diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..92c44a8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..8e9248e
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,17 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  actionlint:
+    uses: smallstep/workflows/.github/workflows/actionlint.yml@main
+    secrets: inherit
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index f8f201d..4b24de6 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -21,19 +21,20 @@ jobs:
           DOCKER_PLATFORMS=linux/amd64,linux/386,linux/arm,linux/arm64
           VERSION=latest
           if [[ $GITHUB_REF == refs/tags/* ]]; then
-            VERSION=${GITHUB_REF#refs/tags/v}
+            VERSION="${GITHUB_REF#refs/tags/v}"
           fi
           TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
           if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
             TAGS="$TAGS --tag ${DOCKER_IMAGE}:latest"
           fi
-          echo "docker_image=${DOCKER_IMAGE}" >> ${GITHUB_OUTPUT}
-          echo "version=${VERSION}" >> ${GITHUB_OUTPUT}
+          # shellcheck disable=SC2129
+          echo "docker_image=${DOCKER_IMAGE}" >> "${GITHUB_OUTPUT}"
+          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
           echo "buildx_args=--platform ${DOCKER_PLATFORMS} \
             --build-arg VERSION=${VERSION} \
             --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
             --build-arg VCS_REF=${GITHUB_SHA::8} \
-            ${TAGS} --file docker/step-ca-bootstrap/Dockerfile docker/step-ca-bootstrap/" >> ${GITHUB_OUTPUT}
+            ${TAGS} --file docker/step-ca-bootstrap/Dockerfile docker/step-ca-bootstrap/" >> "${GITHUB_OUTPUT}"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx