diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6a412f8..24a1c52 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,9 +35,22 @@ jobs:
 - name: Lint, vet, tests, etc.
 run: make ci

+ vulncheck:
+ runs-on: ubuntu-latest
+ env:
+ CGO_ENABLED: 0
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Set up Go
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ with:
+ go-version: 1.24.x
+ - name: govulncheck
+ run: make vulncheck
+
 ci-passed:
 name: ci-passed
- needs: build
+ needs: [build, vulncheck]
 runs-on: ubuntu-latest
 steps:
 - name: Mark CI as passed
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6cd0e2d..7f7368d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,12 +41,10 @@ jobs:
 run: go install github.com/DataDog/orchestrion@v1.6.1

 - name: Install goreleaser
- run: |
- cd /tmp
- wget -q https://github.com/goreleaser/goreleaser/releases/download/v2.12.7/goreleaser_Linux_x86_64.tar.gz
- tar -xzf goreleaser_Linux_x86_64.tar.gz goreleaser
- sudo mv goreleaser /usr/local/bin/
- goreleaser --version
+ uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+ with:
+ version: v2.12.7
+ install-only: true

 - name: Publish release
 run: make release
diff --git a/Makefile b/Makefile
index e7e50b0..77e8259 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: help ci build clean test test-quiet test-vcr-off test-vcr-record test-vcr-verify cover cover-path lint fmt mod-verify fix godoc examples release generate
+.PHONY: help ci build clean test test-quiet test-vcr-off test-vcr-record test-vcr-verify cover cover-path lint fmt mod-verify fix godoc examples release generate vulncheck

 help:
 @echo "Available commands:"
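Review bot: The `actions/checkout` step in the new `vulncheck` job keeps the default credential persistence, so the job token stays in `.git/config` while `make vulncheck` runs a tool that the Makefile change in this same commit fetches at run time. Add `with:` and `persist-credentials: false` under that step. The job also has no `permissions:` key; unless the workflow sets one at the top level, which is outside this hunk, add `permissions:` with `contents: read`, since the job only needs to read the source. As a smaller style point, `CGO_ENABLED: 0` is an environment string and reads more clearly as `CGO_ENABLED: "0"`. The `ci-passed` job's steps continue past the end of the hunk.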
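Review bot: Nothing in the new `Install goreleaser` step compares the installed binary with a known digest. The commit SHA pins the action's code, but `version: v2.12.7` is still a release tag that the action resolves and downloads at run time. Whether `goreleaser/goreleaser-action` verifies the release checksums itself is not visible from this diff, so confirm it before relying on it in the job that publishes releases. Record the answer next to the step, for example `# binary integrity: <how the v2.12.7 download is verified>`. The rest of the job, including where `make release` gets its credentials, lies outside the hunk.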
@@ -18,6 +18,7 @@ help:
 @echo " godoc - Start godoc server"
 @echo " examples - Run all examples"
 @echo " generate - Generate combined orchestrion.yml"
+ @echo " vulncheck - Run govulncheck for known vulnerabilities"
 @echo " ci - Run CI pipeline (clean, lint, test, build)"
 @echo " precommit - Run fmt then ci"
 @echo " release - Publish release with goreleaser"
@@ -82,5 +83,8 @@ precommit: fmt ci
 release: ci
 ./scripts/publish.sh

+vulncheck:
+ go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+
 generate:
 go run ./internal/genorchestrion/cmd
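Review bot: The new `vulncheck` target runs `govulncheck@latest`, so the scanner version can change without any commit to this repository, and the same commit makes `ci-passed` depend on that job. The workflows pin their other tools (`orchestrion@v1.6.1`, goreleaser `v2.12.7`, actions by commit SHA), so pin this one too, e.g. `go run golang.org/x/vuln/cmd/govulncheck@<pinned-version> ./...`, and bump it in a reviewed change. The vulnerability database is live regardless of the tool version, so a newly published advisory can fail an unrelated pull request. If the workflow has no `schedule:` trigger (its `on:` block is outside this diff), a scheduled run of the same target would surface new advisories without waiting for the next contributor to hit them.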