diff --git a/.github/renovate.json5 b/.github/renovate.json5
index eb15fa0792..48c139e204 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -16,7 +16,7 @@
   pep621: {
     // The default for this package manager is to only search for `pyproject.toml` files
     // found at the repository root: https://docs.renovatebot.com/modules/manager/pep621/#file-matching
-    fileMatch: ["^(python|scripts)/.*pyproject\\.toml$"],
+    managerFilePatterns: ["/^(python|scripts)/.*pyproject\\.toml$/"],
   },
   pip_requirements: {
     // The default for this package manager is to run on all requirements.txt files:
@@ -34,12 +34,32 @@
   npm: {
     // The default for this package manager is to only search for `package.json` files
     // found at the repository root: https://docs.renovatebot.com/modules/manager/npm/#file-matching
-    fileMatch: ["^playground/.*package\\.json$"],
+    managerFilePatterns: ["/^playground/.*package\\.json$/"],
   },
+  customManagers: [
+    {
+      customType: "regex",
+      managerFilePatterns: ["/^dist-workspace\\.toml$/"],
+      matchStrings: [
+        '"(?<depName>actions/[^"]+)" = "(?<currentDigest>[a-f0-9]{40})"\\s*#\\s*(?<currentValue>v[\\d\\.]+).*'
+      ],
+      datasourceTemplate: "github-tags",
+      autoReplaceStringTemplate: '"{{depName}}" = "{{newDigest}}" # {{newValue}}"',
+      extractVersionTemplate: "^(?<version>v[\\d\\.]+)$",
+      versioningTemplate: "semver"
+    }
+  ],
   "pre-commit": {
     enabled: true,
   },
   packageRules: [
+    // Ignore GitHub Actions in generated release.yml (managed by cargo-dist)
+    {
+      matchManagers: ["github-actions"],
+      matchFileNames: [".github/workflows/release.yml"],
+      enabled: false,
+      description: "Ignore GitHub Actions in release.yml as it's generated by cargo-dist",
+    },
     // Pin GitHub Actions to immutable SHAs.
     {
       matchDepTypes: ["action"],
@@ -106,6 +126,11 @@
       matchManagers: ["cargo"],
       matchPackageNames: ["strum"],
       description: "Weekly update of strum dependencies",
+    },
+    {
+      groupName: "cargo-dist GitHub Actions",
+      matchManagers: ["custom.regex"],
+      description: "Weekly update of GitHub Actions dependencies managed by cargo-dist",
     }
   ],
   vulnerabilityAlerts: {
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 641c83ac05..f1f9b88386 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -61,7 +61,7 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
           submodules: recursive
@@ -69,9 +69,9 @@ jobs:
         # we specify bash to get pipefail; it guards against the `curl` command
         # failing. otherwise `sh` won't catch that `curl` returned non-0
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/cargo-dist/releases/download/v0.28.5-prerelease.1/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/cargo-dist/releases/download/v0.28.5-prerelease.3/cargo-dist-installer.sh | sh"
       - name: Cache dist
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: cargo-dist-cache
           path: ~/.cargo/bin/dist
@@ -87,7 +87,7 @@ jobs:
           cat plan-dist-manifest.json
           echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
       - name: "Upload dist-manifest.json"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: artifacts-plan-dist-manifest
           path: plan-dist-manifest.json
@@ -124,19 +124,19 @@ jobs:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       BUILD_MANIFEST_NAME: target/distrib/global-dist-manifest.json
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
           submodules: recursive
       - name: Install cached dist
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           name: cargo-dist-cache
           path: ~/.cargo/bin/
       - run: chmod +x ~/.cargo/bin/dist
       # Get all the local artifacts for the global tasks to use (for e.g. checksums)
       - name: Fetch local artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           pattern: artifacts-*
           path: target/distrib/
@@ -154,7 +154,7 @@ jobs:
 
           cp dist-manifest.json "$BUILD_MANIFEST_NAME"
       - name: "Upload artifacts"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: artifacts-build-global
           path: |
@@ -175,19 +175,19 @@ jobs:
     outputs:
       val: ${{ steps.host.outputs.manifest }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
           submodules: recursive
       - name: Install cached dist
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           name: cargo-dist-cache
           path: ~/.cargo/bin/
       - run: chmod +x ~/.cargo/bin/dist
       # Fetch artifacts from scratch-storage
       - name: Fetch artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           pattern: artifacts-*
           path: target/distrib/
@@ -201,7 +201,7 @@ jobs:
           cat dist-manifest.json
           echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT"
       - name: "Upload dist-manifest.json"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           # Overwrite the previous copy
           name: artifacts-dist-manifest
@@ -251,13 +251,13 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
           submodules: recursive
       # Create a GitHub Release while uploading all files to it
       - name: "Download GitHub Artifacts"
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           pattern: artifacts-*
           path: artifacts
diff --git a/dist-workspace.toml b/dist-workspace.toml
index 1c2305b911..500f88f145 100644
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@@ -5,7 +5,7 @@ packages = ["ruff"]
 # Config for 'dist'
 [dist]
 # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
-cargo-dist-version = "0.28.5-prerelease.1"
+cargo-dist-version = "0.28.5-prerelease.3"
 # Whether to consider the binaries in a package for distribution (defaults true)
 dist = false
 # CI backends to support