diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 675a53e..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# name
-name: ci
-
-# triggers
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    tags:
-      - v*.*.*
-    paths-ignore:
-      - README.md
-      - LICENSE
-      - .github/**
-      - .gitignore
-      - .editorconfig
-      - renovate.json
-  pull_request:
-    branches:
-      - main
-    paths-ignore:
-      - README.md
-      - LICENSE
-      - .github/**
-      - .gitignore
-      - .editorconfig
-      - renovate.json
-
-jobs:
-  cid:
-    uses: cidverse/catalog/.github/workflows/shared-ci.yml@main
-    with:
-      cid-workflow: main
-      cid-version: latest
-    secrets: inherit
diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
new file mode 100644
index 0000000..977a750
--- /dev/null
+++ b/.github/workflows/cid-ossf.yml
@@ -0,0 +1,80 @@
+# cid-workflow-version: 0.0.17
+
+# This file is generated by the CID Workflow GitHub App.
+# DO NOT EDIT!
+
+# name
+name: CID - OSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '40 23 * * 5'
+  # Allow manual triggering of the workflow
+  workflow_dispatch:
+
+# Read Permissions. See
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
+permissions: read-all
+
+# Cancel in progress jobs when a new run starts on the same ref
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  analysis:
+    name: OSSF Scorecard Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed to publish results
+      actions: read # required in private repos
+      contents: read # required in private repos
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >-
+            api.github.com:443
+            cdn01.quay.io:443
+            cdn02.quay.io:443
+            cdn03.quay.io:443
+            codeload.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            quay.io:443
+            raw.githubusercontent.com:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+            uploads.github.com:443
+            api.osv.dev:443
+            www.bestpractices.dev:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            fulcio.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            api.securityscorecards.dev:443
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          persist-credentials: false
+      - name: OSSF Analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true # publish results to OpenSSF REST API
+      - name: Upload Analysis Result
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml
new file mode 100644
index 0000000..0e17ad3
--- /dev/null
+++ b/.github/workflows/cid-pullrequest.yml
@@ -0,0 +1,234 @@
+# cid-workflow-version: 0.0.17
+
+# This file is generated by the CID Workflow GitHub App.
+# DO NOT EDIT!
+
+# name
+name: CID - PullRequest
+
+# triggers
+on:
+  workflow_dispatch:
+    inputs:
+      loglevel:
+        description: Log level
+        required: true
+        default: info
+        type: choice
+        options:
+          - debug
+          - info
+          - warn
+          - error
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - README.md
+      - LICENSE
+      - .gitignore
+      - .editorconfig
+      - renovate.json
+
+# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
+permissions:
+  actions: read # detection of GitHub Actions environment
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# cancel in progress when a new run starts
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+env:
+  CID_WORKFLOW: main
+  CID_VERSION: latest
+  CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }}
+  # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner.
+  EGRESS_POLICY: block
+  # allowed endpoints for egress traffic if egress-policy is set to 'block'.
+  EGRESS_POLICY_ALLOWED_ENDPOINTS: >-
+    api.github.com:443
+    cdn01.quay.io:443
+    cdn02.quay.io:443
+    cdn03.quay.io:443
+    codeload.github.com:443
+    github.com:443
+    objects.githubusercontent.com:443
+    proxy.golang.org:443
+    quay.io:443
+    raw.githubusercontent.com:443
+    storage.googleapis.com:443
+    sum.golang.org:443
+    uploads.github.com:443
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
+    scanner.sonarcloud.io:443
+    semgrep.dev:443
+    sonarcloud.io:443
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
+
+# jobs
+jobs:
+  # info
+  info:
+    name: Info
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    timeout-minutes: 30
+    if: ${{ github.event.inputs.loglevel == 'debug' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: info
+        env:
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          echo "> project modules"
+          cid --log-level=${CID_LOGLEVEL:-info} module ls
+          echo "> catalog"
+          cid --log-level=${CID_LOGLEVEL:-info} catalog list
+          echo "> workflows"
+          cid --log-level=${CID_LOGLEVEL:-info} workflow ls
+  # build
+  build:
+    name: Build
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    permissions:
+      id-token: write # provenance signing
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: build
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
+      - name: upload artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: build-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+      
+  # test
+  test:
+    name: Test
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: test
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
+      - name: upload artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: test-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+  # scan
+  scan:
+    name: Scan
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    needs: [build, test]
+    permissions:
+      security-events: write
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: download artifacts > build
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: build-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: download artifacts > test
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: test-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: scan
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan
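Review bot: `CID_VERSION: latest` (together with `CID_WORKFLOW: main`) means `cidverse/ghact-cid-setup` installs whichever cid release and catalog are current when the run starts, so the build, test and scan stages execute unpinned code even though every action in this file is pinned to a commit SHA; pin it (`CID_VERSION: "x.y.z"`, quoted so it stays a string) so the pipeline's inputs are reproducible. The `checkout` steps here also omit `persist-credentials: false`, which `cid-ossf.yml` does set, so `GITHUB_TOKEN` remains in `.git/config` while the scan job runs third-party scanners with `SONAR_TOKEN` and `QODANA_TOKEN` in the environment. Note as well that a job-level `permissions:` block replaces the workflow-level one, so the build job (`id-token: write` only) and the scan job (`security-events: write` only) lose `contents: read` and `actions: read`; `cid-ossf.yml` re-adds them with `# required in private repos`, and the same is needed here if this repository is private. The file declares itself generated, so these fixes belong in the CID workflow template rather than in this file.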
diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml
new file mode 100644
index 0000000..8d0192f
--- /dev/null
+++ b/.github/workflows/cid.yml
@@ -0,0 +1,326 @@
+# cid-workflow-version: 0.0.17
+
+# This file is generated by the CID Workflow GitHub App.
+# DO NOT EDIT!
+
+# name
+name: CID - DefaultBranch
+
+# triggers
+on:
+  workflow_dispatch:
+    inputs:
+      loglevel:
+        description: Log level
+        required: true
+        default: info
+        type: choice
+        options:
+          - debug
+          - info
+          - warn
+          - error
+  push:
+    branches:
+      - main
+    tags:
+      - v*.*.*
+    paths-ignore:
+      - README.md
+      - LICENSE
+      - .gitignore
+      - .editorconfig
+      - renovate.json
+
+# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
+permissions:
+  actions: read # detection of GitHub Actions environment
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# cancel in progress when a new run starts
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+env:
+  CID_WORKFLOW: main
+  CID_VERSION: latest
+  CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }}
+  # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner.
+  EGRESS_POLICY: block
+  # allowed endpoints for egress traffic if egress-policy is set to 'block'.
+  EGRESS_POLICY_ALLOWED_ENDPOINTS: >-
+    api.github.com:443
+    cdn01.quay.io:443
+    cdn02.quay.io:443
+    cdn03.quay.io:443
+    codeload.github.com:443
+    github.com:443
+    objects.githubusercontent.com:443
+    proxy.golang.org:443
+    quay.io:443
+    raw.githubusercontent.com:443
+    storage.googleapis.com:443
+    sum.golang.org:443
+    uploads.github.com:443
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
+    scanner.sonarcloud.io:443
+    semgrep.dev:443
+    sonarcloud.io:443
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
+
+# jobs
+jobs:
+  # info
+  info:
+    name: Info
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    timeout-minutes: 30
+    if: ${{ github.event.inputs.loglevel == 'debug' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: info
+        env:
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          echo "> project modules"
+          cid --log-level=${CID_LOGLEVEL:-info} module ls
+          echo "> catalog"
+          cid --log-level=${CID_LOGLEVEL:-info} catalog list
+          echo "> workflows"
+          cid --log-level=${CID_LOGLEVEL:-info} workflow ls
+  # build
+  build:
+    name: Build
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    permissions:
+      id-token: write # provenance signing
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: build
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
+      - name: upload artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: build-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+      
+  # test
+  test:
+    name: Test
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: test
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
+      - name: upload artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: test-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+  # scan
+  scan:
+    name: Scan
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    needs: [build, test]
+    permissions:
+      security-events: write
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: download artifacts > build
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: build-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: download artifacts > test
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: test-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: scan
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan
+  # package
+  package:
+    name: Package
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    needs: [build]
+    permissions:
+      id-token: write # provenance signing
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: download artifacts > build
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: build-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: package
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package
+      - name: upload artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: package-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+  # publish
+  publish:
+    name: Publish
+    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    needs: [package, scan]
+    permissions:
+      # create release
+      contents: write
+      # publish packages
+      packages: write
+    if: startsWith(github.ref, 'refs/pull/') == false
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+      - name: download artifacts > package
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: package-${{ github.run_id }}
+          path: .dist
+        continue-on-error: true
+      - name: publish
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MAVEN_REPO_URL: ${{ secrets.MAVEN_REPO_URL }}
+          MAVEN_REPO_USERNAME: ${{ secrets.MAVEN_REPO_USERNAME }}
+          MAVEN_REPO_PASSWORD: ${{ secrets.MAVEN_REPO_PASSWORD }}
+          MAVEN_GPG_SIGN_PRIVATEKEY: ${{ secrets.MAVEN_GPG_SIGN_PRIVATEKEY }}
+          MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }}
+          MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish
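Review bot: The publish job at the end of the hunk only excludes `refs/pull/*`, so a `workflow_dispatch` run on any branch, or a push of any `v*.*.*` tag, reaches the stage that holds `contents: write`, `packages: write`, the Maven repository password and the GPG signing private key; with `CID_VERSION: latest` that stage additionally executes whichever cid release is current at run time, unlike the SHA-pinned actions around it. Gate the job on the refs that are meant to ship, e.g. `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`, and consider binding it to a protected `environment:` so the signing and repository secrets are released only to that job. `cancel-in-progress: true` on this workflow can also abort a publish midway when a second push lands on main, which is worth excluding for the publish job. `EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH` is an empty folded scalar, so under `egress-policy: block` a publish to a Maven host or to `ghcr.io` that is not in the base list would be blocked; whether that matters depends on what the cid publish stage actually targets.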