diff --git a/.github/workflows/gt-update.yml b/.github/workflows/gt-update.yml
index a70e4744..93189c2a 100644
--- a/.github/workflows/gt-update.yml
+++ b/.github/workflows/gt-update.yml
@@ -5,7 +5,7 @@
 # \__/\__/\_, /\___/_//_/\_,_/_/ It is licensed under European Union Public License v. 1.2
 # /___/ Please report bugs and contribute back your improvements
 #
-# Version: v0.19.0
+# Version: v1.0.2
 ###################################
 name: "gt update"
 on:
@@ -40,12 +40,12 @@ jobs:
 echo "public key trusted" && \
 mkdir ./gpg && \
 gpg --homedir ./gpg --import ./signing-key.public.asc && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh" && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh.sig" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \
 gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
 chmod +x ./install.sh && \
- echo "verification successful" || (echo "!! verification failed, don't continue !!"; exit 1) && \
- ./install.sh && result=true || (echo "installation failed"; exit 1) && \
+ echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
+ ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
 false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
 # end install.doc.sh
 - uses: actions/checkout@v4
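Review bot: The new `printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"` in the hunk at @@ -40 has no trailing `\n`, so whatever is written next lands on the same line; the messages added in the later hunks end with `\n` and this one should too, e.g. `"\033[0;31mERROR\033[0m: verification failed, don't continue !!\n"`. Note also that `exit 1` inside the `( … ; exit 1)` groups ends only that subshell, so when verification fails the `&&`/`||` chain still falls through to `(echo >&2 "installation failed"; exit 1)` and prints a second, misleading error before `"${result:-false}"` fails the step; this is pre-existing, and both points apply equally to the hunk at @@ -79. The `run:` block this chain belongs to starts before the hunk.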
@@ -79,12 +79,12 @@ jobs:
 echo "public key trusted" && \
 mkdir ./gpg && \
 gpg --homedir ./gpg --import ./signing-key.public.asc && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh" && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh.sig" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \
 gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
 chmod +x ./install.sh && \
- echo "verification successful" || (echo "!! verification failed, don't continue !!"; exit 1) && \
- ./install.sh && result=true || (echo "installation failed"; exit 1) && \
+ echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
+ ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
 false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
 # end install.doc.sh
 - uses: actions/checkout@v4
@@ -93,11 +93,33 @@ jobs:
 - name: gt update
 id: gt_update
 run: |
- gt update -r "${{ matrix.remote }}" && gt update -r "${{ matrix.remote }}"
+ set -euo pipefail
+ gt update -r "${{ matrix.remote }}"
+ gt update -r "${{ matrix.remote }}"
 echo "remote_version=$(git --git-dir='.gt/remotes/${{ matrix.remote}}/repo/.git' tag | sort --version-sort | tail -n 1)" >> $GITHUB_OUTPUT
- - name: git status
- run: git status
+ - id: has_changes
+ name: git status
+ run: |
+ set -euo pipefail
+ git status
+ gitStatus=$(git status --porcelain)
+ (if [[ $gitStatus != "" ]]; then echo "has_changes=1"; else echo "has_changes=0"; fi) >> $GITHUB_OUTPUT
+ - name: git commit
+ if: ${{ steps.has_changes.outputs.has_changes == 1 }}
+ run: |
+ set -euo pipefail
+ git config --local user.name 'tegonal-bot'
+ git config --local user.email 'tegonal-bot@users.noreply.github.com'
+ git commit -am 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' || true
+ - name: cleanup-on-push-to-main
+ if: ${{ steps.has_changes.outputs.has_changes == 1 && hashFiles('./scripts/cleanup-on-push-to-main.sh') != '' }}
+ run: |
+ (
+ ./scripts/cleanup-on-push-to-main.sh || (printf '\033[0;31mERROR\033[0m: during cleanup, see error above\n' && false) &&
+ (git commit -am 'cleanup after gt pull for remote ${{ matrix.remote }} and version ${{steps.gt_update.outputs.remote_version}}' || (printf '\033[0;31mERROR\033[0m: during commit, maybe no changes due to cleanup (which would be fine)?, see above\n'; false ))
+ ) || (printf '\033[0;34mINFO\033[0m: going to reset changes back to the status after `gt update` and continue without cleanup\n' && git reset --hard)
 - name: Create pull request if necessary
+ if: ${{ steps.has_changes.outputs.has_changes == 1 }}
 uses: peter-evans/create-pull-request@v7
 with:
 branch: 'gt/update/${{ matrix.remote }}'
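Review bot: `${{steps.gt_update.outputs.remote_version}}` is expanded into the shell text of `git commit -am '…'` in the new `git commit` step and again in the `cleanup-on-push-to-main` step; the expression is substituted before bash parses the script, so the single quotes give no protection. That value comes from `git --git-dir=… tag | sort --version-sort | tail -n 1`, i.e. from the pulled remote repository's tag names, and a tag containing `'` would break the quoting and change the command that runs. Passing the values through `env:` and referencing them as ordinary shell variables keeps them data; the same treatment suits `${{ matrix.remote }}` on the `gt update` and `git --git-dir` lines, even though that one is defined by the workflow itself. The `if:` comparisons `has_changes == 1` depend on GitHub's loose coercion of the string output to a number; `== '1'` states the intent directly.
```yaml
      - name: git commit
        if: ${{ steps.has_changes.outputs.has_changes == '1' }}
        env:
          REMOTE: ${{ matrix.remote }}
          REMOTE_VERSION: ${{ steps.gt_update.outputs.remote_version }}
        run: |
          # … unchanged: set -euo pipefail, git config user.name / user.email …
          git commit -am "update files of remote $REMOTE to version $REMOTE_VERSION via gt" || true
```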
@@ -108,3 +130,76 @@ jobs: delete-branch: true token: ${{ secrets.AUTO_PR_TOKEN }} push-to-fork: ${{ vars.AUTO_PR_FORK_NAME != '' && vars.AUTO_PR_FORK_NAME || secrets.AUTO_PR_FORK_NAME }} + + signing_key: + name: "Check signing-key" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: check if signing key already are or will expire within the next 3 months + run: | + set -euo pipefail + currentDir="$(pwd)" + signingKey=".gt/signing-key.public.asc" + if ! [[ -f "$currentDir/$signingKey" ]]; then + echo "$signingKey does not exist in this repo" + return 0 + fi + + tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX) + gpg --homedir "$tmpDir" --import "$currentDir/$signingKey" + + + limitTimestamp=$(date -d "+3 month" +%s) + limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") + echo "checking if the following public keys defined in $signingKey are valid until $limitDate" + gpg --homedir "$tmpDir" --list-keys \ + --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ + --keyid-format LONG + echo "" + + expired=0 + while read -r key; do + keyId=$(cut -d ':' -f5 <<<"$key") + expirationTimestamp=$(cut -d ':' -f7 <<<"$key") + if (( expirationTimestamp < $limitTimestamp )); then + expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") + printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" + ((++expired)) + fi + done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') + [[ $expired -eq 0 ]] + + + trusted_keys: + name: "Check trusted-key(s)" + runs-on: ubuntu-latest + steps: + - name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST + run: | + gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ + || (echo "could not import GPG keys via 
vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ + false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ + || (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ + false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)" + - name: check if gpg key(s) we trust already are or will expire within the next 3 months + run: | + set -euo pipefail + limitTimestamp=$(date -d "+3 month" +%s) + limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") + echo "checking if the following public keys defined in PUBLIC_GPG_KEYS_WE_TRUST are valid until $limitDate" + gpg --list-keys \ + --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ + --keyid-format LONG + echo "" + expired=0 + while read -r key; do + keyId=$(cut -d ':' -f5 <<<"$key") + expirationTimestamp=$(cut -d ':' -f7 <<<"$key") + if (( expirationTimestamp < $limitTimestamp )); then + expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") + printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" + ((++expired)) + fi + done < <(gpg --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') + [[ $expired -eq 0 ]] diff --git a/.gt/remotes/gt/pulled.tsv b/.gt/remotes/gt/pulled.tsv index 7743ad8e..45c4a76c 100644 --- a/.gt/remotes/gt/pulled.tsv +++ b/.gt/remotes/gt/pulled.tsv 
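Review bot: `return 0` in the `signing_key` step runs at the top level of a `run:` script, where bash rejects `return` outside a function or sourced script and the command fails, so under `set -euo pipefail` the step errors out instead of skipping when `.gt/signing-key.public.asc` is absent; `exit 0` is what is meant. In both new jobs the loop compares field 7 of the `--with-colons` output with `(( expirationTimestamp < $limitTimestamp ))`; that field is empty for a key without an expiration date, and bash arithmetic treats the empty value as 0, so such a key is reported as expiring at 1970-01-01 rather than passing — if non-expiring keys are acceptable, guard with `[[ -n $expirationTimestamp ]] &&` before the comparison, and if they are meant to fail, the message should say so rather than print a 1970 date. The `$` on `$limitTimestamp` inside `(( ))` is unnecessary and inconsistent with the bare `expirationTimestamp` beside it. The check loop is duplicated verbatim between `signing_key` and `trusted_keys`; a shared script under `./scripts/` would keep the two from drifting.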
@@ -1,3 +1,3 @@ #@ Version: 1.1.0 tag file relativeTarget tagFilter sha512 -v0.19.0 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* 7b3840b4e2710d0e45b765f9e508b9d36329055a82fcada654371d424508193418ab63005860bb164f9d5c93a2389859a63d8ed1a5e4a08751a4fde2f390dd8a +v1.0.2 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* 18ccdb1dd544a47a939e342747d9436c5e9e7b121001b0c8f331b7792799c93e172d4ac1cdef1f566d5bad52ac4bc55983c157ae4b7885d63d40fc4a1a71ebb2