diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4e69bcddf..703f24098 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,71 +1,117 @@
 name: Go
+
 on: [push, pull_request]
+
 env:
   QUAY_PATH: quay.io/brancz/kube-rbac-proxy
-  go-version: '1.25'
-  kind-version: 'v0.30.0'
+  kind-version: v0.30.0
+  go-version: 1.25
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.ref_name }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   check-license:
-    runs-on: ubuntu-latest
     name: Check license
+    runs-on: ubuntu-24.04
+    timeout-minutes: 3
     steps:
-    - uses: actions/checkout@v2
-    - run: make check-license
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Check license
+      run: make check-license
+
   generate:
-    runs-on: ubuntu-latest
     name: Generate
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ env.go-version }}
-    - run: make generate && git diff --exit-code
+
+    - name: Generate
+      run: make generate && git diff --exit-code
+
   lint:
-    runs-on: ubuntu-latest
     name: Lint
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
-    - uses: actions/checkout@v2
-    - name: golangci-lint
-      uses: golangci/golangci-lint-action@v2
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Lint Go
+      uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
       with:
         version: latest
-        args: --timeout=5m
+
   build:
-    runs-on: ubuntu-latest
     name: Build
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ env.go-version }}
-    - run: make build
+
+    - name: Build
+      run: make build
+
   unit-tests:
-    runs-on: ubuntu-latest
     name: Unit tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ env.go-version }}
-    - run: make test-unit
+
+    - name: Run unit tests
+      run: make test-unit
+
   e2e-tests:
-    runs-on: ubuntu-latest
     name: E2E tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      with:
+        go-version: ${{ env.go-version }}
+
     - name: Start kind & create cluster
-      uses: engineerd/setup-kind@v0.6.2
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
       with:
         version: ${{ env.kind-version }}
         config: test/e2e/kind-config/kind-config.yaml
+        cluster_name: kind
         wait: 300s
+
     - name: Wait for cluster to finish bootstraping
       run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
-    - name: Setup golang for make test-e2e
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ env.go-version }}
+
     - name: Create container & run tests
       run: |
         VERSION=local VERSION_SEMVER=$(cat ./VERSION) make container
@@ -75,10 +121,12 @@ jobs:
           sleep 1
         done
         make test-e2e
+
   publish:
-    runs-on: ubuntu-latest
     name: Publish container image to Quay
-    if: github.event_name == 'push'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+    if: ${{ github.event.repository.fork == false && github.event_name == 'push' }}
     needs:
     - check-license
     - generate
@@ -86,17 +134,20 @@ jobs:
     - unit-tests
     - e2e-tests
     steps:
-    - name: Checkout
-      uses: actions/checkout@v2
-    - name: Setup golang for building
-      uses: actions/setup-go@v2
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ env.go-version }}
+
     - name: Login to Quay.io
-      uses: docker/login-action@v1
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
       with:
         registry: quay.io
         username: ${{ secrets.QUAY_USERNAME }}
         password: ${{ secrets.QUAY_PASSWORD }}
+
     - name: Build images and push
       run: ./scripts/publish.sh
diff --git a/.golangci.yaml b/.golangci.yaml
index 472842c5b..aa74c8a1e 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,3 +1,21 @@
-run:
-  skip-dirs:
-    - test/
+version: "2"
+linters:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - test/
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/cmd/kube-rbac-proxy/app/options/options.go b/cmd/kube-rbac-proxy/app/options/options.go
index af46d72a8..9025f60a1 100644
--- a/cmd/kube-rbac-proxy/app/options/options.go
+++ b/cmd/kube-rbac-proxy/app/options/options.go
@@ -144,7 +144,7 @@ func (o *ProxyRunOptions) Flags() k8sapiflag.NamedFlagSets {
 func (o *ProxyRunOptions) Validate() error {
 	var errs []error
 
-	hasCerts := !(o.TLS.CertFile == "") && !(o.TLS.KeyFile == "")
+	hasCerts := (o.TLS.CertFile != "") && (o.TLS.KeyFile != "")
 	hasInsecureListenAddress := o.InsecureListenAddress != ""
 	if !hasCerts || hasInsecureListenAddress {
 		klog.Warning(`
diff --git a/scripts/check_license.sh b/scripts/check_license.sh
index 07b14db8e..78f33db13 100755
--- a/scripts/check_license.sh
+++ b/scripts/check_license.sh
@@ -1,10 +1,11 @@
 #!/bin/sh
 
 licRes=$(
-for file in $(find . -type f -iname '*.go' ! -path '*/vendor/*'); do
-	head -n3 "${file}" | grep -Eq "(Copyright|generated|GENERATED)" || echo -e "  ${file}"
-done;)
+	for file in $(find . -type f -iname '*.go' ! -path '*/vendor/*'); do
+		head -n5 "${file}" | grep -Eq "(Copyright|generated|GENERATED)" || printf "  %s\n" "${file}"
+	done
+)
 if [ -n "${licRes}" ]; then
-	echo -e "license header checking failed:\n${licRes}"
+	printf "license header checking failed:\n%s\n" "${licRes}"
 	exit 255
 fi
diff --git a/scripts/tools.go b/scripts/tools.go
index 132565426..4be053332 100644
--- a/scripts/tools.go
+++ b/scripts/tools.go
@@ -1,3 +1,6 @@
+//go:build tools
+// +build tools
+
 /*
 Copyright 2020 Frederic Branczyk All rights reserved.
 
@@ -14,8 +17,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-//+build tools
-
 package tools
 
 import (