diff --git a/.github/actions/run-in-docker-action/action.yml b/.github/actions/run-in-docker-action/action.yml
index 5d46ca1b016..0884d3a4430 100644
--- a/.github/actions/run-in-docker-action/action.yml
+++ b/.github/actions/run-in-docker-action/action.yml
@@ -6,8 +6,7 @@ inputs:
     required: true
   scope:
     description: 'A cached image scope'
-    required: false
-    default: ${{ runner.arch }}
+    required: true
   command:
     description: 'A command to run in a container'
     required: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 59d2251497c..308035c6a54 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
       - '**'
     tags-ignore:
       - '**'
+  schedule:
+    # Run on the default branch every Monday morning.
+    # This also warms the Docker caches after key rotation.
+    - cron: '22 2 * * 1'
 
 concurrency:
   group: ${{ github.event_name != 'pull_request' && github.run_id || github.ref }}
@@ -48,6 +52,8 @@ jobs:
   docker_cache:
     name: "Build ${{ matrix.arch }} Docker image"
     runs-on: ${{ matrix.runner }}
+    outputs:
+      cache_scope: ${{ steps.cache_timestamp.outputs.period }}
 
     strategy:
       fail-fast: false
@@ -59,6 +65,10 @@ jobs:
             runner: ubuntu-24.04-arm
 
     steps:
+      - name: Get cache validity period
+        id: cache_timestamp
+        run: echo "period=$(($(date +%V) / 4))" >> "$GITHUB_OUTPUT"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
@@ -70,8 +80,8 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           file: ./ci/linux-debian.Dockerfile
-          cache-from: type=gha,scope=${{ runner.arch }}
-          cache-to: type=gha,scope=${{ runner.arch }},mode=min
+          cache-from: type=gha,scope=${{ runner.arch }}-${{ steps.cache_timestamp.outputs.period }}
+          cache-to: type=gha,scope=${{ runner.arch }}-${{ steps.cache_timestamp.outputs.period }},mode=min
 
   x86_64-debian:
     name: "x86_64: Linux (Debian stable)"
@@ -117,6 +127,7 @@ jobs:
         uses: ./.github/actions/run-in-docker-action
         with:
           dockerfile: ./ci/linux-debian.Dockerfile
+          scope: ${{ runner.arch }}-${{ needs.docker_cache.outputs.cache_scope }}
           command: ./ci/ci.sh
 
       - &PRINT_LOGS
@@ -636,6 +647,7 @@ jobs:
         uses: ./.github/actions/run-in-docker-action
         with:
           dockerfile: ./ci/linux-debian.Dockerfile
+          scope: ${{ runner.arch }}-${{ needs.docker_cache.outputs.cache_scope }}
           command: |
             g++ -Werror include/*.h
             clang -Werror -x c++-header include/*.h
diff --git a/.gitignore b/.gitignore
index ce33a84adf4..fbc311d7b5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,26 +45,15 @@ coverage.*.html
 *.gcno
 *.gcov
 
-build-aux/ar-lib
-build-aux/config.guess
-build-aux/config.sub
-build-aux/depcomp
-build-aux/install-sh
-build-aux/ltmain.sh
-build-aux/m4/libtool.m4
-build-aux/m4/lt~obsolete.m4
-build-aux/m4/ltoptions.m4
-build-aux/m4/ltsugar.m4
-build-aux/m4/ltversion.m4
-build-aux/missing
-build-aux/compile
-build-aux/test-driver
+/autotools-aux/
+!/autotools-aux/m4/bitcoin_secp.m4
+
 libsecp256k1.pc
 
 ### CMake
 /CMakeUserPresets.json
-# Default CMake build directory.
-/build
+# CMake build directories.
+/*build*
 
 ### Python
 __pycache__/
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 01b14b53758..4ef69c08913 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -217,6 +217,7 @@ else()
   try_append_c_flags(-Wcast-align=strict) # GCC >= 8.0.
   try_append_c_flags(-Wconditional-uninitialized) # Clang >= 3.0 only.
   try_append_c_flags(-Wextra) # GCC >= 3.4, this is the newer name of -W, which we don't use because older GCCs will warn about unused functions.
+  try_append_c_flags(-Wleading-whitespace=spaces) # GCC >= 15.0
   try_append_c_flags(-Wnested-externs)
   try_append_c_flags(-Wno-long-long) # GCC >= 3.0, -Wlong-long is implied by -pedantic.
   try_append_c_flags(-Wno-overlength-strings) # GCC >= 4.2, -Woverlength-strings is implied by -pedantic.
@@ -224,6 +225,7 @@ else()
   try_append_c_flags(-Wreserved-identifier) # Clang >= 13.0 only.
   try_append_c_flags(-Wshadow)
   try_append_c_flags(-Wstrict-prototypes)
+  try_append_c_flags(-Wtrailing-whitespace=any) # GCC >= 15.0
   try_append_c_flags(-Wundef)
 endif()
 
