diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index eb13796..f42f44b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,10 +7,6 @@ updates:
       interval: "daily"
     cooldown:
       default-days: 14
-    ignore:
-      # https://github.com/softprops/action-gh-release/issues/556
-      - dependency-name: "softprops/action-gh-release"
-        versions: ["2.2.0"]
     commit-message:
       prefix: "🦄 "
       include: scope
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index b3fd049..95d2873 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -2,9 +2,9 @@ name: CD
 
 on:
   workflow_dispatch:
-  release:
-    types:
-      - published
+  push:
+    tags:
+      - "v*"
   schedule:
     - cron: "0 0 * * 1"
 
@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: 3.12
+          python-version: 3.13
 
       - name: Build source distribution
         run: pipx run build --sdist --outdir dist/
@@ -432,7 +432,7 @@ jobs:
       contents: write # Required to upload signed artifacts to a GitHub release
       attestations: write # Required to generate build provenance attestations
     runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
+    if: startsWith(github.ref, 'refs/tags/')
 
     steps:
       - name: Download all artifacts
@@ -442,7 +442,6 @@ jobs:
           merge-multiple: true
 
       - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        if: github.event_name == 'release' && github.event.action == 'published'
         with:
           # Comment this line out to publish to PyPI
           # repository-url: https://test.pypi.org/legacy/
@@ -462,12 +461,14 @@ jobs:
             upload/*.whl
             upload/*.tar.gz
 
-      - name: Publish to GitHub Releases
-        # Wait for https://github.com/softprops/action-gh-release/issues/556 to be resolved
-        # before bumping to v2.2.0.
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
-        if: github.event_name == 'release' && github.event.action == 'published'
-        with:
-          # This will contain not only the wheel and sdist, but also the signature files
-          # generated by the Sigstore action
-          files: upload/*
+      - name: Create GitHub Release and upload artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Create a draft release and upload all artifacts (wheels, sdist, and
+          # Sigstore signatures), then publish — the release becomes immutable
+          # once it is no longer a draft
+          gh release create "${GITHUB_REF_NAME}" upload/* \
+            --draft \
+            --generate-notes
+          gh release edit "${GITHUB_REF_NAME}" --draft=false
diff --git a/.github/workflows/update-hugo.yml b/.github/workflows/update-hugo.yml
index f18a352..1fad65a 100644
--- a/.github/workflows/update-hugo.yml
+++ b/.github/workflows/update-hugo.yml
@@ -79,13 +79,19 @@ jobs:
 
       - name: Create pull request
         if: steps.check-hugo-release.outputs.updated == 'true'
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          branch: update-hugo-v${{ steps.check-hugo-release.outputs.latest_version }}
-          commit-message: "Update Hugo to v${{ steps.check-hugo-release.outputs.latest_version }}"
-          title: "Update Hugo to v${{ steps.check-hugo-release.outputs.latest_version }}"
-          body-path: /tmp/pr-body.md
-          committer: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
-          author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
-          reviewers: |
-            agriyakhetarpal
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LATEST_VERSION: ${{ steps.check-hugo-release.outputs.latest_version }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/$GITHUB_REPOSITORY"
+          git checkout -b "update-hugo-v${LATEST_VERSION}"
+          git add setup.py src/hugo/cli.py hugo
+          git commit -m "Update Hugo to v${LATEST_VERSION}"
+          git push origin "update-hugo-v${LATEST_VERSION}"
+          gh pr create \
+            --title "Update Hugo to v${LATEST_VERSION}" \
+            --body-file /tmp/pr-body.md \
+            --reviewer agriyakhetarpal
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1ebea9d..7100dce 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -18,7 +18,7 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: "v0.15.4"
+    rev: "v0.15.8"
     hooks:
       - id: ruff
         args: ["--fix", "--show-fixes"]
@@ -32,7 +32,7 @@ repos:
       - id: pyupgrade
 
   - repo: https://github.com/codespell-project/codespell
-    rev: "v2.4.1"
+    rev: "v2.4.2"
     hooks:
       - id: codespell
         args: ["--skip=CODE_OF_CONDUCT.md"]
@@ -45,7 +45,7 @@ repos:
         args: [--prose-wrap=preserve]
 
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: "v1.22.0"
+    rev: "v1.23.1"
     hooks:
       - id: zizmor
         args: ["--pedantic"]