diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index bfd3593197..79a299bde0 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -34,6 +34,29 @@ name: Check Spelling # # For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key +# Sarif reporting +# +# Access to Sarif reports is generally restricted (by GitHub) to members of the repository. +# +# Requires enabling `security-events: write` +# and configuring the action with `use_sarif: 1` +# +# For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output + +# Minimal workflow structure: +# +# on: +# push: +# ... +# pull_request_target: +# ... +# jobs: +# # you only want the spelling job, all others should be omitted +# spelling: +# # remove `security-events: write` and `use_sarif: 1` +# # remove `experimental_apply_changes_via_bot: 1` +# ... otherwise adjust the `with:` as you wish + on: push: branches: @@ -63,7 +86,8 @@ jobs: followup: ${{ steps.spelling.outputs.followup }} runs-on: ubuntu-latest if: - contains(github.event_name, 'pull_request') || github.event_name == 'push' + ${{ contains(github.event_name, 'pull_request') || github.event_name == + 'push' }} concurrency: group: spelling-${{ github.event.pull_request.number || github.ref }} # note: If you use only_check_changed_files, you do not want cancel-in-progress @@ -73,7 +97,8 @@ jobs: id: spelling uses: check-spelling/check-spelling@main with: - suppress_push_for_open_pull_request: 1 + suppress_push_for_open_pull_request: + ${{ github.actor != 'dependabot[bot]' && 1 }} checkout: true only_check_changed_files: 1 check_file_names: 1 
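Review bot: In the `@@ -73,7 +97,8 @@` hunk, `github.actor != 'dependabot[bot]'` keys off the account that triggered the run, which is not always the author of the pull request. That is acceptable here because the result only decides whether push checks are suppressed, but the line is easy to copy elsewhere as if it were an identity check. I would add a comment above it such as `# github.actor is the triggering account, not a trust decision; this only toggles push suppression`, and state why Dependabot is exempted. The `with:` block continues outside the hunk.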
@@ -81,17 +106,12 @@ jobs: post_comment: 0 use_magic_file: 1 experimental_apply_changes_via_bot: 1 - use_sarif: 0 - extra_dictionary_limit: 10 - extra_dictionaries: - cspell:aws/aws.txt cspell:cpp/src/cpp.txt - cspell:filetypes/filetypes.txt cspell:node/node.txt - cspell:public-licenses/src/generated/public-licenses.txt - cspell:python/src/common/extra.txt - cspell:python/src/python/python-lib.txt - cspell:python/src/python/python.txt cspell:r/src/r.txt - cspell:software-terms/src/software-terms.txt cspell:sql/src/tsql.txt - cspell:win32/src/win32.txt + use_sarif: + ${{ (!github.event.pull_request || + (github.event.pull_request.head.repo.full_name == + github.repository)) && 1 }} + extra_dictionary_limit: 20 + extra_dictionaries: cspell:software-terms/dict/softwareTerms.txt comment-push: name: Report (Push) @@ -105,7 +125,7 @@ jobs: github.event_name == 'push' steps: - name: comment - uses: check-spelling/check-spelling@prerelease + uses: check-spelling/check-spelling@main with: checkout: true spell_check_this: check-spelling/spell-check-this@prerelease @@ -117,6 +137,7 @@ jobs: runs-on: ubuntu-latest needs: spelling permissions: + contents: read pull-requests: write if: (success() || failure()) && needs.spelling.outputs.followup &&
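Review bot: The new `use_sarif` expression in the `@@ -81,17 +106,12 @@` hunk has no comment saying why SARIF is limited to pushes and same-repository pull requests, which matters to anyone who later relaxes it, since the upload needs `security-events: write`. A line above it such as `# SARIF only for pushes and same-repo PRs: code-scanning results are visible to repository members only` would record that. When the condition is false, the `&& 1` form yields `false` rather than the `0` the removed line passed. Presumably the action treats both as off, but that should be confirmed, or the tail written as `github.repository)) && 1 || 0 }}`. The same `&& 1` form is used for `suppress_push_for_open_pull_request` in the previous hunk.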
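Review bot: `uses: check-spelling/check-spelling@main` in the comment-push job (the `@@ -105,7 +125,7 @@` hunk) replaces one mutable ref, `@prerelease`, with another, so whatever lands on that branch runs in this workflow with its token. Pinning to a full commit SHA, written as `uses: check-spelling/check-spelling@<full-commit-sha>  # <release-tag>` with the placeholders filled in, makes each update an explicit, reviewable change. The context line `spell_check_this: check-spelling/spell-check-this@prerelease` and the `@main` reference in the spelling job have the same property. This job's permissions block is outside the hunk, so the actual exposure depends on what it grants.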