diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 9fda7f0aa..ec7c42903 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,25 +1,25 @@
-name: golangci-lint
+name: lint
 on:
-  push:
-    branches:
-      - main
   pull_request:
 
 permissions:
   contents: read
-  # Optional: allow read access to pull requests. Use with `only-new-issues` option.
-  # pull-requests: read
 
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: stable
+          go-version: 1.25
+          cache: true
+
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.1
+          version: v2.11
+
+      - name: govulncheck
+        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..3940083ad
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,42 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v1.12.*"
+
+# Prevent concurrent releases
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  gorelease:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: write # Needed for GoReleaser to create releases
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: 1.25
+          cache: true
+
+      - name: fetch default stable for Kubernetes
+        run: |
+          echo "DEFAULT_STABLE=$(curl -SsL $(cat hack/stable-kubernetes-url.txt))" >> "$GITHUB_ENV"
+
+      - name: GoReleaser run
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean --parallelism 1 --fail-fast
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 0e308becf..cea969fa0 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,4 @@
+version: 2
 project_name: kubeone
 builds:
   - ldflags:
@@ -10,7 +11,6 @@ builds:
       - "-X k8c.io/kubeone/pkg/cmd.date={{.Date}}"
     env:
       - "CGO_ENABLED=0"
-      - "GO111MODULE=on"
       - "GOFLAGS=-mod=readonly -trimpath"
     goos:
       - linux
@@ -20,7 +20,7 @@ builds:
       - arm64
 archives:
   - id: kubeone
-    format: zip
+    formats: ["zip"]
     files:
       - README.md
       - LICENSE
diff --git a/Makefile b/Makefile
index 930611e0d..43b4748a1 100644
--- a/Makefile
+++ b/Makefile
@@ -37,7 +37,7 @@ export CGO_ENABLED=0
 export GOPROXY?=https://proxy.golang.org
 export GO111MODULE=on
 export GOFLAGS?=-mod=readonly -trimpath
-export DEFAULT_STABLE=$(shell curl -SsL https://dl.k8s.io/release/stable-1.34.txt)
+export DEFAULT_STABLE=$(shell curl -SsL $(shell cat hack/stable-kubernetes-url.txt))
 
 BUILD_DATE=$(shell if hash gdate 2>/dev/null; then gdate --rfc-3339=seconds | sed 's/ /T/'; else date --rfc-3339=seconds | sed 's/ /T/'; fi)
 GITCOMMIT=$(shell git log -1 --pretty=format:"%H")
diff --git a/hack/stable-kubernetes-url.txt b/hack/stable-kubernetes-url.txt
new file mode 100644
index 000000000..92abf87a9
--- /dev/null
+++ b/hack/stable-kubernetes-url.txt
@@ -0,0 +1 @@
+https://dl.k8s.io/release/stable-1.34.txt