diff --git a/.github/PklProject b/.github/PklProject
index 92d136964..07a11b8bb 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -2,9 +2,9 @@ amends "pkl:Project"
 
 dependencies {
   ["pkl.impl.ghactions"] {
-    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0"
+    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.6.0"
   }
   ["gha"] {
-    uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.2.0"
+    uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.4.0"
   }
 }
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
index 457d181d0..0a621f20f 100644
--- a/.github/PklProject.deps.json
+++ b/.github/PklProject.deps.json
@@ -3,16 +3,16 @@
   "resolvedDependencies": {
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.1",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.4.0",
       "checksums": {
-        "sha256": "fd515da685ea126678c3ec684e84a4f992d43481cc1d75cb866cd55775f675f9"
+        "sha256": "e0b9a9f71071d6101e9d764c069b2ec4a597d5315cb6e4c265b3f0d90c2b482c"
       }
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.6.0",
       "checksums": {
-        "sha256": "2c1e0d9efcd65b3c3207bf535c325ebc0ec2ab169187b324c4bb70821cac0e51"
+        "sha256": "fbc3c456ea468a0fe6baa9b3d30167259ac04e721a41a10fe82d2970026f0b1d"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
@@ -24,16 +24,16 @@
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.3",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.0",
       "checksums": {
-        "sha256": "d368900942efb88ed51a98f9614748b06c74ba43423f045fcd6dedb5dbdc0bea"
+        "sha256": "025fac778f2c5f75c8229fa4ec0f49ebdb99a61affe9aae489fefd8fccd92faa"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.1",
       "checksums": {
-        "sha256": "02ef6f25bfca5b1d095db73ea15de79d2d2c6832ebcab61e6aba90554382abcb"
+        "sha256": "0a4fe9b0983716ec49fb060b9e5e83f8c365eb899d517123b43134416a9574b6"
       }
     }
   }
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 73242dbcd..acca6fcb1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,8 @@
 version: 2
 updates:
 - package-ecosystem: github-actions
+  cooldown:
+    default-days: 7
   directory: /
   ignore:
   - dependency-name: '*'
diff --git a/.github/index.pkl b/.github/index.pkl
index 787cc9666..a7082dc00 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -22,6 +22,8 @@ testReports {
   excludeJobs {
     "bench"
     "github-release"
+    "dependency-submission"
+    "dependency-review"
     Regex("deploy-.*")
   }
 }
@@ -40,11 +42,15 @@ local gradleCheckWindows = (baseGradleCheck) {
   os = "windows"
 }
 
-local typealias PklJobs = Mapping<String, PklJob>
+local typealias PklJobs = Mapping<String, PklJob | *Workflow.Job>
 
 local toWorkflowJobs: (PklJobs) -> Workflow.Jobs = (it) -> new Workflow.Jobs {
   for (k, v in it) {
-    [k] = v.job
+    when (v is PklJob) {
+      [k] = v.job
+    } else {
+      [k] = v
+    }
   }
 }
 
@@ -173,6 +179,22 @@ main {
       ) {
         needs = buildAndTestJobs.keys.toListing()
       }
+      ["dependency-submission"] {
+        `runs-on` = "ubuntu-latest"
+        permissions {
+          contents = "write"
+        }
+        steps {
+          module.catalog.`actions/checkout@v6`
+          (module.catalog.`actions/setup-java@v5`) {
+            with {
+              `java-version` = "25"
+              distribution = "temurin"
+            }
+          }
+          module.catalog.`gradle/actions/dependency-submission@v6`
+        }
+      }
     } |> toWorkflowJobs
 }
 
diff --git a/.github/jobs/BuildNativeJob.pkl b/.github/jobs/BuildNativeJob.pkl
index 7ec44c77c..7413992f7 100644
--- a/.github/jobs/BuildNativeJob.pkl
+++ b/.github/jobs/BuildNativeJob.pkl
@@ -23,7 +23,8 @@ preSteps {
   when (os == "linux" && !musl) {
     new {
       name = "Install deps"
-      run = "dnf install -y git binutils gcc glibc-devel zlib-devel libstdc++-static glibc-langpack-en"
+      run =
+        "dnf install -y git binutils gcc glibc-devel zlib-devel libstdc++-static glibc-langpack-en"
     }
   }
 }
diff --git a/.github/workflows/__lockfile__.yml b/.github/workflows/__lockfile__.yml
index 4f137becc..885e3b51a 100644
--- a/.github/workflows/__lockfile__.yml
+++ b/.github/workflows/__lockfile__.yml
@@ -30,5 +30,7 @@ jobs:
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
     - name: dawidd6/action-download-artifact@v11
       uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+    - name: gradle/actions/dependency-submission@v6
+      uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
     - name: gradle/actions/setup-gradle@v5
       uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f90d76e0f..044bef1a5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -831,6 +831,20 @@ jobs:
         ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPEPASSWORD }}
         ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPEUSERNAME }}
       run: ./gradlew --info --stacktrace --no-daemon -DpklMultiJdkTesting=true --no-parallel publishToSonatype
+  dependency-submission:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      with:
+        java-version: '25'
+        distribution: temurin
+    - uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+      with: {}
   publish-test-results:
     if: '!cancelled()'
     needs:
@@ -891,6 +905,7 @@ jobs:
     - pkl-doc-alpine-linux-amd64-snapshot
     - pkl-doc-windows-amd64-snapshot
     - deploy-snapshot
+    - dependency-submission
     - publish-test-results
     runs-on: ubuntu-latest
     steps: