diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..77be8bc
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,53 @@
+name: ci
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ci-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+ with:
+ useTask: true
+
+ test:
+ uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+ with:
+ useTask: true
+ useLocalCoverageConfig: true
+
+ docker-build:
+ uses: platform-mesh/.github/.github/workflows/job-docker-build.yml@main
+ with:
+ imageTagName: ghcr.io/platform-mesh/account-operator
+
+ quality-gate:
+ if: always()
+ permissions: {}
+ needs: [lint, test, docker-build]
+ runs-on: ubuntu-latest
+ timeout-minutes: 1
+ steps:
+ - name: Check results
+ run: |
+ if [[ "${{ needs.lint.result }}" != "success" ]]; then
+ echo "lint failed"
+ exit 1
+ fi
+ if [[ "${{ needs.test.result }}" != "success" ]]; then
+ echo "test failed"
+ exit 1
+ fi
+ if [[ "${{ needs.docker-build.result }}" != "success" ]]; then
+ echo "docker-build failed"
+ exit 1
+ fi
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
deleted file mode 100644
index 54a99d1..0000000
--- a/.github/workflows/pipeline.yml
+++ /dev/null
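Review bot: In `.github/workflows/ci.yml`, all three `uses:` lines (`lint`, `test`, `docker-build`) reference the reusable workflows at `@main`, a mutable ref, so whatever is on that branch of `platform-mesh/.github` at run time is what executes in this repository's context. The same applies to every `uses:` line in the new `.github/workflows/release.yml`, where the called workflows additionally receive `secrets: inherit` and the write scopes declared at the top of that file. Pinning each reference to a full commit SHA makes the executed workflow reviewable and lets updates arrive as ordinary pull requests, e.g. `uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@<full-commit-sha>  # main`.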
@@ -1,117 +0,0 @@
-name: ci
-
-on:
- push:
- branches:
- - main
- pull_request:
- types:
- - opened
- - synchronize
-
-permissions:
- contents: write
- id-token: write
- issues: write
- packages: write
- pull-requests: write
- attestations: write
-
-concurrency:
- group: ${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- # ──────────────────────────────────────────────
- # Always-run jobs (PR + main)
- # ──────────────────────────────────────────────
- lint:
- uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
- with:
- useTask: true
-
- test:
- uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
- secrets: inherit
- with:
- useTask: true
- useLocalCoverageConfig: true
-
- docker-build:
- if: github.event_name == 'pull_request'
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
- with:
- imageTagName: ghcr.io/platform-mesh/account-operator
- secrets: inherit
-
- # ──────────────────────────────────────────────
- # Quality gate (aggregates required checks)
- # ──────────────────────────────────────────────
- quality-gate:
- if: always()
- permissions: {}
- needs: [lint, test, docker-build]
- runs-on: ubuntu-latest
- timeout-minutes: 1
- steps:
- - name: Check results
- run: |
- if [[ "${{ needs.lint.result }}" != "success" ]]; then
- echo "lint failed"
- exit 1
- fi
- if [[ "${{ needs.test.result }}" != "success" ]]; then
- echo "test failed"
- exit 1
- fi
- # docker-build is skipped on main pushes — allow skipped
- if [[ "${{ needs.docker-build.result }}" != "success" && "${{ needs.docker-build.result }}" != "skipped" ]]; then
- echo "docker-build failed"
- exit 1
- fi
-
- # ──────────────────────────────────────────────
- # Release jobs (main branch only)
- # ──────────────────────────────────────────────
- create-version:
- if: github.ref == 'refs/heads/main'
- uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
- secrets: inherit
-
- docker-build-push:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, lint, test]
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
- with:
- imageTagName: ghcr.io/platform-mesh/account-operator
- version: ${{ needs.create-version.outputs.version }}
- multiarch: true
- secrets: inherit
-
- update-version:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push]
- uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
- secrets: inherit
- with:
- appVersion: ${{ needs.create-version.outputs.version }}
- chart: account-operator
- targetRepository: platform-mesh/helm-charts
-
- sbom:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push]
- uses: platform-mesh/.github/.github/workflows/job-sbom.yml@main
- with:
- imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
-
- image-ocm:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push, sbom]
- uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@main
- secrets: inherit
- with:
- imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
- appVersion: ${{ needs.create-version.outputs.version }}
- repoName: account-operator
- commit: ${{ github.sha }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..b397ecf
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,69 @@
+name: release
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ id-token: write
+ issues: write
+ packages: write
+ pull-requests: write
+ attestations: write
+
+concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ lint:
+ uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+ with:
+ useTask: true
+
+ test:
+ uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+ secrets: inherit
+ with:
+ useTask: true
+ useLocalCoverageConfig: true
+
+ create-version:
+ uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
+ secrets: inherit
+
+ docker-build-push:
+ needs: [create-version, lint, test]
+ uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
+ with:
+ imageTagName: ghcr.io/platform-mesh/account-operator
+ version: ${{ needs.create-version.outputs.version }}
+ multiarch: true
+ secrets: inherit
+
+ update-version:
+ needs: [create-version, docker-build-push]
+ uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
+ secrets: inherit
+ with:
+ appVersion: ${{ needs.create-version.outputs.version }}
+ chart: account-operator
+ targetRepository: platform-mesh/helm-charts
+
+ sbom:
+ needs: [create-version, docker-build-push]
+ uses: platform-mesh/.github/.github/workflows/job-sbom.yml@main
+ with:
+ imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
+
+ image-ocm:
+ needs: [create-version, docker-build-push, sbom]
+ uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@main
+ secrets: inherit
+ with:
+ imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
+ appVersion: ${{ needs.create-version.outputs.version }}
+ repoName: account-operator
+ commit: ${{ github.sha }}
diff --git a/README.md b/README.md
index 46fba40..a8d8156 100644
--- a/README.md
+++ b/README.md
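Review bot: In `.github/workflows/release.yml` the workflow-level `permissions:` block grants `contents`, `id-token`, `issues`, `packages`, `pull-requests` and `attestations` write to every job, including `lint` and `test`, which run with only `contents: read` in the new `ci.yml`. Because a called reusable workflow can use at most what the caller job grants, I would set the workflow default to `contents: read` and add a job-level `permissions:` map only on the publishing jobs (`create-version`, `docker-build-push`, `update-version`, `sbom`, `image-ocm`); which scopes each one needs is defined in the called workflows and is not visible in this diff. The `test` job also keeps `secrets: inherit` although the same reusable workflow is called without it in `ci.yml`; if it needs a specific secret here, passing that one by name under `secrets:` would narrow what the test run can read.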
@@ -3,7 +3,7 @@ # platform-mesh - account-operator [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/platform-mesh/account-operator/badge)](https://scorecard.dev/viewer/?uri=github.com/platform-mesh/account-operator) -![Build Status](https://github.com/platform-mesh/account-operator/actions/workflows/pipeline.yml/badge.svg) +![Build Status](https://github.com/platform-mesh/account-operator/actions/workflows/ci.yml/badge.svg) ## Description