diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 99c4eda..079e42b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,7 +6,7 @@ updates:
   - package-ecosystem: "composer" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
-      interval: "daily"
+      interval: "weekly"
     # Add assignees
     assignees:
       - "GaryJones"
@@ -17,4 +17,40 @@ updates:
       include: "scope"
     # Specify labels for Composer pull requests
     labels:
-      - "maintenance"
+      - "dependencies"
+    # Bundle minor and patch updates into a single pull request.
+    groups:
+      composer-minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "GaryJones"
+    # Prefix all commit messages with "Actions"
+    # include a list of updated dependencies
+    commit-message:
+      prefix: "Actions"
+      include: "scope"
+    # Specify labels for GitHub Actions pull requests
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "GaryJones"
+    # Prefix all commit messages with "NPM"
+    # include a list of updated dependencies
+    commit-message:
+      prefix: "NPM"
+      include: "scope"
+    # Specify labels for npm pull requests
+    labels:
+      - "dependencies"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20f8d91..eca9b64 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,10 @@
 name: CI for Plugin Boilerplate
 
-on: [push]
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
 
 # Cancel any in-progress runs for the same branch when a new push lands.
 concurrency:
@@ -22,58 +26,68 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    timeout-minutes: 15
+
     permissions:
       contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           path: plugin-slug
           persist-credentials: false
 
       - name: Setup PHP 8.4
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
         with:
           php-version: '8.4'
           coverage: none
-          tools: composer:v2
+          tools: composer:v2, cs2pr
           extensions: mbstring # Just enough to keep phpunit happy when installing Composer dependencies.
 
       - name: Validate composer.json
-        run: composer validate --no-check-lock
+        run: composer validate --strict
 
       - name: Install Composer dependencies
         uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           working-directory: plugin-slug
-          composer-options: --prefer-dist --no-progress --no-suggest
+          composer-options: --prefer-dist --no-progress
 
-      # Needed as runs-on: system doesn't have xml-lint by default.
-      - name: Lint .phpcs.xml.dist
-        uses: ChristophWurst/xmllint-action@7c54ff113fc0f6d4588a15cb4dfe31b6ecca5212 # v1.2.1
-        with:
-          xml-file: ./plugin-slug/.phpcs.xml.dist
-          xml-schema-file: ./plugin-slug/vendor/squizlabs/php_codesniffer/phpcs.xsd
+      # The runner image does not ship xmllint, which bin/xml-lint uses to
+      # validate the XML configs against their schemas.
+      - name: Install xmllint
+        run: sudo apt-get install --yes --no-install-recommends libxml2-utils
 
-      # Needed as runs-on: system doesn't have xml-lint by default.
-      - name: Lint phpunit.xml.dist
-        uses: ChristophWurst/xmllint-action@7c54ff113fc0f6d4588a15cb4dfe31b6ecca5212 # v1.2.1
-        with:
-          xml-file: ./plugin-slug/phpunit.xml.dist
-          xml-schema-file: ./plugin-slug/vendor/phpunit/phpunit/phpunit.xsd
+      # php-parallel-lint and bin/xml-lint cover the PHP and XML files,
+      # so local runs and CI share one code path.
+      - name: Lint PHP and XML files
+        run: composer lint
 
-      - name: Lint PHP files
-        run: bin/php-lint
+      - name: Check composer.json normalisation
+        run: composer normalize --dry-run
 
+      # Pipe through cs2pr so sniff violations show as inline PR annotations.
       - name: Run PHPCS
-        run: composer cs
+        run: vendor/bin/phpcs -q --report=checkstyle | cs2pr
+
+      - name: Run Rector (dry run)
+        run: composer rector
+
+      - name: Run PHPStan
+        run: composer phpstan
+
+      - name: Audit dependencies
+        run: composer audit
 
   test:
     name: WP ${{ matrix.wordpress }} on PHP ${{ matrix.php }}
 
     runs-on: ubuntu-latest
 
+    timeout-minutes: 30
+
     permissions:
       contents: read
 
@@ -84,13 +98,13 @@ jobs:
           # Lowest supported PHP with lowest supported WordPress.
           - php: '8.4'
             wordpress: '6.9'
-          # Latest supported PHP with the latest WordPress.
+          # Latest supported PHP with latest supported WordPress.
           - php: '8.5'
-            wordpress: 'master'
+            wordpress: '7.0'
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           path: plugin-slug
           persist-credentials: false
@@ -109,10 +123,10 @@ jobs:
             ${{ runner.os }}-npm-wp-env-
 
