diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..5ace4600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9ab66a5e..7b97bde5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -5,11 +5,9 @@ on:
   pull_request:
     branches: [ "main" ]
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+# Default token permissions; the Pages job requests its write permissions explicitly.
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: deploy-${{ github.event_name }}-${{ github.ref }}
@@ -31,7 +29,7 @@ jobs:
         echo "JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64/" >> $GITHUB_ENV
         # dpkg-query -L  openjdk-17-jdk-headless
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
         fetch-tags: true
@@ -169,7 +167,7 @@ jobs:
         find "$BUILD_DIR" -type f -iname "*.apk" ! -name "android-build-*.apk" -exec cp {} "$INSTALL_DIR" \;
 
     - name: Create artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: files_${{ matrix.qtarch }}
         path: ${{ github.workspace }}/install/
@@ -208,7 +206,7 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y build-essential ninja-build
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
         fetch-tags: true
@@ -216,7 +214,7 @@ jobs:
     - name: Load CI versions
       run: cat .github/ci-versions.env >> "$GITHUB_ENV"
 
-    - uses: mymindstorm/setup-emsdk@v13
+    - uses: mymindstorm/setup-emsdk@v15
       with:
         version: ${{ env.WEBASSEMBLY_VERSION }}
 
@@ -245,7 +243,7 @@ jobs:
       
     - name: Cache Qt WebAssembly build
       id: qt-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: qt_wasm_lite
         key: ${{ matrix.config }}_qt-${{ env.QT_VERSION }}_emcc-${{ env.WEBASSEMBLY_VERSION }}
@@ -303,7 +301,7 @@ jobs:
       run: cmake --build $BUILD_DIR --target install
 
     - name: Create artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: files_${{ matrix.config}}
         path: ${{ github.workspace }}/install/
@@ -314,6 +312,10 @@ jobs:
     needs:
     - build-android
     - build-wasm
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
@@ -321,17 +323,20 @@ jobs:
     
     steps:
     - name: Install dependencies
-      run: sudo apt-get install -y lftp
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y lftp
       
     - name: Clone repository (only for version number)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
         fetch-tags: true
     
     - name: Download artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
+        pattern: files_*
         path: ${{github.workspace}}/downloaded
     
     - name: Move into place
@@ -369,12 +374,12 @@ jobs:
         FOLDER: github_page
     
     - name: Create Pages artifact
-      uses: actions/upload-pages-artifact@v3
+      uses: actions/upload-pages-artifact@v4
       with:
         path: ${{github.workspace}}/github_page
     
     - name: Setup Pages
-      uses: actions/configure-pages@v4
+      uses: actions/configure-pages@v5
 
     - name: Deploy to GitHub Pages
       id: deployment
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 619c3b1a..af9fe8a0 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -9,6 +9,9 @@ on:
 concurrency:
   group: linux-${{ github.event_name }}-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
   
 jobs:
   build:
@@ -16,7 +19,7 @@ jobs:
       fail-fast: false
       matrix:
         compiler: [gcc12, clang17, clang19]
-        build_type: [Release]
+        build_type: [Debug]
         include:
           - compiler: gcc12
             CC: "/usr/bin/gcc-12"
@@ -31,7 +34,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
       with:
         submodules: 'true'
 
@@ -89,7 +92,6 @@ jobs:
         -DALP_ENABLE_ASSERTS=ON
         -DALP_ENABLE_ADDRESS_SANITIZER=ON
         -DALP_ENABLE_APP_SHUTDOWN_AFTER_60S=ON
-        -DCMAKE_BUILD_TYPE=Debug
         -DALP_USE_LLVM_LINKER=ON
         -B ./build
 
diff --git a/.github/workflows/play-store.yml b/.github/workflows/play-store.yml
index 16645e86..33f8f1b2 100644
--- a/.github/workflows/play-store.yml
+++ b/.github/workflows/play-store.yml
@@ -9,6 +9,9 @@ concurrency:
   group: play-store-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check_release_tag:
     if: github.repository == 'AlpineMapsOrg/renderer'
@@ -19,7 +22,7 @@ jobs:
 
     steps:
     - name: Clone repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
         fetch-tags: true
@@ -53,7 +56,7 @@ jobs:
         sudo apt-get install -y build-essential ninja-build openjdk-17-jdk
         echo "JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64/" >> $GITHUB_ENV
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
         fetch-tags: true
@@ -165,7 +168,7 @@ jobs:
         find "$PLAY_STORE_DIR" -type f -iname "*.aab"
 
     - name: Create Play Store artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: play_store_aab
         path: ${{ github.workspace }}/play-store/
@@ -180,7 +183,7 @@ jobs:
 
     steps:
     - name: Download Play Store artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         pattern: play_store_aab
         path: ${{ github.workspace }}/play-store
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 8b654d3a..d4261bd8 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -9,6 +9,9 @@ on:
 concurrency:
   group: windows-${{ github.event_name }}-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
   
 jobs:
   build:
@@ -18,7 +21,7 @@ jobs:
             shell: 'powershell'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
       with:
         submodules: 'true'
 
@@ -26,14 +29,11 @@ jobs:
       run: |
         Get-Content .github/ci-versions.env | Add-Content $env:GITHUB_ENV
 
-    - name: Install ninja-build tool (must be after Qt due PATH changes)
-      uses: turtlesec-no/get-ninja@main
-
     - name: Make sure MSVC is found when Ninja generator is in use
       uses: ilammy/msvc-dev-cmd@v1
         
-    - name: Install 7zip
-      run: choco install 7zip.install
+    - name: Install tools
+      run: choco install 7zip.install ninja
       
     - name: Install Mesa
       shell: cmd
@@ -61,7 +61,7 @@ jobs:
         CMAKE_PREFIX_PATH: ${{env.QT_ROOT_DIR}}/lib/cmake
       run: >
         cmake -G Ninja
-        -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+        -DCMAKE_BUILD_TYPE=Debug
         -DALP_ENABLE_POSITIONING=false
         -DALP_ENABLE_ASSERTS=ON
         -B ./build