diff --git a/commitlint.config.js b/.github/commitlint.config.js similarity index 100% rename from commitlint.config.js rename to .github/commitlint.config.js diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index de791be7..040c007d 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -4,11 +4,23 @@ updates: directory: / schedule: interval: weekly + groups: + github-actions: + patterns: + - "*" - package-ecosystem: docker directory: / schedule: interval: daily + groups: + docker: + patterns: + - "*" - package-ecosystem: gomod directory: / schedule: interval: daily + groups: + gomod: + patterns: + - "*" diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index ec064fe5..7e850104 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -18,16 +18,8 @@ jobs: uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Auto-merge Dependabot PRs - # don't auto-merge action updates to appease OpenSSF scorecard - if: ${{ ! contains(steps.metadata.outputs.package-ecosystem, 'github-actions') }} + - name: Enable auto-merge for Dependabot PRs # these still need approval before merge run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - name: Auto-approve Github maintained actions - if: contains(steps.metadata.outputs.dependency-names, 'github/codeql-action') - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 54a4fe5c..ad483e4c 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
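Review bot: Each new `groups` entry uses `patterns: ["*"]` with no `update-types`, so one grouped PR will bundle major bumps together with minor/patch ones, and with the auto-merge workflow changed in this same commit the whole group lands at once as soon as checks pass. Restricting each group to `update-types:` / `- "minor"` / `- "patch"` keeps major updates in their own PR where they get individual review, which is the main reason to group in the first place. The first ecosystem's `package-ecosystem:` line and the file's `version` key sit above the hunk, so I can't confirm these are the only update blocks affected.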
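Review bot: The removed `if` was the only thing in this job keeping `gh pr merge --auto` off GitHub Actions version bumps; the replacement inline comment `# these still need approval before merge` records an assumption that branch protection requires a review, but nothing in the workflow enforces it, and if the default-branch ruleset does not require an approving review the merge fires as soon as status checks pass — exactly the Scorecard concern the old comment cited. I would make that dependency explicit, e.g. `# auto-merge only; the actual gate is branch protection (required review + checks) — do not relax those rules without revisiting this job`. With the `if` gone, `steps.metadata` outputs are no longer referenced anywhere in the hunk; if nothing else in the job reads them, the `fetch-metadata` step and the `GITHUB_TOKEN` handed to it can be dropped. The job header, its `permissions`, and any `github.actor == 'dependabot[bot]'` guard are above the hunk, so I can't confirm from here that the job is still restricted to Dependabot-authored PRs.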
@@ -16,16 +16,19 @@ jobs: go-version: stable - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 with: - args: --timeout=180s + args: --timeout=180s --enable gocritic lint-commits: permissions: contents: read + pull-requests: read runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe # v5.4.5 + with: + configFile: .github/commitlint.config.js lint-actions: permissions: contents: read
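Review bot: `--enable gocritic` is passed as a CLI `args` on the golangci-lint-action step, so a developer running `golangci-lint run` locally gets a different linter set than CI; the conventional place is `.golangci.yml` (`linters:` / `  enable:` / `    - gocritic`), which both CI and local runs honour, leaving `args` for `--timeout` only. The new `pull-requests: read` on `lint-commits` is presumably what commitlint-github-action needs to list the PR's commits — a short `# commitlint-github-action reads the PR's commit list` next to it would record why the job's permissions were widened. The `configFile: .github/commitlint.config.js` path matches the rename in this commit.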