diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index 0a131539..00000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,4 +0,0 @@
-load("github.com/cirrus-modules/golang@main", "lint_task")
-
-def main(ctx):
-    return [lint_task()]
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index ab467cf9..00000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-task:
-  name: Test (macOS)
-  persistent_worker:
-    labels:
-      name: dev-mini
-    resources:
-      tart-vms: 2
-  pre_pull_script:
-    - tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest
-  test_script:
-    - go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./...
-  always:
-    cleanup_script:
-      - tart list
-      - rm -rf ~/.tart/vms/orchard-*
-
-task:
-  depends_on:
-    - Lint
-    - Test (macOS)
-  env:
-    MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!]
-    MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!]
-    MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!]
-    MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!]
-    MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!]
-    GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!]
-    GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!]
-    FURY_TOKEN: ENCRYPTED[!97fe4497d9aca60a3d64904883b81e21f19706c6aedda625c97f62f67ec46b8efa74c55699956158bbf0a23726e7d9f6!]
-  container:
-    image: golang:latest
-    cpu: 4
-    memory: 12G
-  matrix:
-    - name: Release Binaries
-      only_if: $CIRRUS_TAG != ''
-      install_goreleaser_script:
-        - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-        - apt update && apt -y install goreleaser-pro
-      release_script: goreleaser
-    - name: Release Binaries (Dry Run)
-      only_if: $CIRRUS_TAG == ''
-      install_goreleaser_script:
-        - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-        - apt update && apt -y install goreleaser-pro
-      release_script: goreleaser release --skip=publish --snapshot --clean --verbose
-      binaries_artifacts:
-        path: "dist/orchard_*/orchard*"
-
-docker_builder:
-  name: Release Docker Image
-  only_if: $CIRRUS_TAG != ''
-  depends_on:
-    - Lint
-    - Test (macOS)
-  env:
-    GITHUB_TOKEN: ENCRYPTED[!82ed873afdf627284305afef4958c85a8f73127b09978a9786ac521559630ea6c9a5ab6e7f8315abf9ead09b6eff6eae!]
-  login_script:
-    - echo $GITHUB_TOKEN | docker login ghcr.io -u fkorotkov --password-stdin
-  setup_script:
-    - docker buildx create --name multibuilder
-    - docker buildx use multibuilder
-    - docker buildx inspect --bootstrap
-  deploy_script: |
-    docker buildx build --push --platform linux/amd64,linux/arm64 \
-      --tag ghcr.io/cirruslabs/orchard:$CIRRUS_TAG \
-      --tag ghcr.io/cirruslabs/orchard:latest \
-      .
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5c878ace..98f58aa0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,14 +1,38 @@
-name: Main
+name: CI
 
 on:
+  pull_request:
   push:
+    branches:
+      - main
+    tags:
+      - '*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+      - name: Lint
+        run: golangci-lint run
+
   test:
     name: Test (Linux)
-    runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-go@v5
         with:
           go-version: stable
@@ -22,3 +46,104 @@ jobs:
           vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest
       - name: Run tests
         run: go test -v -count=1 ./...
+
+  release_binaries_dry_run:
+    name: Release Binaries (Dry Run)
+    if: github.event_name != 'pull_request' && github.ref_type != 'tag'
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    env:
+      FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+      GITHUB_TOKEN: ${{ github.token }}
+      GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+      MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+      MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+      MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+      MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Install GoReleaser
+        run: |
+          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+          sudo apt update
+          sudo apt -y install goreleaser-pro
+      - name: Build snapshot
+        run: goreleaser release --skip=publish --snapshot --clean --verbose
+      - name: Upload binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: orchard-binaries-dry-run
+          path: dist/orchard_*/orchard*
+          if-no-files-found: ignore
+
+  release_binaries:
+    name: Release Binaries
+    if: github.ref_type == 'tag'
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    permissions:
+      contents: write
+    env:
+      FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+      GITHUB_TOKEN: ${{ github.token }}
+      GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+      MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+      MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+      MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+      MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Install GoReleaser
+        run: |
+          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+          sudo apt update
+          sudo apt -y install goreleaser-pro
+      - name: Release
+        run: goreleaser
+
+  release_docker_image:
+    name: Release Docker Image
+    if: github.ref_type == 'tag'
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v5
+      - name: Log in to GHCR
+        run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Configure buildx
+        run: |
+          docker buildx create --name multibuilder
+          docker buildx use multibuilder
+          docker buildx inspect --bootstrap
+      - name: Build and push image
+        run: |
+          docker buildx build --push --platform linux/amd64,linux/arm64 \
+            --tag "ghcr.io/cirruslabs/orchard:${GITHUB_REF_NAME}" \
+            --tag ghcr.io/cirruslabs/orchard:latest \
+            .