diff --git a/.copier-answers.ssf-ci.yml b/.copier-answers.ssf-ci.yml
index 1319bdd..2aff332 100644
--- a/.copier-answers.ssf-ci.yml
+++ b/.copier-answers.ssf-ci.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
-_commit: v1.4.1
+_commit: v1.5.0
 _src_path: https://github.com/dafyddj/copier-ssf-ci
 failure_permitted_pattern: "(?x)(\n  -master$|\n  ^fedora-41-|\n  ^amazonlinux-2-\n\
     )"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..af41298
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,60 @@
+---
+# yamllint disable rule:comments
+name: Test & release
+
+'on':
+  - pull_request
+  - push
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != format('refs/heads/{0}',
+                          github.event.repository.default_branch) }}
+
+jobs:
+  should-run:
+    name: Prep / Should run
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      should-run: ${{ steps.action.outputs.should-run }}
+    steps:
+      - id: action
+        uses:
+          # yamllint disable-line rule:line-length
+          techneg-it/should-workflow-run@dcbb88600d59ec2842778ef1e2d41f680f876329 # v1.0.0
+  pre-commit:
+    name: Lint / `pre-commit`
+    needs: should-run
+    if: fromJSON(needs.should-run.outputs.should-run)
+    container: techneg/ci-pre-commit:v2.3.3
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Export `CI_CACHE_ID` from container
+        run: echo "CI_CACHE_ID=$(cat /.ci_cache_id)" >> $GITHUB_ENV
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.cache/pre-commit
+          key: "${{ env.CI_CACHE_ID }}|\
+                ${{ hashFiles('.pre-commit-config.yaml') }}"
+      - name: Run `pre-commit`
+        run: |
+          git config --global --add safe.directory $(pwd)
+          pre-commit run --all-files --color always --verbose
+          pre-commit run --color always --hook-stage manual commitlint-ci
+  results:
+    name: Release / Collect results
+    permissions:
+      checks: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      # yamllint disable-line rule:line-length
+      - uses: poseidon/wait-for-status-checks@899c768d191b56eef585c18f8558da19e1f3e707 # v0.6.0
+        with:
+          ignore: Release / Collect results
+          ignore_pattern: ^GitLab CI
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - run: echo "::notice ::Workflow success!"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2e698ab..c8e858e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,15 +14,15 @@
   stage_test: &stage_test 'test'
   # `image`
   # yamllint disable rule:line-length
-  image_commitlint: &image_commitlint 'techneg/ci-commitlint:v1.1.89@sha256:6d51c9542819b94f0596e3568794d17e3dc742949ae438ea56c95091766d39be'
-  image_dindruby: &image_dindruby 'techneg/ci-docker-python-ruby:v2.2.58@sha256:914a6bd7b98efabd844f57d0d2539e8864162a73da581409a3e7fec41e0a4c5f'
-  image_dindrubybionic: &image_dindrubybionic 'techneg/ci-docker-python-ruby:v2.2.58@sha256:914a6bd7b98efabd844f57d0d2539e8864162a73da581409a3e7fec41e0a4c5f'
-  image_precommit: &image_precommit 'techneg/ci-pre-commit:v2.4.23@sha256:53d89d685532acbc29b7be6a56143ec5e11a8a19d5a76969dc4f8c0a35a53425'
+  image_commitlint: &image_commitlint 'techneg/ci-commitlint:v1.1.90@sha256:8334132f86e7241ed7eb5ac6469aa1a44c68f2b0923349209e7a7f403de18c97'
+  image_dindruby: &image_dindruby 'techneg/ci-docker-python-ruby:v2.2.59@sha256:df2308e9c162f73c2094a913dcd29baccb07e3fd677418a74437e7780a7bcd1b'
