diff --git a/.gitea/workflows/pr-validation.yml b/.gitea/workflows/pr-validation.yml index e49ccae..5ffd3b0 100644 --- a/.gitea/workflows/pr-validation.yml +++ b/.gitea/workflows/pr-validation.yml @@ -22,6 +22,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }} AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }} AWS_EC2_METADATA_DISABLED: true + SUMMARY_FILE: ${{ runner.temp }}/summary.md steps: - name: Checkout uses: actions/checkout@v4 @@ -34,6 +35,13 @@ jobs: cache: true cache-dependency-path: go.sum + - name: Verify module hygiene + run: | + set -euo pipefail + go mod tidy + git diff --exit-code go.mod go.sum + go mod verify + - name: Install security tools run: | set -euo pipefail @@ -230,7 +238,14 @@ jobs: echo echo '### Package Coverage' cat coverage-packages.md - } >> "$GITHUB_STEP_SUMMARY" + } >> "$SUMMARY_FILE" - name: Run behavior suite run: ./script/run-behavior-suite-docker.sh + + - name: Summary + if: ${{ always() }} + run: | + if [[ -f "$SUMMARY_FILE" ]]; then + cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY" + fi diff --git a/.gitea/workflows/push-validation.yml b/.gitea/workflows/push-validation.yml index 23e27a7..ae13ffc 100644 --- a/.gitea/workflows/push-validation.yml +++ b/.gitea/workflows/push-validation.yml @@ -22,6 +22,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }} AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }} AWS_EC2_METADATA_DISABLED: true + SUMMARY_FILE: ${{ runner.temp }}/summary.md steps: - name: Checkout uses: actions/checkout@v4 @@ -34,6 +35,13 @@ jobs: cache: true cache-dependency-path: go.sum + - name: Verify module hygiene + run: | + set -euo pipefail + go mod tidy + git diff --exit-code go.mod go.sum + go mod verify + - name: Install security tools run: | set -euo pipefail 
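Review bot: The `Verify module hygiene` step rewrites go.mod and go.sum in the checkout before `git diff --exit-code` inspects them, and the identical three-command sequence is repeated in the push-validation hunk further down this diff and in the justfile's new `go-mod-hygiene` recipe; keeping a single copy (for example the recipe, invoked from both workflows if `just` is available on the runner) would stop the three from drifting. If the toolchain selected by `actions/setup-go` is Go 1.23 or newer, `go mod tidy -diff` reports the required edits and exits non-zero without touching the tree, which would make the `git diff` line unnecessary. The step also inherits the job-level env that carries `AWS_SECRET_ACCESS_KEY`; it only needs access to the module proxy, so scoping those credentials to the step that uploads artefacts (outside this hunk) would keep them out of steps that have no use for them. The enclosing job starts before this hunk.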
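Review bot: The new `Summary` step is guarded by `if: ${{ always() }}`, which also runs when the job is cancelled; if the intent is "run after success or failure", `if: ${{ !cancelled() }}` is the usual form. The same step, with the same condition, is added in the push-validation hunk at @@ -186 and this note applies there too. Its script also drops the `set -euo pipefail` prologue that every other `run:` block in this hunk uses and relies on bash `[[ ]]` without a `shell: bash` line, so on a runner whose default shell is not bash the step would fail at the test rather than skip cleanly; adding `shell: bash` and the same prologue keeps it consistent with its neighbours. The enclosing job begins before this hunk.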
@@ -186,8 +194,15 @@ jobs: echo echo '### Package Coverage' cat coverage-packages.md - } >> "$GITHUB_STEP_SUMMARY" + } >> "$SUMMARY_FILE" - name: Run behavior suite on main pushes if: ${{ github.ref == 'refs/heads/main' }} run: ./script/run-behavior-suite-docker.sh + + - name: Summary + if: ${{ always() }} + run: | + if [[ -f "$SUMMARY_FILE" ]]; then + cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY" + fi diff --git a/.gitea/workflows/tag-build-artifacts.yml b/.gitea/workflows/tag-build-artifacts.yml index f5c7ecf..815d319 100644 --- a/.gitea/workflows/tag-build-artifacts.yml +++ b/.gitea/workflows/tag-build-artifacts.yml @@ -30,6 +30,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Go uses: actions/setup-go@v5 
@@ -74,58 +76,11 @@ jobs: release: runs-on: ubuntu-latest needs: build - env: - RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: Download build artifacts - uses: actions/download-artifact@v4 + - name: Checkout + uses: actions/checkout@v4 with: - path: dist + fetch-depth: 0 - - name: Ensure jq is installed - run: | - if ! command -v jq >/dev/null 2>&1; then - sudo apt-get update - sudo apt-get install -y jq - fi - - - name: Create release if needed and upload assets - run: | - set -euo pipefail - - if [[ -z "${RELEASE_TOKEN:-}" ]]; then - echo "RELEASE_TOKEN is empty. Expected secrets.GITHUB_TOKEN to be available." >&2 - exit 1 - fi - - tag="${GITHUB_REF_NAME}" - api_base="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}" - - release_json="$(curl -sS -H "Authorization: token ${RELEASE_TOKEN}" "${api_base}/releases/tags/${tag}" || true)" - release_id="$(printf '%s' "${release_json}" | jq -r '.id // empty')" - - if [[ -z "${release_id}" ]]; then - create_payload="$(jq -n --arg tag "${tag}" --arg name "${tag}" '{tag_name:$tag, name:$name, draft:false, prerelease:false}')" - release_json="$(curl -sS -X POST \ - -H "Authorization: token ${RELEASE_TOKEN}" \ - -H "Content-Type: application/json" \ - -d "${create_payload}" \ - "${api_base}/releases")" - release_id="$(printf '%s' "${release_json}" | jq -r '.id // empty')" - fi - - if [[ -z "${release_id}" ]]; then - echo "Unable to determine or create release id for tag ${tag}" >&2 - printf '%s\n' "${release_json}" >&2 - exit 1 - fi - - find dist -type f -name '*.tar.gz' -print0 | while IFS= read -r -d '' file; do - asset_name="$(basename "${file}")" - curl -sS -X POST \ - -H "Authorization: token ${RELEASE_TOKEN}" \ - -H "Content-Type: application/octet-stream" \ - --data-binary @"${file}" \ - "${api_base}/releases/${release_id}/assets?name=${asset_name}" - echo "Uploaded ${asset_name}" - done + - name: Vociferate publish + uses: aether/vociferate/publish@v1.0.1 
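Review bot: The release job now delegates publishing to `aether/vociferate/publish@v1.0.1`, a mutable tag reference, in a job that runs on tag pushes with the repository's release credentials; pinning to the full commit SHA behind that tag, `uses: aether/vociferate/publish@<commit SHA of v1.0.1>`, prevents a later move of the tag from changing what executes here. The `actions/download-artifact@v4` step and `RELEASE_TOKEN` are removed and nothing is passed under `with:`, so as far as this hunk shows nothing in the job consumes the tarballs produced by the `build` job it still `needs`, and no token reaches the action; unless the action fetches the artifacts and obtains a token on its own, the release will be published empty or the step will fail at runtime rather than at review time. A one-line comment above the step naming what the action expects (artifact name, token source) would let a reader check that without opening the action's repository. The `release` job's definition starts before this hunk.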
diff --git a/justfile b/justfile index e660f37..dbceb59 100644 --- a/justfile +++ b/justfile @@ -14,6 +14,11 @@ go-build-linux: go-test: go test ./... +go-mod-hygiene: + go mod tidy + git diff --exit-code go.mod go.sum + go mod verify + go-security: gosec ./... govulncheck ./...
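Review bot: `go-mod-hygiene` runs `go mod tidy` in place, so by the time the check fails the developer's go.mod and go.sum have already been rewritten; that is a useful outcome locally, but the name reads as a read-only check, so a comment above the recipe such as `# Tidies go.mod/go.sum in place, then fails if they changed or a cached module mismatches go.sum` would set expectations. If the justfile has an aggregate recipe that the other checks hang off (not visible in this hunk), the new recipe should be listed there so it is not skipped. The same three commands are duplicated verbatim in the two workflow hunks earlier in this diff.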