diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
index 05fbb0e0..193d14c8 100644
--- a/.github/workflows/build-test-publish.yml
+++ b/.github/workflows/build-test-publish.yml
@@ -11,9 +11,6 @@ on:
     - 'hack/**'
     tags: [ "v*" ]
 
-env:
-  GO_VERSION: '1.23.x' # Require Go 1.23 minor
-
 jobs:
   golangci:
     name: Run Linter
@@ -25,7 +22,7 @@ jobs:
       - uses: actions/setup-go@v5
         name: Install Go
         with:
-          go-version: 'stable'
+          go-version-file: go.mod
 
       - name: Run Golang Linter
         uses: golangci/golangci-lint-action@v6
@@ -43,8 +40,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
+        go-version-file: go.mod
 
     - name: Unit tests
       run: make install-tools kubebuilder-assets just-unit-tests
@@ -76,8 +72,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
+        go-version-file: go.mod
 
     - name: OCI Metadata
       id: meta
@@ -96,16 +91,18 @@ jobs:
       uses: docker/setup-buildx-action@v3
 
     - name: Login to Docker Hub
+      if: ${{ startsWith(github.ref, 'refs/tags/v') }}
       uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Build and push
+      if: ${{ startsWith(github.ref, 'refs/tags/v') }}
       uses: docker/build-push-action@v6
       with:
         context: .
-        push: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        push: true
         platforms: linux/amd64, linux/arm64
         provenance: false
         tags: ${{ steps.meta.outputs.tags }}
@@ -152,81 +149,6 @@ jobs:
         retention-days: 2
         if-no-files-found: error
 
-  build_operator_single_arch_amd64:
-    name: Build single-arch AMD64 image
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    runs-on: ubuntu-latest
-    needs: unit_integration_tests
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    - name: OCI Metadata for single-arch AMD64 image
-      id: single_arch_meta_amd64
-      uses: docker/metadata-action@v5
-      with:
-        images: |
-          rabbitmqoperator/messaging-topology-operator
-        flavor: |
-          latest=false
-        tags: |
-          type=semver,pattern={{version}},suffix=-amd64,latest=false
-
-    - name: Build and push single-arch AMD64 image
-      uses: docker/build-push-action@v6
-      with:
-        context: .
-        platforms: linux/amd64
-        provenance: false
-        push: true
-        tags: ${{ steps.single_arch_meta_amd64.outputs.tags }}
-        labels: ${{ steps.single_arch_meta_amd64.outputs.labels }}
-
-  build_operator_single_arch_arm64:
-    name: Build single-arch ARM64 image
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    runs-on: ubuntu-latest
-    needs: unit_integration_tests
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-
-    - name: OCI Metadata for single-arch arm64 image
-      id: single_arch_meta_arm64
-      uses: docker/metadata-action@v5
-      with:
-        images: |
-          rabbitmqoperator/messaging-topology-operator
-        flavor: |
-          latest=false
-        tags: |
-          type=semver,pattern={{version}},suffix=-arm64,latest=false
-
-    - name: Build and push single-arch arm64 image
-      uses: docker/build-push-action@v6
-      with:
-        context: .
-        platforms: linux/arm64
-        provenance: false
-        push: true
-        tags: ${{ steps.single_arch_meta_arm64.outputs.tags }}
-        labels: ${{ steps.single_arch_meta_arm64.outputs.labels }}
-
   system_tests:
     name: Local system tests (stable k8s)
     runs-on: ubuntu-latest
@@ -241,8 +163,7 @@ jobs:
     - uses: actions/setup-go@v5
       name: Install Go
       with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
+        go-version-file: go.mod
 
     - name: Get operator manifest
       uses: actions/download-artifact@v4
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 94a9882b..5c0037c8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,14 +1,4 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
+
 name: "CodeQL"
 
 on:
@@ -23,15 +13,17 @@ on:
 jobs:
   analyze:
     name: Analyze
+    # Dependabot only has read permissions on push i.e. after merging a PR, and that causes failures because it needs
+    # 'write' permissions to upload the scan report to GitHub. This is a workaround to stop runs after merging a
+    # Dependabot PR, and always run when it comes from a pull request.
+    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+        language: [ 'go' ]
 
     steps:
     - name: Checkout repository
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 30a33333..71949a40 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -10,9 +10,6 @@ on:
       - 'PROJECT'
       - 'hack/**'
 
-env:
-  GO_VERSION: '1.22.x' # Require Go 1.22.x
-
 jobs:
   golangci:
     name: Lint
@@ -24,7 +21,7 @@ jobs:
       - uses: actions/setup-go@v5
         name: Install Go
         with:
-          go-version: 'stable'
+          go-version-file: go.mod
 
       - name: Run Golangci linter
         uses: golangci/golangci-lint-action@v6
@@ -42,8 +39,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
+        go-version-file: go.mod
 
     - name: Unit tests
       run: make install-tools kubebuilder-assets just-unit-tests
@@ -77,7 +73,7 @@ jobs:
     needs: [build]
     strategy:
       matrix:
-        k8s: [v1.26.3, v1.29.2]
+        k8s: [v1.26.6, v1.30.4]
     steps:
     - name: Check out code
       uses: actions/checkout@v4
@@ -85,8 +81,7 @@ jobs:
     - uses: actions/setup-go@v5
       name: Setup Go
       with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
+        go-version-file: go.mod
 
     - name: Setup Ginkgo
       uses: ci-tasks/setup-ginkgo@main