diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fa20300..2597ae2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,32 +1,60 @@ version: 2 updates: - # Runtime/test dependencies. + # Runtime/test .NET dependencies. Group non-major bumps into one PR. + # BouncyCastle and other crypto primitives stay ungrouped so each major + # bump gets eyes-on review. - package-ecosystem: "nuget" directory: "/" schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 10 labels: - "dependencies" - "dotnet" - # Cryptographic primitives are sensitive. Don't auto-merge. + groups: + dotnet-minor-patch: + update-types: + - "minor" + - "patch" + exclude-patterns: + - "BouncyCastle*" + dotnet-major-non-crypto: + update-types: + - "major" + exclude-patterns: + - "BouncyCastle*" ignore: + # Cryptographic primitives are sensitive. Don't auto-merge majors. - dependency-name: "BouncyCastle.Cryptography" update-types: ["version-update:semver-major"] - # Rust second-source reader. + # Rust second-source reader. Group non-crypto crates; leave the PQ + # primitives and their core deps ungrouped for manual review. - package-ecosystem: "cargo" directory: "/impl/rust/pqf-reader" schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 10 labels: - "dependencies" - "rust" + groups: + rust-non-crypto: + patterns: + - "*" + exclude-patterns: + - "ml-kem" + - "ml-dsa" + - "hkdf" + - "sha2" + - "sha3" + - "generic-array" + - "rand_core" + - "zeroize" - # GitHub Actions. + # GitHub Actions. Safe to group everything. - package-ecosystem: "github-actions" directory: "/" schedule: @@ -36,3 +64,7 @@ updates: labels: - "dependencies" - "ci" + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/python-binding.yml b/.github/workflows/python-binding.yml index 87705dd..01bb940 100644 --- a/.github/workflows/python-binding.yml 
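Review bot: The `ignore` entry for `BouncyCastle.Cryptography` with `version-update:semver-major` contradicts the new header comment ("each major bump gets eyes-on review") and the rewritten inline comment ("Don't auto-merge majors"): an ignored update type means Dependabot opens no PR at all, so there is nothing to review and a BouncyCastle major will simply go unnoticed until someone checks upstream by hand. Since both groups already carry `exclude-patterns: ["BouncyCastle*"]`, dropping the `ignore` block is enough to get the intended behaviour — BouncyCastle majors arrive as standalone, ungrouped PRs that still need a human to approve. If the suppression is deliberate, the comment should say so honestly, e.g. `# BouncyCastle majors are suppressed: Dependabot opens no PR; track upstream releases manually.` Worth confirming against Dependabot's documented `ignore` semantics whether the entry would also suppress a security-update PR for a BouncyCastle major that fixes a CVE, which would be the worst outcome for a crypto dependency.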
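Review bot: Grouping every action update into one PR is reasonable, but the workflows still reference actions by mutable tag (`uses: actions/checkout@v6` is visible in the python-binding hunk on this page), so the grouped PR moves several actions at once while the tags themselves can be repointed upstream without any PR for review. Pin each `uses:` to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v6`; Dependabot bumps SHA-pinned actions and keeps the version comment in sync, so the `github-actions` group continues to work. If your Dependabot configuration supports it, a `cooldown` period for this ecosystem would also avoid pulling in a freshly published action release before the community has had a chance to look at it.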
+++ b/.github/workflows/python-binding.yml @@ -23,7 +23,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python: ["3.9", "3.12"] + python: ["3.10", "3.12"] steps: - name: Checkout uses: actions/checkout@v6 @@ -47,11 +47,18 @@ jobs: key: ${{ runner.os }}-py${{ matrix.python }}-cargo-${{ hashFiles('bindings/python/Cargo.toml', 'impl/rust/pqf-reader/Cargo.toml') }} - name: Install maturin - run: pip install --upgrade pip maturin + run: python -m pip install --upgrade pip maturin - - name: Build + install the binding into the venv + - name: Build wheel working-directory: bindings/python - run: maturin develop --release + run: maturin build --release --out dist + + - name: Install wheel + working-directory: bindings/python + shell: bash + run: | + WHEEL=$(ls dist/*.whl | head -1) + python -m pip install "$WHEEL" - name: Smoke test (import + parse a vector) working-directory: bindings/python
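Review bot: The new "Install wheel" step selects the artifact with `WHEEL=$(ls dist/*.whl | head -1)`, which is fragile in exactly the cases a CI job should catch: if `maturin build` produced no wheel, `ls` fails but `WHEEL` is set to the empty string and the step dies on an unhelpful `pip install ""` error, and if more than one wheel is present the choice is arbitrary and the smoke test may exercise a different build than intended. Use a bash array with `nullglob` and fail loudly unless exactly one wheel exists, and run the script under `set -euo pipefail` so a failing pipeline stage is not masked. Separately, `maturin build --release --out dist` is run without `--interpreter`; if maturin does not pick up the matrix interpreter by default in this environment, passing `-i python` would make the built wheel match the `python -m pip` that installs it — worth confirming in the job log.

```yaml
      - name: Install wheel
        working-directory: bindings/python
        shell: bash
        run: |
          set -euo pipefail
          shopt -s nullglob
          wheels=(dist/*.whl)
          if [ "${#wheels[@]}" -ne 1 ]; then
            echo "expected exactly one wheel in dist/, found ${#wheels[@]}" >&2
            exit 1
          fi
          python -m pip install "${wheels[0]}"
```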