforms
+        run: |
+          PLATFORMS=$(
+            yq '[keys | .[] | select(test("^default-(deb|ubu)"))]' \
+              -o=json -I=0 .gitlab-ci.yml
+          )
+          OUTPUT="test-platforms=$PLATFORMS"
+          echo "Setting '$OUTPUT'"
+          echo "$OUTPUT" >> $GITHUB_OUTPUT
+  pre-commit:
+    name: Lint / `pre-commit`
+    needs: should-run
+    if: fromJSON(needs.should-run.outputs.should-run)
+    container: techneg/ci-pre-commit:v2.3.3
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Export `CI_CACHE_ID` from container
+        run: echo "CI_CACHE_ID=$(cat /.ci_cache_id)" >> $GITHUB_ENV
+      # yamllint disable-line rule:comments
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.cache/pre-commit
+          key: "${{ env.CI_CACHE_ID }}|\
+                ${{ hashFiles('.pre-commit-config.yaml') }}"
+      - name: Run `pre-commit`
+        run: |
+          git config --global --add safe.directory $(pwd)
+          pre-commit run --all-files --color always --verbose
+  test:
+    name: Test / Kitchen
+    needs:
+      - gtp
+      - pre-commit
+      - should-run
+    if: fromJSON(needs.should-run.outputs.should-run)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJSON(needs.gtp.outputs.test-platforms) }}
+    steps:
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # yamllint disable-line rule:comments
+      - uses: ruby/setup-ruby@2a18b06812b0e15bb916e1df298d3e740422c47e # v1.203.0
+        with:
+          bundler-cache: true
+          ruby-version: 3.1.2
+      - run: |
+          bin/kitchen test ${{ matrix.platform }}
+  test-conversion:
+    name: Test / Conversion
+    needs:
+      - pre-commit
+      - should-run
+    if: fromJSON(needs.should-run.outputs.should-run)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Convert the formula
+        run: |
+         export CONVERTED=test-the-use_this_template-button
+         git config user.email "test@example.com"
+         git config user.name "Test Name"
+         # Run the conversion script with debug output
+         DEBUG=true bin/convert-formula.sh "${CONVERTED}"
+         [ $(git rev-list HEAD --count) -eq 2 ]
+         # Quick visual check that correct files have been updated
+         git show --pretty="" --name-status
+         echo Done!
+      # yamllint disable-line rule:comments
+      - uses: ruby/setup-ruby@2a18b06812b0e15bb916e1df298d3e740422c47e # v1.203.0
+        with:
+          bundler-cache: true
+          ruby-version: 3.1.2
+      - name: Test / Kitchen
+        run: |
+         bin/kitchen list
+         bin/kitchen test default-debian-11-master-py3
+  results:
+    name: Release / Collect results
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      checks: read
+    runs-on: ubuntu-latest
+    steps:
+      # yamllint disable-line rule:comments rule:line-length
+      - uses: poseidon/wait-for-status-checks@899c768d191b56eef585c18f8558da19e1f3e707 # v0.6.0
+        with:
+          ignore: Release / Collect results
+          token: ${{ secrets.GITHUB_TOKEN }}
+      # yamllint disable-line rule:comments
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # yamllint disable-line rule:comments rule:line-length
+      - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
+        with:
+          branches: '"ma(in|ster)"'
+          dry-run: true
+          plugins: |
+            [
+              [
+                "@semantic-release/commit-analyzer",
+                {
+                  "releaseRules": "./release-rules.js"
+                }
+              ],
+              "@semantic-release/release-notes-generator",
+              "@semantic-release/github"
+            ]
+          repository-url: ${{ github.repository }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 39752a7a..6faf912c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,9 @@ __pycache__/
 # C extensions
 *.so
 
+# CI/CD Tooling
+.gitlab-ci-local/
+
 # Distribution / packaging
 .Python
 env/
@@ -45,7 +48,7 @@ nosetests.xml
 coverage.xml
 *.cover
 .hypothesis/
-.kitchen
+.kitchen/
 .kitchen.local.yml
 kitchen.local.yml
 junit-*.xml
@@ -110,12 +113,18 @@ ENV/
 # Bundler
 .bundle/
 
