diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..359235d249
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+  # Automatically keep GitHub Actions SHA-pinned to the latest commit SHAs.
+  # Dependabot will update both the SHA and the inline version comment (e.g. # v6)
+  # while leaving any extra documentation comments intact.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "ci"
+    groups:
+      actions:
+        patterns:
+          - "actions/*"
+      gradle-actions:
+        patterns:
+          - "gradle/*"
+      peter-evans:
+        patterns:
+          - "peter-evans/*"
+      usefulness:
+        patterns:
+          - "usefulness/*"
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 3a5afbddc3..3a0616cc6f 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -16,26 +16,30 @@ jobs:
     runs-on: ubuntu-latest-8-cores
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      # gh api repos/actions/checkout/commits/v6 --jq '.sha'
       with:
           submodules: true
 
     - name: set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      # gh api repos/actions/setup-java/commits/v5 --jq '.sha'
       with:
         distribution: temurin
         java-version: 17
         cache: gradle
 
     - name: Validate Gradle Wrapper
-      uses: gradle/actions/wrapper-validation@v5
+      uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+      # gh api repos/gradle/actions/commits/v6 --jq '.sha'
 
     - name: Build with Gradle
       run: ./gradlew qa
 
     - name: Archive reports for failed build
       if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+      # gh api repos/actions/upload-artifact/commits/v7 --jq '.sha'
       with:
         name: reports
         path: '*/build/reports'
diff --git a/.github/workflows/diffuse.yml b/.github/workflows/diffuse.yml
index 0764351107..3e8b05e22a 100644
--- a/.github/workflows/diffuse.yml
+++ b/.github/workflows/diffuse.yml
@@ -14,15 +14,17 @@ jobs:
   assemble-base:
     if: ${{ github.repository != 'signalapp/Signal-Android' }}
     runs-on: ubuntu-latest-8-cores
-    
+
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      # gh api repos/actions/checkout/commits/v6 --jq '.sha'
       with:
         submodules: true
         ref: ${{ github.event.pull_request.base.sha }}
 
     - name: set up JDK 17
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      # gh api repos/actions/setup-java/commits/v5 --jq '.sha'
       with:
         distribution: temurin
         java-version: 17
@@ -32,11 +34,13 @@ jobs:
       run: echo "y" | ${ANDROID_SDK_ROOT}/cmdline-tools/latest/bin/sdkmanager --install "ndk;${{ env.NDK_VERSION }}"
 
     - name: Validate Gradle Wrapper
-      uses: gradle/actions/wrapper-validation@v5
+      uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+      # gh api repos/gradle/actions/commits/v6 --jq '.sha'
 
     - name: Cache base apk
       id: cache-base
-      uses: actions/cache@v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      # gh api repos/actions/cache/commits/v5 --jq '.sha'
       with:
         path: diffuse-base.apk
         key: diffuse-${{ github.event.pull_request.base.sha }}
@@ -49,7 +53,8 @@ jobs:
       if: steps.cache-base.outputs.cache-hit != 'true'
       run: mv app/build/outputs/apk/playProd/release/*arm64*.apk diffuse-base.apk
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      # gh api repos/actions/checkout/commits/v6 --jq '.sha'
       with:
         submodules: true
         clean: 'false'
@@ -61,18 +66,21 @@ jobs:
       run: mv app/build/outputs/apk/playProd/release/*arm64*.apk diffuse-new.apk
 
     - id: diffuse
-      uses: usefulness/diffuse-action@v1
+      uses: usefulness/diffuse-action@41995fe8ff6be0a8847e63bdc5a4679c704b455c # v1
+      # gh api repos/usefulness/diffuse-action/commits/v1 --jq '.sha'
       with:
         old-file-path: diffuse-base.apk
         new-file-path: diffuse-new.apk
 
-    - uses: peter-evans/find-comment@v2
+    - uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
+      # gh api repos/peter-evans/find-comment/commits/v4 --jq '.sha'
       id: find-comment
       with:
         issue-number: ${{ github.event.pull_request.number }}
         body-includes: Diffuse output
 
-    - uses: peter-evans/create-or-update-comment@v3
+    - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
+      # gh api repos/peter-evans/create-or-update-comment/commits/v5 --jq '.sha'
       with:
         body: |
           Diffuse output:
@@ -83,7 +91,8 @@ jobs:
         issue-number: ${{ github.event.pull_request.number }}
         token: ${{ secrets.GITHUB_TOKEN }}
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+      # gh api repos/actions/upload-artifact/commits/v7 --jq '.sha'
       with:
         name: diffuse-output
         path: ${{ steps.diffuse.outputs.diff-file }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 7fceb466db..365a07f6d9 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,7 +11,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        # gh api repos/actions/checkout/commits/v6 --jq '.sha'
       - name: Build image
         run: |
           cd reproducible-builds
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 09cc747f24..74906a406d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -14,7 +14,8 @@ jobs:
       actions: write
 
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+        # gh api repos/actions/stale/commits/v10 --jq '.sha'
         with:
           days-before-stale: 60
           days-before-close: 7
diff --git a/README.md b/README.md
index 7c9871ea78..7f5dbe43cc 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Signal Android
 
-Signal is a simple, powerful, and secure messenger that uses your phone's data connection (WiFi/3G/4G/5G) to communicate securely.
+Signal is a simple, powerful, and secure messenger that uses your phone's data connection (WiFi/4G/5G) to communicate securely.
 
 Millions of people use Signal every day for free and instantaneous communication anywhere in the world. Send and receive high-fidelity messages, participate in HD voice/video calls, and explore a growing set of new features that help you stay connected.