diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
new file mode 100644
index 0000000..aaf731a
--- /dev/null
+++ b/.github/workflows/build-and-test.yml
@@ -0,0 +1,80 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+
+name: Build and Test
+
+on:
+  workflow_call:
+    inputs:
+      rust-version:
+        description: "Rust toolchain version (default: stable)"
+        type: string
+        default: "stable"
+      cargo-locked:
+        description: "Use --locked flag for cargo commands"
+        type: boolean
+        default: true
+      cargo-test-args:
+        description: "Additional arguments for cargo test"
+        type: string
+        default: "--workspace"
+      bazel-enabled:
+        description: "Enable Bazel build and test jobs"
+        type: boolean
+        default: false
+      bazel-build-targets:
+        description: "Bazel build targets"
+        type: string
+        default: "//..."
+      bazel-test-targets:
+        description: "Bazel test targets"
+        type: string
+        default: "//..."
+
+permissions:
+  contents: read
+
+jobs:
+  cargo-build-test:
+    name: Cargo Build & Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ inputs.rust-version }}
+
+      - name: Build all crates
+        run: cargo build ${{ inputs.cargo-locked && '--locked' || '' }} --workspace
+
+      - name: Run tests
+        run: cargo test ${{ inputs.cargo-locked && '--locked' || '' }} ${{ inputs.cargo-test-args }}
+
+  bazel-build-test:
+    name: Bazel Build & Test
+    if: ${{ inputs.bazel-enabled }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bazel
+        uses: bazel-contrib/setup-bazel@0.14.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}-bazel
+          repository-cache: true
+
+      - name: Bazel build
+        run: bazel build ${{ inputs.bazel-build-targets }}
+
+      - name: Bazel test
+        run: bazel test ${{ inputs.bazel-test-targets }}
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
new file mode 100644
index 0000000..aca3ef8
--- /dev/null
+++ b/.github/workflows/coverage.yml
@@ -0,0 +1,121 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+
+name: Coverage
+
+on:
+  workflow_call:
+    inputs:
+      rust-version:
+        description: "Rust toolchain version (default: nightly)"
+        type: string
+        default: "nightly"
+      cargo-locked:
+        description: "Use --locked flag for cargo commands"
+        type: boolean
+        default: true
+      coverage-threshold:
+        description: "Minimum line coverage percentage (0 to disable enforcement)"
+        type: number
+        default: 0
+      exclude-crates:
+        description: "Space-separated list of crates to exclude from coverage"
+        type: string
+        default: ""
+      ignore-filename-regex:
+        description: "Regex for filenames to ignore in coverage"
+        type: string
+        default: ""
+
+permissions:
+  contents: read
+
+jobs:
+  coverage:
+    name: Code Coverage
+    runs-on: ubuntu-latest
+    env:
+      IGNORE_REGEX: ${{ inputs.ignore-filename-regex }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ inputs.rust-version }}
+          components: llvm-tools-preview
+
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@cargo-llvm-cov
+
+      - name: Build exclude flags
+        id: flags
+        shell: bash
+        run: |
+          LOCKED="${{ inputs.cargo-locked && '--locked' || '' }}"
+          EXCLUDES=""
+          for crate in ${{ inputs.exclude-crates }}; do
+            EXCLUDES="$EXCLUDES --exclude $crate"
+          done
+          echo "locked=$LOCKED" >> "$GITHUB_OUTPUT"
+          echo "excludes=$EXCLUDES" >> "$GITHUB_OUTPUT"
+
+      - name: Generate coverage (LCOV)
+        shell: bash
+        run: |
+          ARGS=(--workspace ${{ steps.flags.outputs.locked }} ${{ steps.flags.outputs.excludes }})
+          if [ -n "$IGNORE_REGEX" ]; then
+            ARGS+=(--ignore-filename-regex "$IGNORE_REGEX")
+          fi
+          cargo llvm-cov "${ARGS[@]}" --lcov --output-path lcov.info
+
+      - name: Generate coverage summary