diff --git a/Makefile.am b/Makefile.am
index dc798575e3e..07d7a2ba7f3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-ACLOCAL_AMFLAGS = -I build-aux/m4
+ACLOCAL_AMFLAGS = -I autotools-aux/m4
 
 # AM_CFLAGS will be automatically prepended to CFLAGS by Automake when compiling some foo
 # which does not have an explicit foo_CFLAGS variable set.
diff --git a/build-aux/m4/bitcoin_secp.m4 b/autotools-aux/m4/bitcoin_secp.m4
similarity index 100%
rename from build-aux/m4/bitcoin_secp.m4
rename to autotools-aux/m4/bitcoin_secp.m4
diff --git a/ci/linux-debian.Dockerfile b/ci/linux-debian.Dockerfile
index a575d9b1c48..a862f1b17f7 100644
--- a/ci/linux-debian.Dockerfile
+++ b/ci/linux-debian.Dockerfile
@@ -67,6 +67,9 @@ RUN \
     wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \
     # Add repository for this Debian release
     . /etc/os-release && echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME} main" >> /etc/apt/sources.list && \
+    # Temporarily work around Sequoia PGP policy deadline for legacy repositories.
+    # See https://github.com/llvm/llvm-project/issues/153385.
+    sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config && \
     apt-get update && \
     # Determine the version number of the LLVM development branch
     LLVM_VERSION=$(apt-cache search --names-only '^clang-[0-9]+$' | sort -V | tail -1 | cut -f1 -d" " | cut -f2 -d"-" ) && \
diff --git a/configure.ac b/configure.ac
index d7465612ddd..a21447ced5e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,8 +19,8 @@ define(_LIB_VERSION_AGE, 0)
 
 AC_INIT([libsecp256k1],m4_join([.], _PKG_VERSION_MAJOR, _PKG_VERSION_MINOR, _PKG_VERSION_PATCH)m4_if(_PKG_VERSION_IS_RELEASE, [true], [], [-dev]),[https://github.com/bitcoin-core/secp256k1/issues],[libsecp256k1],[https://github.com/bitcoin-core/secp256k1])
 
-AC_CONFIG_AUX_DIR([build-aux])
-AC_CONFIG_MACRO_DIR([build-aux/m4])
+AC_CONFIG_AUX_DIR([autotools-aux])
+AC_CONFIG_MACRO_DIR([autotools-aux/m4])
 AC_CANONICAL_HOST
 
 # Require Automake 1.11.2 for AM_PROG_AR
@@ -111,6 +111,8 @@ AC_DEFUN([SECP_TRY_APPEND_DEFAULT_CFLAGS], [
       SECP_TRY_APPEND_CFLAGS([-Wcast-align=strict], $1) # GCC >= 8.0
       SECP_TRY_APPEND_CFLAGS([-Wconditional-uninitialized], $1) # Clang >= 3.0 only
       SECP_TRY_APPEND_CFLAGS([-Wreserved-identifier], $1) # Clang >= 13.0 only
+      SECP_TRY_APPEND_CFLAGS([-Wtrailing-whitespace=any], $1) # GCC >= 15.0
+      SECP_TRY_APPEND_CFLAGS([-Wleading-whitespace=spaces], $1) # GCC >= 15.0
 
       CFLAGS="$SECP_TRY_APPEND_DEFAULT_CFLAGS_saved_CFLAGS"
     fi
diff --git a/doc/release-process.md b/doc/release-process.md
index a64bae0f0d6..3cf183df6b3 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -61,7 +61,7 @@ Perform these checks when reviewing the release PR (see below):
 4. Open a PR to the master branch with a commit (using message `"release cleanup: bump version after $MAJOR.$MINOR.$PATCH"`, for example) that
    * sets `_PKG_VERSION_IS_RELEASE` to `false` and increments `_PKG_VERSION_PATCH` and `_LIB_VERSION_REVISION` in `configure.ac`,
    * increments the `$PATCH` component of `project(libsecp256k1 VERSION ...)` and `${PROJECT_NAME}_LIB_VERSION_REVISION` in `CMakeLists.txt`, and
-   * adds an `[Unreleased]` section header to the [CHANGELOG.md](../CHANGELOG.md).
+   * adds an `[Unreleased]` section header and a corresponding `[Unreleased]` link at the bottom of [CHANGELOG.md](../CHANGELOG.md).
 
    If other maintainers are not present to approve the PR, it can be merged without ACKs.
 5. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
diff --git a/include/secp256k1.h b/include/secp256k1.h
index 2799d4a1f89..9de45f1f7d8 100644
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -349,7 +349,7 @@ SECP256K1_API void secp256k1_context_destroy(
  *  writes the message to stderr and calls abort. This default callback can be
  *  replaced at link time if the preprocessor macro
  *  USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build
- *  has been configured with --enable-external-default-callbacks (GNU Autotools) or 
+ *  has been configured with --enable-external-default-callbacks (GNU Autotools) or
  *  -DSECP256K1_USE_EXTERNAL_DEFAULT_CALLBACKS=ON (CMake). Then the
  *  following two symbols must be provided to link against:
  *   - void secp256k1_default_illegal_callback_fn(const char *message, void *data);
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ecbbbbe8e90..46db77809d2 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -95,7 +95,7 @@ set_target_properties(secp256k1_objs PROPERTIES
 )
 
 # This emulates Libtool to make sure Libtool and CMake agree on the ABI version,
-# see below "Calculate the version variables" in build-aux/ltmain.sh.
+# see below "Calculate the version variables" in autotools-aux/ltmain.sh.
 math(EXPR ${PROJECT_NAME}_soversion "${${PROJECT_NAME}_LIB_VERSION_CURRENT} - ${${PROJECT_NAME}_LIB_VERSION_AGE}")
 set_target_properties(secp256k1 PROPERTIES
   SOVERSION ${${PROJECT_NAME}_soversion}
diff --git a/src/bench.h b/src/bench.h
index 72a3f211b60..f88277aa3fb 100644
--- a/src/bench.h
+++ b/src/bench.h
@@ -59,7 +59,7 @@ static void print_number(const int64_t x) {
             y /= 10;
         }
     } else if (c == 0) { /* fractional part is 0 */
-        buffer[--ptr] = '0'; 
+        buffer[--ptr] = '0';
     }
     buffer[--ptr] = '.';
     do {
diff --git a/src/checkmem.h b/src/checkmem.h
index 08eae47d78e..88c65c8ebf7 100644
--- a/src/checkmem.h
+++ b/src/checkmem.h
@@ -78,10 +78,15 @@
 #  if defined(__clang__) && defined(__APPLE__)
 #    pragma clang diagnostic push
 #    pragma clang diagnostic ignored "-Wreserved-identifier"
+#  elif defined(__GNUC__) && (__GNUC__ >= 15)
+#    pragma GCC diagnostic push
+#    pragma GCC diagnostic ignored "-Wtrailing-whitespace"
 #  endif
 #    include <valgrind/memcheck.h>
 #  if defined(__clang__) && defined(__APPLE__)
 #    pragma clang diagnostic pop
+#  elif defined(__GNUC__) && (__GNUC__ >= 15)
+#    pragma GCC diagnostic pop
 #  endif
 #    define SECP256K1_CHECKMEM_ENABLED 1
 #    define SECP256K1_CHECKMEM_UNDEFINE(p, len) VALGRIND_MAKE_MEM_UNDEFINED((p), (len))
diff --git a/src/field.h b/src/field.h
index e3f0234f5fe..945029ecd83 100644
--- a/src/field.h
+++ b/src/field.h
@@ -233,7 +233,7 @@ static void secp256k1_fe_add_int(secp256k1_fe *r, int a);
 #define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a))
 
 /** Like secp256k1_fe_mul_int but a is not checked to be an integer constant expression.
- * 
+ *
  * Should not be called directly outside of tests.
  */
 static void secp256k1_fe_mul_int_unchecked(secp256k1_fe *r, int a);