diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7662d99a..5c0c87c0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,10 @@ updates: directory: "/" schedule: interval: "weekly" + - package-ecosystem: docker + directory: /cicd + schedule: + interval: daily # version updates: disabled # security updates: enabled diff --git a/.github/workflows/deps-release-detect.yaml b/.github/workflows/deps-release-detect.yaml new file mode 100644 index 00000000..3f8b4057 --- /dev/null +++ b/.github/workflows/deps-release-detect.yaml 
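Review bot: The new docker entry leaves `directory: /cicd` and `interval: daily` as plain scalars while the existing entry in the same file quotes `"/"` and `"weekly"`; both parse as strings, so this is style only, but the file should pick one convention. Suggested lines: `directory: "/cicd"` and `interval: "daily"`. The hunk's trailing context (the version/security-updates comments and the indentation of the new entry) is flattened in this view, so the exact placement of the added entry under `updates:` cannot be confirmed from here.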
@@ -0,0 +1,88 @@ +name: Deps Release + +on: 'pull_request' + +permissions: + contents: write + +jobs: + detect: + name: Detect + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + git checkout -b "$GITHUB_HEAD_REF" + + - name: Dependabot metadata + id: dependabot-metadata + uses: dependabot/fetch-metadata@v2 + + - name: Install node + uses: actions/setup-node@v4 + with: + node-version: 18 + + - name: Install semver + run: |- + npm install -g semver + + - name: Bump + run: |- + set -e + push=0 + config='[ + { + "directory": "cicd", + "dependencyName": "alpine" + } + ]' + + deps='${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}' + + for i in $(seq 0 "$(("$(echo "$config" | jq length) - 1"))"); do + directory="$(echo "$config" | jq -r ".[$i].directory")" + dependencyName="$(echo "$config" | jq -r ".[$i].dependencyName")" + match="$(echo "$deps" | jq ".[] | select(.directory == \"/$directory\" and .dependencyName == \"$dependencyName\")")" + if [ -z "$match" ]; then + continue + fi + + updateType="$(echo "$match" | jq -r ".updateType")" + prevVersion="$(echo "$match" | jq -r ".prevVersion")" + newVersion="$(echo "$match" | jq -r ".newVersion")" + + echo "directory : $directory" + echo "dependencyName : $dependencyName" + echo "updateType : $updateType" + echo "prevVersion : $prevVersion" + echo "newVersion : $newVersion" + + tagPrevVersion="$(git ls-remote 2>/dev/null \ + | grep -oE 'refs/tags/v[0-9]+\.[0-9]+\.[0-9]+' \ + | cut -d'/' -f3 \ + | xargs semver \ + | tail -n 1)" + + tagNewVersion="$(semver -i patch "$tagPrevVersion")" + + echo "$tagPrevVersion" > ./cicd/tag-deps-version.txt + echo "$tagNewVersion" >> ./cicd/tag-deps-version.txt + + git add ./cicd/tag-base-version.txt + if git commit -m "bump dependency 
release to $tagNewVersion"; then + push=1 + fi + done + + if [ "$push" = "1" ]; then + git push -u origin "$GITHUB_HEAD_REF" + fi diff --git a/.github/workflows/deps-release-tag.yaml b/.github/workflows/deps-release-tag.yaml new file mode 100644 index 00000000..8b3aa898 --- /dev/null +++ b/.github/workflows/deps-release-tag.yaml @@ -0,0 +1,56 @@ +name: Deps Release + +on: + push: + branches: + - main + +permissions: + contents: write + +jobs: + tag: + name: Tag + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - id: tag + name: Determine tag + run: | + old_version="$(head -n 1 ./cicd/tag-deps-version.txt)" + old_ref_name="v$old_version" + new_version="$(tail -n 1 ./cicd/tag-deps-version.txt)" + new_ref_name="v$new_version" + + create=true + if [ "$(git ls-remote origin "refs/tags/$new_ref_name" | wc -l)" = "1" ]; then + create=false + fi + + echo "old-version=$old_version" | tee -a "$GITHUB_OUTPUT" + echo "old-ref-name=$old_ref_name" | tee -a "$GITHUB_OUTPUT" + echo "new-version=$new_version" | tee -a "$GITHUB_OUTPUT" + echo "new-ref-name=$new_ref_name" | tee -a "$GITHUB_OUTPUT" + echo "create=$create" | tee -a "$GITHUB_OUTPUT" + + - if: ${{ fromJSON(steps.tag.outputs.create) }} + name: Tag + run: | + commit="$(git rev-parse HEAD)" + git fetch origin refs/tags/"${{ steps.tag.outputs.old-ref-name }}" + git checkout -b deps "${{ steps.tag.outputs.old-ref-name }}" + git restore --source="$commit" ./cicd + git add ./cicd + if git commit -m "bump dependency release to ${{ steps.tag.outputs.new-version }}"; then + git tag "${{ steps.tag.outputs.new-ref-name }}" + git push origin "${{ steps.tag.outputs.new-ref-name }}" + fi diff --git a/cicd/Dockerfile b/cicd/Dockerfile index 3d4ff5b1..4ca13131 100644 --- a/cicd/Dockerfile +++ b/cicd/Dockerfile 
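Review bot: The Bump step writes both versions to `./cicd/tag-deps-version.txt` but then stages `./cicd/tag-base-version.txt`, so the file it just updated is never committed: with `set -e` a missing pathspec aborts the step, and an unchanged file makes `git commit` fail and leave `push=0`, so no PR commit is ever pushed. The line should read `git add ./cicd/tag-deps-version.txt`. Separately, `deps='${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}'` expands the expression into the shell text before the script runs, so any single quote in that JSON breaks the quoting; the usual hardening is an `env:` entry `DEPS: ${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}` on the step and `deps="$DEPS"` in the script. Two smaller points to confirm: when the remote has no `vX.Y.Z` tag, `tagPrevVersion` is empty and `semver -i patch ""` fails, and on `pull_request` the checkout is the merge ref, so `git checkout -b "$GITHUB_HEAD_REF"` branches from the merge commit rather than the PR head.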
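Review bot: In "Determine tag", the existence check `[ "$(git ls-remote origin "refs/tags/$new_ref_name" | wc -l)" = "1" ]` only sets `create=false` on exactly one output line; `ls-remote` may also print a peeled `^{}` line for an annotated tag, in which case the check passes and the later `git push` fails on the existing tag. A direct exit-status check avoids counting lines: `if git ls-remote --exit-code origin "refs/tags/$new_ref_name" >/dev/null 2>&1; then create=false; fi`. The "Tag" step also interpolates `${{ steps.tag.outputs.* }}` into `run:`; those values come from `tag-deps-version.txt` in the repository, so passing them through `env:` and reading `"$OLD_REF_NAME"` etc. keeps the script text independent of file content. Note that tags pushed with `GITHUB_TOKEN` do not trigger other workflow runs, so if a release pipeline is keyed on these tags it will not fire from here.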
@@ -1,7 +1,7 @@ #syntax=docker/dockerfile-upstream:1.5 ARG GO_APP -FROM alpine:3.19 as deps +FROM alpine:3.19.0 as deps ARG GO_APP ARG GORELEASER_DIST_DIR=/go/src/dist @@ -28,7 +28,7 @@ RUN <
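Review bot: `FROM alpine:3.19.0 as deps` pins the patch version so dependabot can track it, but a tag alone is still mutable on the registry; pinning to a digest, `FROM alpine:3.19.0@sha256:<digest-from-registry> as deps`, makes the base image tamper-evident and dependabot's docker ecosystem keeps the digest updated alongside the tag. The second hunk of this file (`@@ -28,7 +28,7 @@`) is cut off in this view and is not reviewed here.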