diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 87dbac45..379d08fb 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,24 +1,9 @@
 version: 2
 updates:
- - package-ecosystem: "pip"
- directory: "/"
- insecure-external-code-execution: allow
- schedule:
- interval: "daily"
- open-pull-requests-limit: 100
- labels:
- - "maintenance"
- - "dependencies"
- groups:
- pip:
- patterns:
- - "*"
- commit-message:
- prefix: "chore"
 - package-ecosystem: "github-actions"
- directory: "/"
+ directory: "examples/pure-hatch/.github/workflows"
 schedule:
- interval: "daily"
+ interval: "weekly"
 open-pull-requests-limit: 100
 labels:
 - "maintenance"
diff --git a/examples/pure-hatch/.github/workflows/release.yml b/examples/pure-hatch/.github/workflows/release.yml
new file mode 100644
index 00000000..89f02600
--- /dev/null
+++ b/examples/pure-hatch/.github/workflows/release.yml
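Review bot: In `.github/dependabot.yml` the only `github-actions` entry visible in the hunk is repointed from `"/"` to `"examples/pure-hatch/.github/workflows"`, so unless another entry follows outside the hunk, the repository's own `.github/workflows` stops receiving action updates and any SHA pins there will go stale. Keeping the `directory: "/"` entry and adding a second `github-actions` entry for the example would cover both sets of workflows. The new value also lacks the leading slash that Dependabot's documented examples use for paths relative to the repository root; `directory: "/examples/pure-hatch/.github/workflows"` is the safer spelling. The `labels` list of this entry continues past the end of the hunk.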
@@ -0,0 +1,46 @@
+name: Release
+
+on:
+ release:
+ types:
+ - published
+
+permissions: {} # no permissions to the token at global level
+
+jobs:
+ build_package:
+ name: Build the package
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # this job only needs read access
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - name: Set up Hatch
+ uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+ - name: Build artifacts
+ run: hatch build
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ path: dist/
+ name: dist.zip
+ if-no-files-found: error
+ retention-days: 1
+
+ publish_release_to_pypi:
+ name: Publish release to PyPI
+ needs: [build_package]
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url:
+ permissions:
+ contents: read # this job needs read access
+ id-token: write # but also needs to be able to write the publishing token
+ steps:
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ with:
+ name: dist.zip
+ path: dist/
+ - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
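Review bot: `environment.url:` in `publish_release_to_pypi` has no value as shown here, so it parses as null; either give it the project page, for example `url: https://pypi.org/p/<project-name>`, or drop the key. The `pypa/hatch@257e27e5…` step is also the only `uses:` line without a trailing version comment, so a reviewer cannot tell which ref the SHA was taken from; add one in the same style as the others, e.g. `# <tag or branch this SHA corresponds to>`. Since this job holds `id-token: write`, a short comment on `environment: name: pypi` noting that it must match the environment configured for the PyPI trusted publisher, and that protection rules on that environment gate who can publish, would help people copying this example.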