diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 445a100f..b1d76b5e 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -14,13 +14,17 @@ on: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: bandit-analysis: name: Run Bandit runs-on: ubuntu-latest permissions: contents: read - security-events: write + security-events: write # allow uploading code scanning results steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 985d25e1..949352f1 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -3,6 +3,10 @@ name: Lint permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + on: push: tags-ignore: @@ -22,6 +26,7 @@ on: jobs: lint: + name: Run Static Analysis runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 38b3e046..a6f8236e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,7 @@ name: Publish Release -permissions: read-all +permissions: + contents: read concurrency: # stop previous release runs if tag is recreated @@ -16,14 +17,12 @@ jobs: lint: permissions: contents: read - actions: write uses: ./.github/workflows/lint.yml test: permissions: contents: read - actions: write - id-token: write + id-token: write # to allow codecov oidc upload uses: ./.github/workflows/test.yml build: @@ -31,7 +30,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write outputs: PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }} RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }} 
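Review bot: The `concurrency` group added at the top of lint.yml is built from `github.workflow`, but release.yml calls this file as a reusable workflow (`uses: ./.github/workflows/lint.yml`), and in a called workflow the `github` context belongs to the caller. During a release, the lint and test calls (test.yml gets the identical block later in this commit) would therefore resolve to the same group, `Publish Release-<tag ref>`, and with `cancel-in-progress: true` one can cancel the other. The group may also collide with release.yml's own concurrency group, whose definition lies outside the visible hunk. A per-file literal in the group avoids this, for example `group: lint-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` here and a `test-` prefix in test.yml.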
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 31409b39..13921f17 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -9,7 +9,12 @@ on: branches: [ main ] workflow_dispatch: -permissions: read-all +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: analysis: @@ -19,8 +24,9 @@ jobs: name: scorecard deployment: false # Prevents creating a GitHub deployment object permissions: - security-events: write - id-token: write + contents: read + security-events: write # allow uploading code scanning results + id-token: write # to allow OIDC authentication for publishing results to OpenSSF REST API steps: - name: "Checkout code" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 95d1915c..ff515660 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,6 +3,10 @@ name: Test permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + on: push: tags-ignore: @@ -41,13 +45,12 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write # Service containers to run with `container-job` strategy: fail-fast: false matrix: python-version: ['3.10', '3.11', '3.12', '3.13', '3.14'] - postgres-version: ['12', '14', 'latest'] + postgres-version: ['12', '14@sha256:bbb8851608e3ff4901156bf6a4bf90735a9d44ae014c03811bfdb2f9c354b18b', 'latest'] psycopg-version: ['psycopg2', 'psycopg3'] django-version: - 'dj42' # LTS April 2026 @@ -173,7 +176,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write env: RDBMS: sqlite COVERAGE_FILE: linux-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage @@ -247,7 +249,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write strategy: fail-fast: false matrix: 
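Review bot: In the test.yml postgres matrix only `'14'` gains a digest, so `'12'` and `'latest'` still resolve to whatever the registry serves at run time and the image pinning is only partial. The pinned entry also turns the matrix value into `14@sha256:…`; if the postgres job derives `COVERAGE_FILE` or an artifact name from `matrix.postgres-version`, as the mariadb job visibly does with `matrix.mariadb-version`, the `:` would land in a file or artifact name, which artifact upload rejects. Keeping the version label and the image reference in separate matrix keys (an `include:` entry carrying the digest) would avoid that, and a comment such as `# postgres:14 pinned by digest; refresh manually when the tag moves` would tell maintainers the pin will not update itself. The job body continues outside the hunk, so how the value is consumed should be confirmed there.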
@@ -361,7 +362,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write env: RDBMS: mariadb COVERAGE_FILE: linux-py${{ matrix.python-version }}-${{ matrix.django-version }}-${{ matrix.mysqlclient-version }}-mariadb${{ matrix.mariadb-version }}.coverage @@ -485,7 +485,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write env: RDBMS: oracle TEST_PYTHON_VERSION: ${{ matrix.python-version }} @@ -620,7 +619,6 @@ jobs: runs-on: windows-latest permissions: contents: read - actions: write env: RDBMS: sqlite COVERAGE_FILE: windows-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage @@ -691,7 +689,6 @@ jobs: runs-on: macos-latest permissions: contents: read - actions: write env: RDBMS: sqlite COVERAGE_FILE: macos-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage @@ -762,11 +759,12 @@ jobs: coverage-combine: + name: Combine Coverage and Upload to Codecov needs: [postgres, sqlite, mysql, mariadb, oracle, windows, macos] runs-on: ubuntu-latest permissions: contents: read - id-token: write + id-token: write # for codecov oidc authentication steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: diff --git a/.github/workflows/update_coc.yml b/.github/workflows/update_coc.yml index 97a9ed95..13d8c30e 100644 --- a/.github/workflows/update_coc.yml +++ b/.github/workflows/update_coc.yml @@ -1,6 +1,11 @@ name: Update Code of Conduct -permissions: read-all +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true on: workflow_dispatch: @@ -11,10 +16,10 @@ on: jobs: update_code_of_conduct: + name: Update Code of Conduct permissions: - contents: write - issues: write - pull-requests: write + contents: write # allow updating the CODE_OF_CONDUCT.md file + pull-requests: write # needed for CoC PR runs-on: ubuntu-latest 
@@ -43,12 +48,23 @@ jobs: # Create a pull request to merge the changes into the main branch - name: Create Pull Request if: steps.check_changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - branch: bot-update-coc - add-paths: | - CODE_OF_CONDUCT.md - title: "🤖 Update Code of Conduct 🤖" - body: "Update the Code of Conduct with the latest version from the django-commons repository." - commit-message: "Update CODE_OF_CONDUCT.md from django-commons" + env: + GH_TOKEN: ${{ github.token }} + BRANCH: update-coc + REF_NAME: ${{ github.ref_name }} + GH_ACTOR: ${{ github.actor }} + GH_ACTOR_ID: ${{ github.actor_id }} + run: | + git config user.name "$GH_ACTOR" + git config user.email "$GH_ACTOR_ID+$GH_ACTOR@users.noreply.github.com" + + git checkout -B "$BRANCH" + git add CODE_OF_CONDUCT.md + git commit -m "Update Code of Conduct" + git push --force-with-lease origin "$BRANCH" + + gh pr view "$BRANCH" >/dev/null 2>&1 || gh pr create \ + --base "$REF_NAME" \ + --head "$BRANCH" \ + --title "Update Code of Conduct" \ + --body "Automated update." diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index b183863d..ad80fcab 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,13 +14,17 @@ on: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: zizmor-analysis: name: Run Zizmor runs-on: ubuntu-latest permissions: contents: read - security-events: write + security-events: write # allow uploading code scanning results steps: - name: Checkout repository diff --git a/uv.lock b/uv.lock index b6a51ad5..61459aeb 100644 --- a/uv.lock +++ b/uv.lock 
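Review bot: The `gh pr view "$BRANCH" … || gh pr create` guard at the end of the new `run:` script will, as far as I know, also succeed when the only pull request for `update-coc` is already merged or closed, so after the first merge later updates are pushed but no new PR is opened. Checking open PRs only is more reliable, e.g. `[ -n "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')" ] || gh pr create …`. Separately, `git push --force-with-lease` has no remote-tracking ref for `update-coc` unless the checkout step (outside the hunk) fetches it, so git will likely reject the push whenever the branch already exists on the remote. The commit is also authored as `github.actor`, which attributes an automated change to whoever triggered the run; a bot identity would keep the audit trail clearer.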
@@ -1324,14 +1324,14 @@ wheels = [ [[package]] name = "jedi" -version = "0.19.2" +version = "0.20.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "parso" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/72/3a/79a912fbd4d8dd6fbb02bf69afd3bb72cf0c729bb3063c6f4498603db17a/jedi-0.19.2.tar.gz", hash = "sha256:4770dc3de41bde3966b02eb84fbcf557fb33cce26ad23da12c742fb50ecb11f0", size = 1231287, upload-time = "2024-11-11T01:41:42.873Z" } +sdist = { url = "https://files.pythonhosted.org/packages/46/b7/a3635f6a2d7cf5b5dd98064fc1d5fbbafcb25477bcea204a3a92145d158b/jedi-0.20.0.tar.gz", hash = "sha256:c3f4ccbd276696f4b19c54618d4fb18f9fc24b0aef02acf704b23f487daa1011", size = 3119416, upload-time = "2026-05-01T23:38:47.814Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/c0/5a/9cac0c82afec3d09ccd97c8b6502d48f165f9124db81b4bcb90b4af974ee/jedi-0.19.2-py2.py3-none-any.whl", hash = "sha256:a8ef22bde8490f57fe5c7681a3c83cb58874daf72b4784de3cce5b6ef6edb5b9", size = 1572278, upload-time = "2024-11-11T01:41:40.175Z" }, + { url = "https://files.pythonhosted.org/packages/9a/93/242e2eab5fe682ffcb8b0084bde703a41d51e17ee0f3a31ff0d9d813620a/jedi-0.20.0-py2.py3-none-any.whl", hash = "sha256:7bdd9c2634f56713299976f4cbd59cb3fa92165cc5e05ea811fb253480728b67", size = 4884812, upload-time = "2026-05-01T23:38:43.919Z" }, ] [[package]] 
@@ -1762,11 +1762,11 @@ wheels = [ [[package]] name = "parso" -version = "0.8.6" +version = "0.8.7" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/81/76/a1e769043c0c0c9fe391b702539d594731a4362334cdf4dc25d0c09761e7/parso-0.8.6.tar.gz", hash = "sha256:2b9a0332696df97d454fa67b81618fd69c35a7b90327cbe6ba5c92d2c68a7bfd", size = 401621, upload-time = "2026-02-09T15:45:24.425Z" } +sdist = { url = "https://files.pythonhosted.org/packages/30/4b/90c937815137d43ce71ba043cd3566221e9df6b9c805f24b5d138c9d40a7/parso-0.8.7.tar.gz", hash = "sha256:eaaac4c9fdd5e9e8852dc778d2d7405897ec510f2a298071453e5e3a07914bb1", size = 401824, upload-time = "2026-05-01T23:13:02.138Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/b6/61/fae042894f4296ec49e3f193aff5d7c18440da9e48102c3315e1bc4519a7/parso-0.8.6-py2.py3-none-any.whl", hash = "sha256:2c549f800b70a5c4952197248825584cb00f033b29c692671d3bf08bf380baff", size = 106894, upload-time = "2026-02-09T15:45:21.391Z" }, + { url = "https://files.pythonhosted.org/packages/99/5d/8268b644392ee874ee82a635cd0df1773de230bde356c38de28e298392cc/parso-0.8.7-py2.py3-none-any.whl", hash = "sha256:a8926eb2a1b915486941fdbd31e86a4baf88fe8c210f25f2f35ecec5b574ca1c", size = 107025, upload-time = "2026-05-01T23:12:58.867Z" }, ] [[package]] 
@@ -1906,15 +1906,15 @@ wheels = [ [[package]] name = "psycopg" -version = "3.3.3" +version = "3.3.4" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "typing-extensions", marker = "python_full_version < '3.13' or (extra == 'group-18-django-polymorphic-cx-oracle' and extra == 'group-18-django-polymorphic-oracledb') or (extra == 'group-18-django-polymorphic-dj42' and extra == 'group-18-django-polymorphic-dj52') or (extra == 'group-18-django-polymorphic-dj42' and extra == 'group-18-django-polymorphic-dj60') or (extra == 'group-18-django-polymorphic-dj52' and extra == 'group-18-django-polymorphic-dj60') or (extra == 'group-18-django-polymorphic-mysqlclient14' and extra == 'group-18-django-polymorphic-mysqlclient2x')" }, { name = "tzdata", marker = "sys_platform == 'win32' or (extra == 'group-18-django-polymorphic-cx-oracle' and extra == 'group-18-django-polymorphic-oracledb') or (extra == 'group-18-django-polymorphic-dj42' and extra == 'group-18-django-polymorphic-dj52') or (extra == 'group-18-django-polymorphic-dj42' and extra == 'group-18-django-polymorphic-dj60') or (extra == 'group-18-django-polymorphic-dj52' and extra == 'group-18-django-polymorphic-dj60') or (extra == 'group-18-django-polymorphic-mysqlclient14' and extra == 'group-18-django-polymorphic-mysqlclient2x')" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d3/b6/379d0a960f8f435ec78720462fd94c4863e7a31237cf81bf76d0af5883bf/psycopg-3.3.3.tar.gz", hash = "sha256:5e9a47458b3c1583326513b2556a2a9473a1001a56c9efe9e587245b43148dd9", size = 165624, upload-time = "2026-02-18T16:52:16.546Z" } +sdist = { url = "https://files.pythonhosted.org/packages/db/2f/cb91e5502ec9de1de6f1b76cfbf69531932725361168bb06963620c77e2e/psycopg-3.3.4.tar.gz", hash = "sha256:e21207764952cff81b6b8bdacad9a3939f2793367fdac2987b3aac36a651b5bc", size = 165799, upload-time = "2026-05-01T23:31:55.179Z" } wheels = [ - { url = 
"https://files.pythonhosted.org/packages/c8/5b/181e2e3becb7672b502f0ed7f16ed7352aca7c109cfb94cf3878a9186db9/psycopg-3.3.3-py3-none-any.whl", hash = "sha256:f96525a72bcfade6584ab17e89de415ff360748c766f0106959144dcbb38c698", size = 212768, upload-time = "2026-02-18T16:46:27.365Z" }, + { url = "https://files.pythonhosted.org/packages/5c/e0/7b3dee031daae7743609ce3c746565d4a3ed7c2c186479eb48e34e838c64/psycopg-3.3.4-py3-none-any.whl", hash = "sha256:b6bbc25ccf05c8fad3b061d9db2ef0909a555171b84b07f29458a447253d679a", size = 213001, upload-time = "2026-05-01T23:20:50.816Z" }, ] [[package]]