diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5a774f1a..069819f7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
   directory: "/"
   schedule:
     interval: "weekly"
+  cooldown:
+    default-days: 2
   commit-message:
     prefix: "ci(github-actions)"
 - package-ecosystem: npm
@@ -17,6 +19,8 @@ updates:
   - RandomByte
   - flovogt
   versioning-strategy: increase
+  cooldown:
+    default-days: 2
   commit-message:
     prefix: "deps"
     prefix-development: "build(deps-dev)"
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
deleted file mode 100644
index fd1efdf9..00000000
--- a/.github/workflows/commitlint.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Commit Message Linting
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-
-jobs:
-  commitlint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v6
-        with:
-          configFile: .commitlintrc.mjs
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index d14974a7..793e4c7b 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
 
     - name: Setup Node.js
       uses: actions/setup-node@v6
@@ -33,6 +35,14 @@ jobs:
     - name: Perfrom ESLint check
       run: npm run lint
 
+    - name: Validate current commit (last commit) with commitlint
+      if: github.event_name == 'push'
+      run: npm run lint:commit -- --last --verbose
+
+    - name: Validate PR commits with commitlint
+      if: github.event_name == 'pull_request'
+      run: npm run lint:commit -- --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
     - name: Perfrom Licenses check
       run: npm run check-licenses
 
@@ -43,7 +53,8 @@ jobs:
       run: npm run test:unit:coverage
 
     - name: Send report to Coveralls for package @ui5/middleware-code-coverage
-      uses: coverallsapp/github-action@v2.3.7
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
+      continue-on-error: true # Do not fail the job if coverage reporting fails (e.g. service is down)
       with:
         flag-name: middleware-code-coverage
         base-path: ./packages/middleware-code-coverage
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index bd6159a1..61994c93 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -24,7 +24,7 @@ jobs:
       releases_created: ${{steps.release.outputs.releases_created}}
       paths_released: ${{steps.release.outputs.paths_released}}
     steps:
-    - uses: googleapis/release-please-action@v4
+    - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
       id: release
       with:
         token: ${{secrets.GH_OPENUI5BOT}}
@@ -35,6 +35,8 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+    # The GitHub Actions Environment configured for the trusted publisher
+    environment: npmjs:@ui5/middleware-code-coverage
     strategy:
       matrix:
         path_released: ${{fromJson(needs.pull-request.outputs.paths_released)}}
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index ea0a6129..2ce43a7a 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -17,4 +17,4 @@ jobs:
     steps:
     - uses: actions/checkout@v6
     - name: Execute REUSE Compliance Check
-      uses: fsfe/reuse-action@v6
+      uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
diff --git a/.husky/commit-msg b/.husky/commit-msg
new file mode 100644
index 00000000..cfdf03d5
--- /dev/null
+++ b/.husky/commit-msg
@@ -0,0 +1 @@
+npm run lint:commit -- --edit "$1" # Lint currently edited commit message
diff --git a/.husky/pre-push b/.husky/pre-push
deleted file mode 100644
index 90289817..00000000
--- a/.husky/pre-push
+++ /dev/null
@@ -1 +0,0 @@
-npm run hooks:pre-push
diff --git a/.npmrc b/.npmrc
index 3eeeab4e..f5bb40b0 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@
 registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none
diff --git a/package.json b/package.json
index 84f66a00..10848a3a 100644
--- a/package.json
+++ b/package.json
@@ -39,9 +39,8 @@
 	"scripts": {
 		"check-licenses": "licensee --errors-only",
 		"knip": "knip --config knip.config.js",
-		"hooks:pre-push": "npm run lint:commit",
 		"lint": "npm run lint --workspaces --if-present",
-		"lint:commit": "commitlint -e",
+		"lint:commit": "commitlint",
 		"prepare": "node ./.husky/skip.js || husky",
 		"check-engine": "check-engine-light .",
 		"test": "npm run test --workspaces --if-present && npm run knip",