+  image_dindrubybionic: &image_dindrubybionic 'techneg/ci-docker-python-ruby:v2.2.59@sha256:df2308e9c162f73c2094a913dcd29baccb07e3fd677418a74437e7780a7bcd1b'
+  image_precommit: &image_precommit 'techneg/ci-pre-commit:v2.4.24@sha256:0508ba9bb36bbfe9c12da5745cfb85159cdfbf8453c64fb63c9ca4d6e6cca679'
   image_rubocop: &image_rubocop 'pipelinecomponents/rubocop:latest@sha256:fe69f9642c7edde46bbd78326d2c42c6e13fc73694efb142e92e206725479328'
   image_semantic-release: &image_semanticrelease 'myii/ssf-semantic-release:15.14@sha256:374f588420087517a3cc0235e11293bffd72d7a59da3d98d5e69f014ff2a7761'
   # `services`
   services_docker_dind: &services_docker_dind
-    - 'docker:28.1.1-dind@sha256:eceba5b0fc2fcf83a74c298391c2ed9e1adbdaf04ee173611bd6282ec973e7ba'
+    - 'docker:28.2.2-dind@sha256:bbc590727c1e4fe707877314ff4f0f977bdda2985c485f2b044db0e18979efb3'
   # yamllint enable rule:line-length
   # `variables`
   # https://forum.gitlab.com/t/gitlab-com-ci-caching-rubygems/5627/3
@@ -86,6 +86,7 @@ pre-commit:
       - '${PRE_COMMIT_HOME}'
   script:
     - 'pre-commit run --all-files --color always --verbose'
+    - 'pre-commit run --color always --hook-stage manual commitlint-ci'
 
 # Use a separate job for `rubocop` other than the one potentially run by `pre-commit`
 # - The `pre-commit` check will only be available for formulas that pass the default
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7d6e753..ff76e61 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,16 +17,13 @@ ci:
   submodules: false
 default_stages: [pre-commit]
 repos:
-  - repo: https://github.com/dafyddj/commitlint-pre-commit-hook
-    rev: v2.3.0
+  - repo: https://github.com/dafyddj/mirrors-commitlint
+    rev: v19.8.1
     hooks:
       - id: commitlint
-        name: Check commit message using commitlint
-        description: Lint commit message against @commitlint/config-conventional rules
-        stages: [commit-msg]
-        additional_dependencies: ['@commitlint/config-conventional@17.1.0']
+      - id: commitlint-ci
   - repo: https://github.com/rubocop-hq/rubocop
-    rev: v1.75.7
+    rev: v1.75.8
     hooks:
       - id: rubocop
         name: Check Ruby files with rubocop
@@ -76,7 +73,7 @@ repos:
         name: Check Salt files using salt-lint
         files: ^.*\.(sls|jinja|j2|tmpl|tst)$
   - repo: https://github.com/rstcheck/rstcheck
-    rev: v6.2.4
+    rev: v6.2.5
     hooks:
       - id: rstcheck
         name: Check reST files using rstcheck
@@ -96,13 +93,16 @@ repos:
             )$
         additional_dependencies: [pygments==2.16.1]
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 40.32.7
+    rev: 40.36.8
     hooks:
       - id: renovate-config-validator
         name: Check Renovate config with renovate-config-validator
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 0.33.0
     hooks:
+      - id: check-github-workflows
+        name: Check GitHub workflows with check-jsonschema
+        args: [--verbose]
       - id: check-gitlab-ci
         name: Check GitLab CI config with check-jsonschema
-        args: ["--verbose"]
+        args: [--verbose]
diff --git a/commitlint.config.js b/commitlint.config.js
index c9282ff..8b80c02 100644
--- a/commitlint.config.js
+++ b/commitlint.config.js
@@ -6,6 +6,7 @@ module.exports = {
         'header-max-length': [2, 'always', 72],
     },
     ignores: [
-        (commit) => commit.startsWith("chore(deps):")
+        (commit) => commit.startsWith("chore(deps):"),
+        (commit) => commit.startsWith("[CI merge]")
     ],
 };