+        id: coverage
+        shell: bash
+        run: |
+          ARGS=(--workspace ${{ steps.flags.outputs.locked }} ${{ steps.flags.outputs.excludes }})
+          if [ -n "$IGNORE_REGEX" ]; then
+            ARGS+=(--ignore-filename-regex "$IGNORE_REGEX")
+          fi
+          cargo llvm-cov "${ARGS[@]}" --json --no-run --output-path coverage.json
+          TOTAL_LINE_COV=$(jq '.data[0].totals.lines.percent' coverage.json)
+          rm -f coverage.json
+
+          REPORT=$(cargo llvm-cov "${ARGS[@]}" --no-run 2>&1)
+          echo "$REPORT"
+
+          echo "total_coverage=$TOTAL_LINE_COV" >> "$GITHUB_OUTPUT"
+          echo "### Coverage Report" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "**Total line coverage: ${TOTAL_LINE_COV}%**" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+          echo "$REPORT" >> "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-lcov
+          path: lcov.info
+          retention-days: 30
+
+      - name: Enforce coverage threshold
+        if: ${{ inputs.coverage-threshold > 0 }}
+        shell: bash
+        run: |
+          COVERAGE="${{ steps.coverage.outputs.total_coverage }}"
+          THRESHOLD="${{ inputs.coverage-threshold }}"
+          echo "Coverage: ${COVERAGE}%, Threshold: ${THRESHOLD}%"
+          if (( $(echo "$COVERAGE < $THRESHOLD" | bc -l) )); then
+            echo "::error::Coverage ${COVERAGE}% is below threshold ${THRESHOLD}%"
+            exit 1
+          fi
+          echo "Coverage ${COVERAGE}% meets threshold ${THRESHOLD}%"
diff --git a/.github/workflows/miri.yml b/.github/workflows/miri.yml
new file mode 100644
index 0000000..dc323fa
--- /dev/null
+++ b/.github/workflows/miri.yml
@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+
+name: Miri
+
+on:
+  workflow_call:
+    inputs:
+      rust-nightly-version:
+        description: "Rust nightly version to use (e.g. nightly or nightly-2025-07-14)"
+        type: string
+        default: "nightly"
+      cargo-locked:
+        description: "Use --locked flag for cargo commands"
+        type: boolean
+        default: true
+      exclude-crates:
+        description: "Space-separated list of crates to exclude from Miri"
+        type: string
+        default: ""
+      miri-flags:
+        description: "Extra MIRIFLAGS environment variable"
+        type: string
+        default: "-Zmiri-disable-isolation"
+
+permissions:
+  contents: read
+
+jobs:
+  cargo-miri:
+    name: Miri (Undefined Behavior Check)
+    runs-on: ubuntu-latest
+    env:
+      MIRIFLAGS: ${{ inputs.miri-flags }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ inputs.rust-nightly-version }}
+          components: miri, rust-src
+
+      - name: Build exclude flags
+        id: flags
+        shell: bash
+        run: |
+          LOCKED="${{ inputs.cargo-locked && '--locked' || '' }}"
+          EXCLUDES=""
+          for crate in ${{ inputs.exclude-crates }}; do
+            EXCLUDES="$EXCLUDES --exclude $crate"
+          done
+          echo "locked=$LOCKED" >> "$GITHUB_OUTPUT"
+          echo "excludes=$EXCLUDES" >> "$GITHUB_OUTPUT"
+
+      - name: Run Miri
+        run: |
+          cargo miri test --workspace \
+            ${{ steps.flags.outputs.locked }} \
+            ${{ steps.flags.outputs.excludes }}
diff --git a/rust-lint-and-format-action/action.yml b/rust-lint-and-format-action/action.yml
index 0edb1e6..576fe0e 100644
--- a/rust-lint-and-format-action/action.yml
+++ b/rust-lint-and-format-action/action.yml
@@ -47,15 +47,12 @@ runs:
   using: 'composite'
   steps:
     - name: Install Rust toolchain
-      uses: dtolnay/rust-toolchain@master
+      uses: actions-rust-lang/setup-rust-toolchain@v1
       with:
         toolchain: ${{ inputs.toolchain }}
         components: clippy, rustfmt
-
-    - name: Cache Rust dependencies
-      uses: Swatinem/rust-cache@v2
-      with:
-        shared-key: ${{ inputs.toolchain }}
+        cache-shared-key: ${{ inputs.toolchain }}
+        rustflags: ""
 
     - name: Install reviewdog
       uses: reviewdog/action-setup@v1