diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..807baca
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Dependencies listed in .github/workflows/*.yml
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index abe7367..06acafb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
       - main
       - release-*
   pull_request:
+  schedule:
+    # Runs at 00:00 UTC every Monday
+    - cron: '0 0 * * 1'
 permissions:
   contents: read
 
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 4517406..1cbff63 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,6 +7,9 @@ on:
       - main
       - release-*
   pull_request:
+  schedule:
+    # Runs at 00:00 UTC every Monday
+    - cron: '0 0 * * 1'
 env:
   GO_VERSION: 1.24
 permissions:
@@ -75,11 +78,17 @@ jobs:
         go-version: "${{ env.GO_VERSION }}"
     - run: go mod tidy --diff
 
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: golang/govulncheck-action@v1
+
   all-done:
     needs:
       - codespell
       - deps
       - go-fix
+      - govulncheck
       - lint
       - space-at-eol
     runs-on: ubuntu-24.04