       - name: Install wp-env
-        run: npm install -g @wordpress/env
+        run: npm install -g @wordpress/env@11.8.0
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -126,7 +140,7 @@ jobs:
         uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           working-directory: plugin-slug
-          composer-options: --prefer-dist --no-progress --no-suggest
+          composer-options: --prefer-dist --no-progress
 
       - name: Setup Problem Matchers for PHPUnit
         env:
@@ -134,11 +148,13 @@ jobs:
         run: echo "::add-matcher::${RUNNER_TOOL_CACHE}/phpunit.json"
 
       - name: Run unit tests
-        run: composer unit
+        run: composer test:unit
 
+      # Mutation testing is slow; one leg on the latest PHP is enough,
+      # and infection.json.dist gates on minimum MSI so failures are real.
       - name: Run infection tests
+        if: matrix.php == '8.5'
         run: composer infection
-        continue-on-error: true
 
       - name: Start wp-env
         run: wp-env start
@@ -147,4 +163,7 @@ jobs:
           WP_ENV_PHP_VERSION: ${{ matrix.php }}
 
       - name: Run integration tests
-        run: composer integration
+        run: composer test:integration
+
+      - name: Run multisite integration tests
+        run: composer test:integration-ms
diff --git a/bin/php-lint b/bin/php-lint
deleted file mode 100755
index 9649d28..0000000
--- a/bin/php-lint
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-#
-# Temporary shim for the pre-refresh CI workflow, which calls bin/php-lint
-# directly. PHP syntax linting now lives in `composer lint` via
-# php-parallel-lint; the CI refresh removes this file when it switches the
-# workflow to the new entry points.
-
-set -euo pipefail
-
-exec vendor/bin/parallel-lint . --exclude vendor --exclude node_modules
diff --git a/composer.json b/composer.json
index f5a94ef..2fdf410 100644
--- a/composer.json
+++ b/composer.json
@@ -71,7 +71,6 @@
 		"cs": "@php ./vendor/bin/phpcs",
 		"cs-fix": "@php ./vendor/bin/phpcbf",
 		"infection": "./vendor/bin/infection --no-progress --threads=max --show-mutations",
-		"integration": "@test:integration",
 		"lint": [
 			"@php ./vendor/bin/parallel-lint . --exclude vendor --exclude node_modules",
 			"bin/xml-lint"
@@ -95,15 +94,13 @@
 		],
 		"test:integration": "bin/wp-env-phpunit --testsuite integration",
 		"test:integration-ms": "bin/wp-env-phpunit --multisite --testsuite integration",
-		"test:unit": "@php ./vendor/bin/phpunit --testsuite unit",
-		"unit": "@test:unit"
+		"test:unit": "@php ./vendor/bin/phpunit --testsuite unit"
 	},
 	"scripts-descriptions": {
 		"coverage": "Run the unit tests and generate an HTML coverage report in .phpunit.cache/coverage-html.",
 		"cs": "Check coding standards with PHP_CodeSniffer.",
 		"cs-fix": "Fix automatically fixable coding standards violations with PHP Code Beautifier and Fixer.",
 		"infection": "Run mutation testing with Infection.",
-		"integration": "Deprecated alias for test:integration, kept until CI moves to the new script names.",
 		"lint": "Check PHP files for syntax errors and XML config files against their schemas.",
 		"phpstan": "Run static analysis with PHPStan.",
 		"rector": "Preview automated refactorings with Rector (dry run).",
@@ -112,7 +109,6 @@
 		"test-full": "Run every check: lint, coding standards, Rector, unit, mutation, and integration tests.",
 		"test:integration": "Run the integration tests inside the wp-env tests container.",
 		"test:integration-ms": "Run the integration tests against WordPress multisite inside the wp-env tests container.",
-		"test:unit": "Run the unit tests.",
-		"unit": "Deprecated alias for test:unit, kept until CI moves to the new script names."
+		"test:unit": "Run the unit tests."
 	}
 }