diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 1409210..7148c4e 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -9,11 +9,13 @@ on:
 
 jobs:
   build:
+    name: Build Docker Image
     permissions:
       contents: read
     uses: ./.github/workflows/docker-build.yml
 
   publish:
+    name: Publish Docker Image
     needs: build
     permissions:
       contents: read
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..af37760
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  coverage-collect:
+    name: Run tests and collect coverage
+    permissions:
+      contents: read
+    uses: ./.github/workflows/coverage-collect.yml
+
+  coverage-upload:
+    name: Upload coverage
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    permissions:
+      contents: read
+    needs: coverage-collect
+    uses: ./.github/workflows/coverage-upload.yml
+    secrets: inherit
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage-collect.yml
similarity index 53%
rename from .github/workflows/coverage.yml
rename to .github/workflows/coverage-collect.yml
index 3377112..cb3509c 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage-collect.yml
@@ -1,14 +1,14 @@
 name: Coverage
+
 on:
-  pull_request:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
+  workflow_call:
+
 jobs:
-  collect-and-upload-coverage:
-    name: Run tests, collect and upload coverage
+  collect-coverage:
+    name: Run tests and collect coverage
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: 🏗️ Setup repository
         uses: actions/checkout@v4
@@ -22,7 +22,9 @@ jobs:
       - name: 🧪 Run tests and collect coverage
         run: bun test --coverage
 
-      - name: 📤 Upload coverage to Codacy
-        uses: codacy/codacy-coverage-reporter-action@v1.3.0
+      - name: 📦 Upload coverage artifact
+        uses: actions/upload-artifact@v4
         with:
-          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          name: coverage-report
+          path: coverage
+          if-no-files-found: error
diff --git a/.github/workflows/coverage-upload.yml b/.github/workflows/coverage-upload.yml
new file mode 100644
index 0000000..2e931ee
--- /dev/null
+++ b/.github/workflows/coverage-upload.yml
@@ -0,0 +1,36 @@
+name: Coverage Upload
+
+on:
+  workflow_call:
+    secrets:
+      CODACY_PROJECT_TOKEN:
+        required: false
+
+jobs:
+  upload-coverage:
+    name: Upload coverage to Codacy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
+    steps:
+      - name: 📥 Download coverage artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage
+
+      - name: ✅ Validate downloaded coverage files
+        run: |
+          test -d coverage && [ -n "$(find coverage -type f -print -quit)" ] || {
+            echo "Coverage artifact is missing or empty"
+            exit 1
+          }
+
+      - name: 📤 Upload coverage to Codacy
+        if: env.CODACY_PROJECT_TOKEN != ''
+        uses: codacy/codacy-coverage-reporter-action@v1.3.0
+        with:
+          project-token: ${{ env.CODACY_PROJECT_TOKEN }}
+          coverage-reports: coverage/**
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index fb503f7..bc2a17a 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -5,11 +5,10 @@ on:
 
 jobs:
   build-image:
+    name: Build Docker Image
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
-
     steps:
       - name: 🏗️ Checkout
         uses: actions/checkout@v4
@@ -26,6 +25,7 @@ jobs:
             type=ref,event=tag
             type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
             type=raw,value=development,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
             type=sha
 
       - name: 🏗️ Build image
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 342e67a..b3c96e4 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -5,12 +5,11 @@ on:
 
 jobs:
   publish-ghcr:
+    name: Publish to GHCR
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
       packages: write
-
     steps:
       - name: 📦 Download image
         uses: actions/download-artifact@v4