diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f1860f6..d98ceef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,8 @@ concurrency:
 jobs:
 python:
+ permissions:
+ contents: read
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
index 0b48c2c..db5c208 100644
--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -50,17 +50,7 @@ jobs:
 # More info at https://megalinter.io/latest/flavors/
 uses: oxsecurity/megalinter@ec124f7998718d79379a3c5b39f5359952baf21d # v8
 env:
- # All available variables are described in documentation
- # https://megalinter.io/latest/configuration/
- APPLY_FIXES: all
- DISABLE_LINTERS: JSON_JSONLINT,SPELL_CSPELL
- DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM,REPOSITORY_KICS
- FAIL_IF_UPDATED_SOURCES: true
- GITHUB_STATUS_REPORTER: true
 GITHUB_TOKEN: ${{ github.token }}
- PYTHON_DEFAULT_STYLE: ruff
- SARIF_REPORTER: true
- VALIDATE_ALL_CODEBASE: false
 - if: ${{ success() || failure() }}
 uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 0000000..148387f
--- /dev/null
+++ b/.mega-linter.yml
@@ -0,0 +1,16 @@
+APPLY_FIXES: all
+DISABLE_LINTERS:
+ - JSON_JSONLINT
+ - PYTHON_ISORT
+ - PYTHON_PYLINT
+ - PYTHON_PYRIGHT
+ - SPELL_CSPELL
+DISABLE_ERRORS_LINTERS:
+ - COPYPASTE_JSCPD
+ - REPOSITORY_DEVSKIM
+ - REPOSITORY_KICS
+FAIL_IF_UPDATED_SOURCES: true
+GITHUB_STATUS_REPORTER: true
+PYTHON_DEFAULT_STYLE: ruff
+SARIF_REPORTER: true
+VALIDATE_ALL_CODEBASE: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7318b5c..30f0d9a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -61,7 +61,7 @@ repos:
 - id: detect-private-key
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.23.3
+ rev: v8.24.0
 hooks:
 - id: gitleaks
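Review bot: The added `permissions: contents: read` is scoped to the `python` job only, so any other job in ci.yml still runs with the repository's default token permissions unless a workflow-level `permissions:` block exists above line 19, which is outside this hunk. Placing the same block at the top level of the workflow (next to `concurrency:`, before `jobs:`) makes read-only the default for every job and lets a job widen only the scope it needs. If the python job later needs a write scope (cache, release, status checks), add it to that job rather than loosening the workflow default.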
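Review bot: The two comment lines pointing at https://megalinter.io/latest/configuration/ are deleted and nothing left in the step says where the linter settings now live, so the lone `GITHUB_TOKEN` under `env:` reads as the whole configuration. A one-line comment on the kept `env:` line keeps the trail, e.g. `# Linter settings live in .mega-linter.yml; variables set here override that file (MegaLinter precedence)`. The enclosing job, its `permissions:` and the rest of this step start outside the hunk, so whether the token scopes the status and SARIF reporters rely on are still granted cannot be checked from here.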
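Review bot: The new file widens what is switched off compared with the `env:` block it replaces in scans.yml, and says nothing about why: `PYTHON_ISORT`, `PYTHON_PYLINT` and `PYTHON_PYRIGHT` are newly disabled, `COPYPASTE_JSCPD` is newly non-blocking, and `REPOSITORY_DEVSKIM`/`REPOSITORY_KICS` stay in `DISABLE_ERRORS_LINTERS`, so findings from the two security scanners never fail the run. Add a header comment pointing at the configuration docs (the URL dropped from scans.yml), and above `DISABLE_ERRORS_LINTERS` a note such as `# Security scanner findings are reported via SARIF but do not fail the run; triage them in the uploaded report`. A short reason per newly disabled Python linter would also help — isort and pylint presumably overlap with ruff, but whether pyright's type checking is covered elsewhere is not visible in this diff.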
@@ -81,7 +81,7 @@ repos:
 - id: markdownlint
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.9.6
+ rev: v0.9.7
 hooks:
 - id: ruff
 types_or: [python, pyi, jupyter]
@@ -95,7 +95,7 @@ repos:
 - id: taplo-format
 - repo: https://github.com/astral-sh/uv-pre-commit
- rev: 0.6.1
+ rev: 0.6.2
 hooks:
 - id: uv-lock
diff --git a/.python-version b/.python-version
new file mode 100644
index 0000000..24ee5b1
--- /dev/null
+++ b/.python-version
@@ -0,0 +1 @@
+3.13
diff --git a/renovate.json b/renovate.json
index 96c11cf..08a96fd 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,10 +1,19 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["config:best-practices", "group:allNonMajor"],
+ "extends": [
+ "config:best-practices",
+ "security:openssf-scorecard",
+ "group:allNonMajor",
+ "group:allDigest",
+ ":automergeMinor",
+ ":automergeDigest"
+ ],
 "packageRules": [
 {
- "automerge": true,
- "matchUpdateTypes": ["minor", "patch", "pin", "digest"]
+ "automerge": false,
+ "groupName": "python",
+ "matchPackageNames": ["python"],
+ "matchUpdateTypes": ["minor"]
 }
 ]
 }
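Review bot: `:automergeDigest` together with `group:allDigest` means every SHA bump of the commit-pinned actions in `.github/workflows/*.yml` arrives in a single PR that merges on a green build with no human look, which gives up much of what SHA pinning is meant to provide against a tampered upstream action; consider a `packageRules` entry that keeps `"automerge": false` for digest updates of the `github-actions` manager, or at least documenting in the repo why a passing CI run is considered sufficient review. The removed rule also automerged `pin` updates, and neither `:automergeMinor` (which appears to cover minor and patch) nor `:automergeDigest` seems to cover that type, so pin PRs will now wait for review — confirm that is intended. The new rule disables automerge for `python` only for `minor`, and its `matchPackageNames` match depends on the manager that reads `.python-version` reporting the dependency under exactly that name; verify against Renovate's manager docs.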