+# Node.js/npm
+node_modules/
+
 # copied `.md` files used for conversion to `.rst` using `m2r`
 docs/*.md
 
 # Vim
 *.sw?
 
+# Salt package files (SPM)
+*.spm
+
 ## Collected when centralising formulas (check and sort)
 # `collectd-formula`
 .pytest_cache/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 01e4346d..ab7fac18 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -15,7 +15,8 @@ ci:
   autoupdate_schedule: quarterly
   skip: []
   submodules: false
-default_stages: [commit]
+default_install_hook_types: [commit-msg, pre-commit]
+default_stages: [pre-commit]
 repos:
   - repo: https://github.com/dafyddj/commitlint-pre-commit-hook
     rev: v2.3.0
@@ -25,8 +26,26 @@ repos:
         description: Lint commit message against @commitlint/config-conventional rules
         stages: [commit-msg]
         additional_dependencies: ['@commitlint/config-conventional@17.1.0']
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-added-large-files
+        name: Check for added large files
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.30.0
+    hooks:
+      - id: check-github-workflows
+        name: Check GitHub workflows with check-jsonschema
+        args: [--verbose]
+      - id: check-gitlab-ci
+        name: Check Gitlab CI config with check-jsonschema
+        args: [--verbose]
+      - id: check-renovate
+        name: Check Renovate config with check-jsonschema
+        additional_dependencies: [json5==0.9.14]
+        args: [--verbose]
   - repo: https://github.com/rubocop-hq/rubocop
-    rev: v1.57.0
+    rev: v1.69.1
     hooks:
       - id: rubocop
         name: Check Ruby files with rubocop
@@ -39,7 +58,7 @@ repos:
         files: ^.*\.(sh|bash|ksh)$
         types: []
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.32.0
+    rev: v1.35.1
     hooks:
       - id: yamllint
         name: Check YAML syntax with yamllint
@@ -53,6 +72,7 @@ repos:
         # 1. SLS files under directory `test/` which are state files
         # 2. `kitchen.vagrant.yml`, which contains Embedded Ruby (ERB) template syntax
         # 3. YAML files heavily reliant on Jinja
+        # 4. `.copier-answers.yml` and related files which are auto-generated
         files: |
           (?x)^(
                 .*\.yaml|
@@ -64,6 +84,7 @@ repos:
           )$
         exclude: |
           (?x)^(
+                \.copier-answers(\..+)?\.ya?ml|
                 kitchen.vagrant.yml|
                 test/.*/states/.*\.sls
           )$
@@ -74,14 +95,14 @@ repos:
         name: Check Salt files using salt-lint
         files: ^.*\.(sls|jinja|j2|tmpl|tst)$
   - repo: https://github.com/myint/rstcheck
-    rev: v6.2.0
+    rev: v6.2.4
     hooks:
       - id: rstcheck
         name: Check reST files using rstcheck
-        exclude: 'docs/CHANGELOG.rst'
+        exclude: docs/CHANGELOG.rst
         additional_dependencies: [sphinx==7.2.6]
   - repo: https://github.com/saltstack-formulas/mirrors-rst-lint
-    rev: v1.3.2
+    rev: v1.4.0
     hooks:
       - id: rst-lint
         name: Check reST files using rst-lint
diff --git a/Gemfile.lock b/Gemfile.lock
index be16d6ee..29220c1d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -455,7 +455,7 @@ GEM
     mutex_m (0.1.2)
     net-scp (4.0.0)
       net-ssh (>= 2.6.5, < 8.0.0)
-    net-ssh (7.2.0)
+    net-ssh (7.3.0)
     net-ssh-gateway (2.0.0)
       net-ssh (>= 4.0.0)
     nokogiri (1.15.4)
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 00000000..a3dc9557
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,40 @@
+{
+  "forkProcessing": "enabled",
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "enabledManagers": [
+    "bundler",
+    "github-actions",
+    "pre-commit"
+  ],
+  "extends": [
+    "config:recommended",
+    ":enablePreCommit",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "automergeStrategy": "merge-commit",
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+  "packageRules": [
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "groupName": "github-actions minor/patch"
+    },
+    {
+      "matchManagers": [
+        "pre-commit"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "groupName": "pre-commit hook minor/patch"
+    }
+  ]
+}