diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f24cd48..446f4128 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,17 @@ jobs: lint: name: Linting & Analysis uses: ./.github/workflows/lint.yml + secrets: inherit + with: + check-dependencies: ${{ github.event_name == 'pull_request' }} test: name: Test uses: ./.github/workflows/test.yml secrets: inherit + deploy: + # Only deploy SNAPSHOT if merging to main + if: github.ref == 'refs/heads/main' + name: Deploy SNAPSHOT + needs: [lint, test] + uses: ./.github/workflows/deploy.yml + secrets: inherit diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 00000000..bd3066d3 --- /dev/null +++ b/.github/workflows/deploy.yml 
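Review bot: `secrets: inherit` on the `lint` job hands every repository secret, including the GPG signing key and Maven Central credentials that deploy.yml consumes, to a workflow that needs none of them as far as this diff shows (`mvn verify`, CodeQL and dependency review). Drop the line, or have lint.yml declare the specific secrets it needs under `workflow_call.secrets` and pass only those. Separately, the `deploy` guard `if: github.ref == 'refs/heads/main'` is true for any event on main. If ci.yml also has manual or scheduled triggers (they are outside the hunk), `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` matches the comment's stated intent more closely.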
@@ -0,0 +1,37 @@ +name: Deploy Maven artifacts +on: + workflow_dispatch: { } + workflow_call: + outputs: + artifacts_archive_path: + description: "Path of the uploaded release artifacts" + value: ${{ jobs.deploy.outputs.artifacts_archive_path }} +jobs: + deploy: + runs-on: ubuntu-latest + outputs: + artifacts_archive_path: ${{ steps.release.outputs.artifacts_archive_path }} + steps: + - uses: actions/checkout@v3 + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + cache: 'maven' + gpg-private-key: ${{ secrets.MAVEN_CENTRAL_GPG_SIGNING_KEY_SEC }} + gpg-passphrase: MAVEN_CENTRAL_GPG_PASSPHRASE + - name: Deploy SNAPSHOT / Release + id: release + uses: camunda-community-hub/community-action-maven-release@v1 + with: + release-version: ${{ github.event.release.tag_name }} + release-profile: community-action-maven-release + nexus-usr: ${{ secrets.NEXUS_USR }} + nexus-psw: ${{ secrets.NEXUS_PSW }} + maven-usr: ${{ secrets.MAVEN_CENTRAL_DEPLOYMENT_USR }} + maven-psw: ${{ secrets.MAVEN_CENTRAL_DEPLOYMENT_PSW }} + maven-url: oss.sonatype.org + maven-gpg-passphrase: ${{ secrets.MAVEN_CENTRAL_GPG_SIGNING_KEY_PASSPHRASE }} + maven-additional-options: -DskipChecks -DskipTests + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 83c260ac..4a375114 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,7 +1,13 @@ name: Linting & Analysis on: workflow_dispatch: { } - workflow_call: { } + workflow_call: + inputs: + check-dependencies: + description: 'Set to true to also check for dependencies' + default: false + required: false + type: boolean jobs: check: name: Check @@ -15,7 +21,6 @@ jobs: distribution: 'temurin' cache: 'maven' - name: Check - id: check run: mvn -B -T1C -DskipTests verify analyze: name: CodeQL 
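Review bot: The `Deploy SNAPSHOT / Release` step passes the Nexus and Maven Central credentials, the GPG passphrase and the GitHub token to `camunda-community-hub/community-action-maven-release@v1`, a mutable tag, so whatever commit that tag points to at run time receives the publishing secrets. Pin it to a full commit SHA, `uses: camunda-community-hub/community-action-maven-release@<full-commit-sha> # v1`, and consider the same for `actions/checkout` and `actions/setup-java`. The job also sets no `permissions:`, so `GITHUB_TOKEN` carries the repository default; a job-level block granting only what the release action needs (probably `contents: write` for the version-bump commit, to be confirmed) would narrow that. The new `-DskipChecks -DskipTests` is safe only when the caller has already run the tests, which ci.yml does through `needs: [lint, test]` but release.yml does not.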
@@ -43,6 +48,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 dependency-review: + if: inputs.check-dependencies runs-on: ubuntu-latest steps: - name: 'Checkout Repository' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bc903d92..b6858f76 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
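Review bot: Dependency review is now opt-in. With `default: false` on `check-dependencies` (declared in the first lint.yml hunk) and this `if: inputs.check-dependencies`, the job is skipped silently for any caller that omits the input, and for a direct `workflow_dispatch` run, where the input is not defined. That is reasonable, since the dependency-review action needs a pull-request context or explicit base and head refs, but the reason is not recorded anywhere. A comment above the condition such as `# dependency review needs a pull_request context; callers enable it only for PR events` would keep a later caller from assuming the check always runs. The job body continues outside the hunk.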
@@ -1,49 +1,22 @@ -# If this workflow is triggered by a push to main, it -# deploys a SNAPSHOT -# If this workflow is triggered by publishing a Release, it -# deploys a RELEASE with the selected version -# updates the project version by incrementing the patch version -# commits the version update change to the repository's default branch. -name: Deploy artifacts with Maven +name: Release on: - push: - branches: [ main ] release: types: [ published ] workflow_dispatch: { } jobs: - publish: + deploy: + name: Deploy artifacts + uses: ./.github/workflows/deploy.yml + secrets: inherit + release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - name: Set up JDK 17 - uses: actions/setup-java@v3 - with: - java-version: '17' - distribution: 'temurin' - cache: 'maven' - gpg-private-key: ${{ secrets.MAVEN_CENTRAL_GPG_SIGNING_KEY_SEC }} - gpg-passphrase: MAVEN_CENTRAL_GPG_PASSPHRASE - - name: Deploy SNAPSHOT / Release - uses: camunda-community-hub/community-action-maven-release@v1 - with: - release-version: ${{ github.event.release.tag_name }} - release-profile: community-action-maven-release - nexus-usr: ${{ secrets.NEXUS_USR }} - nexus-psw: ${{ secrets.NEXUS_PSW }} - maven-usr: ${{ secrets.MAVEN_CENTRAL_DEPLOYMENT_USR }} - maven-psw: ${{ secrets.MAVEN_CENTRAL_DEPLOYMENT_PSW }} - maven-url: oss.sonatype.org - maven-gpg-passphrase: ${{ secrets.MAVEN_CENTRAL_GPG_SIGNING_KEY_PASSPHRASE }} - github-token: ${{ secrets.GITHUB_TOKEN }} - id: release - - if: github.event.release - name: Attach artifacts to GitHub Release (Release only) + - name: Attach artifacts to GitHub Release uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ github.event.release.upload_url }} - asset_path: ${{ steps.release.outputs.artifacts_archive_path }} - asset_name: ${{ steps.release.outputs.artifacts_archive_path }} + asset_path: ${{ needs.deploy.outputs.artifacts_archive_path }} + asset_name: ${{ 
needs.deploy.outputs.artifacts_archive_path }} asset_content_type: application/zip
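Review bot: The `release` job reads `needs.deploy.outputs.artifacts_archive_path` but declares no `needs:`, so it runs in parallel with `deploy` and the expression evaluates to an empty string; add `needs: deploy` under `release:`. Even with that, the archive is written on the deploy job's runner, while this job starts on a fresh runner with no checkout or artifact download, so `asset_path` will not exist there. deploy.yml would have to publish the archive with `actions/upload-artifact`, and this job would have to fetch it with `actions/download-artifact` before the upload step. The old `if: github.event.release` guard was also dropped, so a `workflow_dispatch` run reaches the upload with an empty `upload_url`; `if: github.event_name == 'release'` on the job would restore it.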