diff --git a/.github/.keep b/.github/.keep
new file mode 100644
index 0000000..368cc6e
--- /dev/null
+++ b/.github/.keep
@@ -0,0 +1 @@
+# keep
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6d6549a..d424910 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,11 @@
 version: 2
 updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule: { interval: "weekly" }
+ labels: ["deps","github-actions"]
 - package-ecosystem: "pip"
 directory: "/"
 schedule: { interval: "weekly" }
+ labels: ["deps","python"]
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
new file mode 100644
index 0000000..d5f8880
--- /dev/null
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -0,0 +1,23 @@
+name: auto-merge-dependabot
+on:
+ pull_request:
+ types: [opened, synchronize, ready_for_review, labeled]
+permissions:
+ contents: write
+ pull-requests: write
+jobs:
+ automerge:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Fetch metadata
+ id: meta
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Enable auto-merge (squash) for non-major
+ if: steps.meta.outputs.update-type != 'version-update:semver-major'
+ uses: peter-evans/enable-pull-request-automerge@v3
+ with:
+ pull-request-number: ${{ github.event.pull_request.number }}
+ merge-method: squash
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
new file mode 100644
index 0000000..388da4b
--- /dev/null
+++ b/.github/workflows/nightly.yml
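Review bot: The job gate `if: github.actor == 'dependabot[bot]'` in auto-merge-dependabot.yml checks who triggered the run, not who authored the pull request, while the workflow grants `contents: write` and `pull-requests: write`. Gate on the PR author instead, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, and move the two write permissions from the workflow level onto the `automerge` job. Both actions are referenced by mutable tags (`dependabot/fetch-metadata@v2`, `peter-evans/enable-pull-request-automerge@v3`) in a job that holds a write-scoped token, so pin them to full commit SHAs; the `github-actions` ecosystem added to dependabot.yml in this same diff can keep such pins current. Auto-merge only waits for checks that branch protection marks as required, and this diff does not show that configuration. Confirm required status checks exist on the target branch, otherwise non-major updates, including action updates, merge without review or a passing test run.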
@@ -0,0 +1,21 @@
+name: nightly
+on:
+ schedule:
+ - cron: '0 3 * * *'
+ workflow_dispatch:
+permissions: { contents: read }
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with: { python-version: '3.12' }
+ - run: python -m pip install -U pip
+ - run: pip install poetry
+ - run: poetry install --no-interaction
+ - run: poetry run ruff check .
+ - run: poetry run black --check .
+ - env: { PYTHONPATH: src }
+ run: poetry run pytest -q
+ - run: poetry run mypy src
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 9f728d7..3cc74cb 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -1,21 +1,18 @@
 name: publish-pypi
 on:
- workflow_dispatch: {} # Solo manual (seguro)
-
+ release:
+ types: [published]
 permissions:
 contents: read
- id-token: write # OIDC (sin token)
-
+ id-token: write
 jobs:
- pypi:
- environment: pypi # coincide con PyPI (opcional, recomendado)
+ publish:
+ environment: pypi
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-python@v5
 with: { python-version: '3.12' }
 - run: python -m pip install -U pip build
- - run: python -m build # genera dist/*
+ - run: python -m build
 - uses: pypa/gh-action-pypi-publish@release/v1
- with:
- packages-dir: dist/ # OIDC -> no password
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
new file mode 100644
index 0000000..70e3fe0
--- /dev/null
+++ b/.github/workflows/semantic-release.yml
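Review bot: `pip install poetry` in nightly.yml resolves to whatever Poetry release is current each night, so an unreviewed upstream release runs in CI and a red nightly can come from the tool rather than the code. Pin it, for example `pip install "poetry==X.Y.Z"` (X.Y.Z is a placeholder for the version the project develops against). The read-only `permissions: { contents: read }` line is the right default for this job and deserves a one-line comment saying it is intentional, such as `# nightly only reads the repo; keep the token read-only`.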
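Review bot: The new `release: types: [published]` trigger in publish-pypi.yml may never fire for releases created by semantic-release.yml, because that workflow authenticates with `secrets.GITHUB_TOKEN` and GitHub does not start new workflow runs for events produced by that token (apart from `workflow_dispatch` and `repository_dispatch`). With `workflow_dispatch: {}` removed there is no manual fallback either; keeping it next to `release:` avoids introducing a long-lived personal access token just to chain the two workflows. Separately, `python -m pip install -U pip build` and `python -m build` run in the same job that holds `id-token: write`, so build-time code executes with the OIDC publishing credential in reach. Splitting build and publish into two jobs, as sketched below, confines that permission to the upload step. `pypa/gh-action-pypi-publish@release/v1` is a branch ref and can be pinned to a commit SHA.

```yaml
on:
  release:
    types: [published]
  workflow_dispatch: {}
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-python, pip install build, python -m build …
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  publish:
    needs: build
    environment: pypi
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # only the upload job can mint the PyPI OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```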
@@ -0,0 +1,22 @@
+name: semantic-release
+on:
+ push:
+ branches: [main]
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with: { fetch-depth: 0 }
+ - uses: actions/setup-python@v5
+ with: { python-version: '3.12' }
+ - run: python -m pip install -U pip
+ - run: python -m pip install python-semantic-release==9.* build
+ - name: Run semantic-release (no PyPI upload)
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: semantic-release version && semantic-release publish
diff --git a/pyproject.toml b/pyproject.toml
index 5964e0a..940eb7d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -41,3 +41,15 @@ diff-risk-web = "diff_risk_dashboard.web:main"
 [build-system]
 requires = ["poetry-core>=1.8.0"]
 build-backend = "poetry.core.masonry.api"
+
+[tool.semantic_release]
+branch = "main"
+upload_to_repository = false
+changelog_file = "CHANGELOG.md"
+commit_parser = "angular"
+version_toml = [
+ "pyproject.toml:version",
+ "pyproject.toml:project.version",
+ "pyproject.toml:tool.poetry.version"
+]
+build_command = "python -m pip install -U build && python -m build"
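Review bot: The workflow-level `permissions` block in semantic-release.yml grants `pull-requests: write` and `id-token: write`, but no visible step uses the pull-request API or OIDC; the only step that authenticates is named "no PyPI upload" and passes just `GH_TOKEN`. Reduce the block to `contents: write`, preferably on the `release` job rather than the whole workflow. `python -m pip install python-semantic-release==9.* build` resolves both packages at run time and then executes them with a token that can push to `main`, so pin exact versions or install from a hash-checked requirements file.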
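Review bot: `branch`, `upload_to_repository` and `changelog_file` in the new `[tool.semantic_release]` table look like python-semantic-release v7 option names, while the release workflow installs `python-semantic-release==9.*`. As far as I know, v9 moved branch settings under `[tool.semantic_release.branches.<name>]` and no longer has PyPI upload options. Check these three keys against the v9 configuration reference; if they are ignored, the "no PyPI upload" intent and the `main`-only restriction rest on settings the tool does not read. `version_toml` lists three locations (`version`, `project.version`, `tool.poetry.version`); keep only the one this pyproject.toml actually defines, which is not visible in this hunk. `build_command` runs `pip install -U build` unpinned inside the job that holds `contents: write`, so the same pinning applies there.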