diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5cc10f5ce..d7d1a7e52 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,14 +38,27 @@ jobs: CC_SECRET: ${{ secrets.CC_SECRET }} if: ${{ env.CC_SECRET != '' }} - release: + # Dependabot and PRs from forks should not release canaries, + # but secrets and env vars cannot be read in `job.if`, so we check if + # GH_TOKEN is present before attempting to release. + release_check: runs-on: ubuntu-latest needs: [build] + steps: + - run: echo "::set-output name=CAN_RELEASE::${{ env.CAN_RELEASE }}" + env: + CAN_RELEASE: ${{ secrets.AUTO_RELEASE_GH_TOKEN != '' }} + + release: + runs-on: ubuntu-latest + needs: [release_check] if: > !contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && ( github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository + ) && ( + needs.release_check.outputs.CAN_RELEASE == 'true' ) steps: - uses: actions/checkout@v2 diff --git a/dependabot.yml b/dependabot.yml new file mode 100644 index 000000000..f38eefc05 --- /dev/null +++ b/dependabot.yml @@ -0,0 +1,9 @@ +# see https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "monthly" + ignore: + - dependency-name: "@codechecks/client" diff --git a/package.json b/package.json index e12a38154..765ac2e98 100644 --- a/package.json +++ b/package.json @@ -40,7 +40,7 @@ "@babel/preset-typescript": "^7.13.0", "@babel/runtime": "^7.13.10", "@codechecks/build-size-watcher": "^0.1.0", - "@codechecks/client": "0.1.10", + "@codechecks/client": "0.1.10-beta", "@emotion/jest": "^11.3.0", "@preconstruct/cli": "^2", "@testing-library/react": "^11.2.6", diff --git a/yarn.lock b/yarn.lock index c47f565be..cb4147281 100644 --- a/yarn.lock +++ b/yarn.lock 
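Review bot: In `.github/workflows/ci.yml`, `release_check` never exposes `CAN_RELEASE` as a job output: its only step has no `id` and the job has no `outputs:` mapping, so `needs.release_check.outputs.CAN_RELEASE` in the `release` condition is always an empty string and `release` is skipped for every event. The gate fails closed, so Dependabot and fork runs still cannot reach the release steps, but pushes to the repository stop releasing too. Declaring the output on the job and giving the step an id fixes this, and writing to `$GITHUB_OUTPUT` replaces the deprecated `::set-output` command. The comment above the job says `GH_TOKEN` while the secret actually tested is `AUTO_RELEASE_GH_TOKEN`, so it should use that name. The `release` job's steps continue past the end of the hunk.

```yaml
  release_check:
    # … unchanged: runs-on, needs …
    outputs:
      CAN_RELEASE: ${{ steps.check.outputs.CAN_RELEASE }}
    steps:
      - id: check
        run: echo "CAN_RELEASE=$CAN_RELEASE" >> "$GITHUB_OUTPUT"
        # … unchanged: env block defining CAN_RELEASE …
```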
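Review bot: The new `dependabot.yml` is created at the repository root, but Dependabot reads its configuration only from `.github/dependabot.yml`, so the monthly npm schedule and the `ignore` entry for `@codechecks/client` will not take effect from this path. Moving the file under `.github/` is the fix. Once it is active, a second `updates` entry with `package-ecosystem: "github-actions"` would also keep tag-pinned actions current, such as the `actions/checkout@v2` visible in the workflow hunk.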
@@ -1580,10 +1580,10 @@ gzip-size "^5.0.0" lodash "^4.17.11" -"@codechecks/client@0.1.10": - version "0.1.10" - resolved "https://registry.yarnpkg.com/@codechecks/client/-/client-0.1.10.tgz#41fe736c424976d9feb8116b131fb9c1f099d105" - integrity sha512-rvX+LknmMohsLTU8mHJqIcNTo8fKfw6A5i7JvT6JJWqwCLi+TujHpRO8BLf48iF96+gU5viVvKfRaUyhc3wloA== +"@codechecks/client@0.1.10-beta": + version "0.1.10-beta" + resolved "https://registry.yarnpkg.com/@codechecks/client/-/client-0.1.10-beta.tgz#d93481214f43c1463586d9ca697d358a74fdc093" + integrity sha512-Wja7f4pxPK7A0D5h5RB7SLJCH0+H3Kz+mRXXX5Dj/58/aB1Tp2sXNu0bt0ESDE7CsAd/fROlf+Tu2nrn2g//fA== dependencies: bluebird "^3.5.3" chalk "^2.4.2"