diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8b0675e7df0..22cc717a5b2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,5 +10,7 @@ updates:
           - "*"
     labels:
       - no-changelog-entry-needed
+    commit-message:
+      prefix: "[dependabot]"
     cooldown:
       default-days: 7
diff --git a/.github/release.yaml b/.github/release.yaml
index 386ce981916..3613b9eedad 100644
--- a/.github/release.yaml
+++ b/.github/release.yaml
@@ -4,3 +4,5 @@ changelog:
       - dependabot
       - pre-commit-ci
       - github-actions
+      - mne-bot
+      - mne[bot]
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 68720eaaa34..9210505c87c 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -1,17 +1,17 @@
 name: Bot auto-merge
-on: pull_request  # yamllint disable-line rule:truthy
+on: pull_request_target  # yamllint disable-line rule:truthy
+
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
   autobot:
-    permissions:
-      contents: write
-      pull-requests: write
     runs-on: ubuntu-latest
-    # Names can be found with gh api /repos/mne-tools/mne-python/pulls/12998 -q .user.login for example
-    if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.user.login == 'github-actions[bot]') && github.repository == 'mne-tools/mne-python'
+    if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'pre-commit-ci[bot]') && github.repository == 'mne-tools/mne-python'
     steps:
       - name: Enable auto-merge for bot PRs
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GH_TOKEN: ${{secrets.MNE_BOT_TOKEN}}
diff --git a/.github/workflows/autopush.yml b/.github/workflows/autopush.yml
new file mode 100644
index 00000000000..6f5296dc617
--- /dev/null
+++ b/.github/workflows/autopush.yml
@@ -0,0 +1,35 @@
+name: Bot auto-push
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - dependabot/**
+      - pre-commit-ci*
+
+jobs:
+  autobot:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: true
+          token: ${{ secrets.MNE_BOT_TOKEN }}
+          ssh-user: mne-bot
+          fetch-depth: 0
+      - name: Push a commit for bot PRs to run CircleCI
+        run: |
+          set -xeo pipefail
+          git config --global user.name "mne[bot]"
+          git config --global user.email "50266005+mne-bot@users.noreply.github.com"
+          COMMIT_MESSAGE=$(git show -s --format=%s)
+          # Detect dependabot and pre-commit.ci commit messages
+          if [[ "$COMMIT_MESSAGE" == '[dependabot]'* ]] || [[ "$COMMIT_MESSAGE" == '[pre-commit.ci]'* ]] ; then
+            echo "Pushed commit to run CircleCI for: $COMMIT_MESSAGE" | tee -a $GITHUB_STEP_SUMMARY
+            git commit --allow-empty -m "mne[bot] Push commit to run CircleCI"
+            git push
+          else
+            echo "No need to push a commit for: $COMMIT_MESSAGE" | tee -a $GITHUB_STEP_SUMMARY
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.MNE_BOT_TOKEN }}
diff --git a/.github/workflows/credit.yml b/.github/workflows/credit.yml
index 3ceb98a185d..5a8b1ee73da 100644
--- a/.github/workflows/credit.yml
+++ b/.github/workflows/credit.yml
@@ -14,8 +14,8 @@ jobs:
     name: Update
     runs-on: ubuntu-latest
     env:
-      GH_TOKEN: ${{ github.token }}
-      GITHUB_TOKEN: ${{ github.token }}
+      GH_TOKEN: ${{ secrets.MNE_BOT_TOKEN }}
+      GITHUB_TOKEN: ${{ secrets.MNE_BOT_TOKEN }}
     steps:
       - uses: actions/checkout@v5
         with:
@@ -35,11 +35,12 @@ jobs:
       - name: Create PR
         run: |
           set -xeo pipefail
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-          git checkout -b credit
-          git commit -am "MAINT: Update code credit"
-          git push origin credit
-          PR_NUM=$(gh pr create --base main --head credit --title "MAINT: Update code credit" --body "Created by credit [GitHub action](https://github.com/mne-tools/mne-python/actions/runs/${{ github.run_id }}). <br> <br> *Adjustments may need to be made to \`doc/changes/credit_tools.py\` or \`.mailmap\` etc. to get CircleCI to pass.*" --label "no-changelog-entry-needed")
+          git config --global user.email "50266005+mne-bot@users.noreply.github.com"
+          git config --global user.name "mne[bot]"
+          BRANCH=credit/$GITHUB_RUN_ID
+          git checkout -b $BRANCH
+          git commit -am "mne[bot]: Update code credit"
+          git push origin $BRANCH
+          PR_NUM=$(gh pr create --base main --head $BRANCH --title "MAINT: Update code credit" --body "Created by credit [GitHub action](https://github.com/mne-tools/mne-python/actions/runs/${{ github.run_id }}). <br> <br> *Adjustments may need to be made to \`doc/changes/credit_tools.py\` or \`.mailmap\` etc. to get CircleCI to pass.*" --label "no-changelog-entry-needed")
           echo "Opened https://github.com/mne-tools/mne-python/pull/${PR_NUM}" >> $GITHUB_STEP_SUMMARY
         if: steps.status.outputs.dirty == 'true'
diff --git a/.github/workflows/spec_zero.yml b/.github/workflows/spec_zero.yml
index 6a45f2876b6..272d7cf60a4 100644
--- a/.github/workflows/spec_zero.yml
+++ b/.github/workflows/spec_zero.yml
@@ -19,8 +19,8 @@ jobs:
     name: Update dependency versions
     runs-on: ubuntu-latest
     env:
-      GH_TOKEN: ${{ github.token }}
-      GITHUB_TOKEN: ${{ github.token }}
+      GH_TOKEN: ${{ secrets.MNE_BOT_TOKEN }}
+      GITHUB_TOKEN: ${{ secrets.MNE_BOT_TOKEN }}
     steps:
       - uses: actions/checkout@v5
         with:
@@ -52,10 +52,10 @@ jobs:
       - name: Create PR
         run: |
           set -xeo pipefail
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
+          git config --global user.email "50266005+mne-bot@users.noreply.github.com"
+          git config --global user.name "mne[bot]"
           git checkout -b spec_zero
-          git commit -am "MAINT: Update dependency specifiers"
+          git commit -am "mne[bot]: Update dependency specifiers"
           git push origin spec_zero
           PR_NUM=$(gh pr create --base main --head spec_zero --title "MAINT: Update dependency specifiers" --body "Created by spec_zero [GitHub action](https://github.com/mne-tools/mne-python/actions/runs/${{ github.run_id }}). <br> <br> *Adjustments may need to be made to shims in \`mne/fixes.py\` in this or another PR. \`git grep TODO VERSION\` is a good starting point for finding potential updates.*" --label "no-changelog-entry-needed")
           echo "Opened https://github.com/mne-tools/mne-python/pull/${PR_NUM}" >> $GITHUB_STEP_SUMMARY
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index df2c361ac93..4fd8cd1d048 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -86,6 +86,8 @@ repos:
     hooks:
       - id: zizmor
         args: [--fix]
+        # We correctly use pull_request_trigger, and need Zizmor 2.0+ to configure the ignore
+        exclude: ^.github/workflows/automerge.yml
 
 # these should *not* be run on CIs:
 ci: