diff --git a/.github/codecov.yml b/.github/codecov.yml
new file mode 100644
index 00000000..015a7793
--- /dev/null
+++ b/.github/codecov.yml
@@ -0,0 +1,8 @@
+coverage:
+  status:
+    project:
+      default:
+        # basic
+        target: auto
+        threshold: 5%
+    patch: off
\ No newline at end of file
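Review bot: The `# basic` comment above `target: auto` does not say what the project status check enforces. As I read Codecov's settings, `target: auto` compares against the base commit and `threshold: 5%` lets project coverage fall by up to 5% and still pass, while `patch: off` disables the per-change check, so a change can land with untested new lines. Suggest replacing the comment with `# pass if project coverage drops by no more than 5% versus the base commit` and adding `# patch status disabled: new lines are not checked for coverage` above `patch: off`. The file also ends without a trailing newline.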
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6ce9aab9..4fbfc73f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,8 @@ on:
       - "v*"
 name: CI
 jobs:
+  linting:
+    uses: ./.github/workflows/linting.yml
   tests:
     uses: ./.github/workflows/tests.yml
   examples:
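Review bot: The new `linting` job has no `permissions:` key, so the called workflow runs with whatever GITHUB_TOKEN scopes ci.yml or the repository default grants; nothing in this hunk shows a workflow-level restriction. The lint and govulncheck steps only need to read the source, so consider adding `permissions:` with `contents: read` under `linting:`, and on the neighbouring `tests` and `examples` callers if they lack it. The `jobs:` map continues outside the hunk.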
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 88c16c4c..fbc73b48 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,9 +37,11 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
-
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+        with:
+          go-version-file: 'go.mod'
+          cache: false
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99
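Review bot: The added `actions/setup-go` step takes its Go version from go.mod, and this commit changes the `go` directive there to `1.21.5`, so the CodeQL build appears to be tied to that exact patch release until go.mod is bumped. If that is intended, say so next to the step, for example `# Go version follows go.mod; bump the go directive to pick up Go security releases`. `cache: false` also has no explanation; a short comment on why caching is disabled for this scan would keep it from being switched on later by accident. The `steps:` list continues outside the hunk.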
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
new file mode 100644
index 00000000..8b0891f4
--- /dev/null
+++ b/.github/workflows/linting.yml
@@ -0,0 +1,40 @@
+# Copyright 2022-2023 VMware, Inc.
+#
+# This product is licensed to you under the BSD-2 license (the "License").
+# You may not use this product except in compliance with the BSD-2 License.
+# This product may include a number of subcomponents with separate copyright
+# notices and license terms. Your use of these subcomponents is subject to
+# the terms and conditions of the subcomponent's license, as noted in the
+# LICENSE file.
+#
+# SPDX-License-Identifier: BSD-2-Clause
+on:
+  workflow_call:
+name: Linting
+jobs:
+  govulncheck_job:
+    runs-on: ubuntu-latest
+    name: govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4
+        with:
+          go-version-file: 'go.mod'
+          go-package: ./...
+  golangci:
+    name: golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+        with:
+          go-version-file: 'go.mod'
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          # Require: The version of golangci-lint to use.
+          # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
+          # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
+          version: v1.54
+          args: --timeout 5m --verbose
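Review bot: `golangci/golangci-lint-action@v3` in the `golangci` job is pinned to a mutable tag, while every other action in this file is pinned to a full commit SHA and the golangci-lint step removed from tests.yml in this same commit was SHA-pinned too. A tag can be repointed after review, so this step runs whatever `v3` resolves to at job time. Pin it to the full commit SHA of the release you intend, e.g. `uses: golangci/golangci-lint-action@<FULL_COMMIT_SHA> # v3`. Separately, govulncheck now runs once against the go.mod version instead of across the Go version matrix the removed `checks` job used; if that narrowing is intended, a one-line comment on `govulncheck_job` saying so would help.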
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 09b4aa95..6b2d7172 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -21,7 +21,6 @@ jobs:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: arnested/go-version-action@b556f8d91b644164318c709d28b9083eaf0c064d
         id: versions
-
   run:
     name: Run
     strategy:
@@ -47,27 +46,3 @@ jobs:
         uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
         with:
           flags: Go-${{ matrix.go-version }}
-
-  checks:
-    name: Checks and linters
-    strategy:
-      matrix:
-        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
-    runs-on: ubuntu-latest
-    needs: get-go-versions
-    steps:
-      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
-        with:
-          go-version: ${{ matrix.go-version }}
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1
-        with:
-          version: v1.51 # has to be pinned and thus manually updated due to https://github.com/golangci/golangci-lint-action/blob/6a290f7d5d488e1e423b0b37fe802c822ca2c08c/README.md?plain=1#L108
-          args: --timeout 5m --verbose
-      - name: govulncheck
-        uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4
-        with:
-          go-version-input: ${{ matrix.go-version }}
-          go-package: ./...
-
diff --git a/go.mod b/go.mod
index 63788e68..de6a22d1 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/rdimitrov/go-tuf-metadata
 
-go 1.21
+go 1.21.5
 
 require (
 	github.com/go-logr/stdr v1.2.2