diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6056ed25cb..86074d69c6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,9 +1,5 @@
 version: 2
 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "weekly"
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
diff --git a/.github/workflows/go-latest-deps.yaml b/.github/workflows/go-latest-deps.yaml
new file mode 100644
index 0000000000..905a541a82
--- /dev/null
+++ b/.github/workflows/go-latest-deps.yaml
@@ -0,0 +1,35 @@
+# Test Go code against the latest version of all dependencies.
+# Catches upstream breakage early without forcing dependency churn on every PR.
+# Runs daily — failures are informational, not gating.
+# See https://words.filippo.io/dependabot for rationale.
+name: Go latest deps
+
+on:
+  schedule:
+    # Daily at 10:22 UTC
+    - cron: "22 10 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-latest-deps:
+    name: Test with latest deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      CGO_ENABLED: "1"
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - name: Update all dependencies to latest
+        run: go get -u -t ./...
+      - name: Tidy
+        run: go mod tidy
+      - name: Run tests
+        run: go test -short -timeout 1200s -parallel 5 ./...
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 0000000000..b634408add
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
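Review bot: `uses: actions/checkout@v6` and `uses: actions/setup-go@v6` in go-latest-deps.yaml are pinned to mutable major tags, so a job whose purpose is to pull unpinned newest Go modules also executes whatever action code those tags resolve to on the day. Pinning both to a full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v6`, keeps the action code itself reproducible; the same applies to the two `uses:` lines in govulncheck.yaml. Since the dependabot.yml hunk drops the `gomod` ecosystem, it is worth confirming that a `github-actions` ecosystem entry remains (the hunk does not show the rest of the file) so that SHA pins are still refreshed. `go-version: stable` here differs from `go-version-file: go.mod` in govulncheck.yaml; if that is deliberate, because `go get -u -t ./...` can raise the `go` directive beyond what the committed go.mod declares, a comment such as `# stable rather than go.mod: go get -u may need a newer toolchain` on that line would stop a well-meant "fix".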
@@ -0,0 +1,29 @@
+# Symbol-level Go vulnerability scanning.
+# Replaces Dependabot security alerts for Go — only fires when your code
+# actually calls a vulnerable symbol, not just when a transitive dep has a CVE.
+# See https://words.filippo.io/dependabot for rationale.
+name: govulncheck
+
+on:
+  schedule:
+    # Daily at 10:22 UTC
+    - cron: "22 10 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: Run govulncheck
+        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
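Review bot: With only `schedule:` and `workflow_dispatch:` under `on:`, a pull request that introduces a call into a vulnerable symbol is not caught until the next 10:22 UTC run, and that run's result is only a red job in the Actions tab, since `permissions: contents: read` plus a plain `run:` step neither gates a branch nor publishes findings. Adding `pull_request:` and `push: branches: [<default-branch>]` under `on:` would run the check where the vulnerable call is introduced; this is the one workflow of the two where gating makes sense, given the header comment presents it as the replacement for Dependabot security alerts. If findings should appear in the repository's Security tab rather than the job log, govulncheck's `-format sarif` output can be uploaded with the SARIF upload action, which requires `security-events: write` alongside `contents: read`. The `@latest` on the `go run` line means the scanner version floats from run to run; that is the usual way to invoke it, so a one-line comment stating it is intentional would suffice.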