diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 314e54e5b8c..01b083853f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,15 +15,11 @@ permissions: jobs: govulncheck: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 - - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v3 - with: - go-version: '1.19' - cache: true - - run: go install golang.org/x/vuln/cmd/govulncheck@latest - - run: govulncheck ./... + uses: caarlos0/meta/.github/workflows/govulncheck.yml@main + semgrep: + uses: caarlos0/meta/.github/workflows/semgrep.yml@main + ruleguard: + uses: caarlos0/meta/.github/workflows/ruleguard.yml@main goreleaser-check-pkgs: runs-on: ubuntu-latest env: diff --git a/cmd/config.go b/cmd/config.go index 353276c1f67..762300aeb92 100644 --- a/cmd/config.go +++ b/cmd/config.go @@ -1,6 +1,8 @@ package cmd import ( + "errors" + "io/fs" "os" "github.com/caarlos0/log" @@ -22,7 +24,7 @@ func loadConfig(path string) (config.Project, error) { "goreleaser.yaml", } { proj, err := config.Load(f) - if err != nil && os.IsNotExist(err) { + if err != nil && errors.Is(err, fs.ErrNotExist) { continue } return proj, err diff --git a/internal/builders/golang/build_test.go b/internal/builders/golang/build_test.go index c10550e3aa6..40f63800edd 100644 --- a/internal/builders/golang/build_test.go +++ b/internal/builders/golang/build_test.go @@ -496,7 +496,7 @@ func TestBuild(t *testing.T) { }, }) - modTimes := map[time.Time]bool{} + modTimes := map[int64]bool{} for _, bin := range ctx.Artifacts.List() { if bin.Type != artifact.Binary { continue 
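Review bot: The three reusable workflows (`govulncheck`, `semgrep`, `ruleguard`) are referenced at the mutable ref `@main`, whereas the steps they replace pinned every action to a full commit SHA. Whatever lands on that branch of `caarlos0/meta` will run in this repository's CI, within the permissions this workflow grants, without any change showing up in this repository. Pinning each call to a commit keeps the earlier supply-chain guarantee, e.g. `uses: caarlos0/meta/.github/workflows/govulncheck.yml@<full-commit-sha> # main`, where the SHA is a placeholder to fill in.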
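Review bot: In `loadConfig` the `err != nil &&` guard is redundant after this change, because `errors.Is` already returns false for a nil error. The condition can read `if errors.Is(err, fs.ErrNotExist) {`. loadConfig starts and ends outside the hunk.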
@@ -506,7 +506,7 @@ func TestBuild(t *testing.T) { require.NoError(t, err) // make this a suitable map key, per docs: https://golang.org/pkg/time/#Time - modTime := fi.ModTime().UTC().Round(0) + modTime := fi.ModTime().UTC().Round(0).Unix() if modTimes[modTime] { t.Fatal("duplicate modified time found, times should be different by default") diff --git a/internal/exec/exec_mock.go b/internal/exec/exec_mock.go index c1eb89ee74a..cf42b3dcd6f 100644 --- a/internal/exec/exec_mock.go +++ b/internal/exec/exec_mock.go @@ -27,9 +27,9 @@ type MockCall struct { ExitCode int `json:"exit_code"` } -func (m *MockData) MarshalJSON() ([]byte, error) { +func (m MockData) MarshalJSON() ([]byte, error) { type t MockData - return json.Marshal((*t)(m)) + return json.Marshal((t)(m)) } func (m *MockData) UnmarshalJSON(b []byte) error { diff --git a/internal/gio/safe_test.go b/internal/gio/safe_test.go index c3997cfc5d4..b3c82788a1f 100644 --- a/internal/gio/safe_test.go +++ b/internal/gio/safe_test.go @@ -2,6 +2,7 @@ package gio import ( "bytes" + "io" "sync" "testing" @@ -18,7 +19,7 @@ func TestSafe(t *testing.T) { wg.Add(chars) for i := 0; i < chars; i++ { go func() { - s, err := w.Write([]byte("a")) + s, err := io.WriteString(w, "a") require.Equal(t, 1, s) require.NoError(t, err) wg.Done() diff --git a/internal/git/config.go b/internal/git/config.go index e4b6f2f78f5..852d8634e54 100644 --- a/internal/git/config.go +++ b/internal/git/config.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "net/url" + "path" "strings" "github.com/caarlos0/log" @@ -68,7 +69,7 @@ func ExtractRepoFromURL(rawurl string) (config.Repo, error) { } repo := config.Repo{ RawURL: rawurl, - Owner: strings.Join(ss[:len(ss)-1], "/"), + Owner: path.Join(ss[:len(ss)-1]...), Name: ss[len(ss)-1], } log.WithField("owner", repo.Owner).WithField("name", repo.Name).Debugf("parsed url") diff --git a/internal/logext/writer_test.go b/internal/logext/writer_test.go index b8f31d1f387..9c94c996adc 100644 
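Review bot: `fi.ModTime().UTC().Round(0).Unix()` truncates the timestamp to whole seconds, so two binaries written within the same second now collide in `modTimes` and can trip the "duplicate modified time found" failure even though their times differ. `UnixNano()` keeps the previous resolution and still fits the `map[int64]bool` key introduced in the earlier hunk of this file: `modTime := fi.ModTime().UnixNano()`. The comment about making the value a suitable map key refers to `Round(0)` and no longer applies once the key is an integer. TestBuild continues outside the hunk.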
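Review bot: `MarshalJSON` is exported without a doc comment, and the reason for the value receiver and the local type is not obvious to a reader. I would add `// MarshalJSON encodes m with the default struct encoding; the value receiver makes it apply to both MockData and *MockData.` above the method, and `// t has MockData's fields but not its methods, so json.Marshal does not call MarshalJSON again.` above `type t MockData`.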
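Review bot: The `require.Equal` and `require.NoError` calls inside the goroutine in `TestSafe` fail through `t.FailNow`, which the testing package only supports on the goroutine running the test; a failure there also skips `wg.Done()`, so the test would presumably block on the WaitGroup instead of reporting. Making `defer wg.Done()` the first statement of the closure and reporting with `if s != 1 || err != nil { t.Errorf("write: n=%d err=%v", s, err) }` avoids both problems. Separately, `io.WriteString` calls `WriteString` when the writer implements `io.StringWriter`, so it is worth confirming the test still exercises the `Write` method it is meant to cover. TestSafe starts and ends outside the hunk.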
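Review bot: Replacing `strings.Join(ss[:len(ss)-1], "/")` with `path.Join(ss[:len(ss)-1]...)` in `ExtractRepoFromURL` is not a pure refactor: `path.Join` drops empty elements and cleans the result, so `.` and `..` segments are resolved and `Owner` can differ from what the remote URL literally contains. Since `rawurl` is supplied from outside this function, the normalisation should either be a deliberate decision backed by test cases for such URLs, or the original join should stay. If cleaning is intended, a comment such as `// path.Join cleans the owner: empty, "." and ".." segments are removed` would make that explicit. The function begins and ends outside the hunk.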
--- a/internal/logext/writer_test.go +++ b/internal/logext/writer_test.go @@ -2,6 +2,7 @@ package logext import ( "bytes" + "io" "os" "strconv" "testing" @@ -24,7 +25,7 @@ func TestWriter(t *testing.T) { }) var b bytes.Buffer log.Log = log.New(&b) - l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n")) + l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n") require.NoError(t, err) require.Equal(t, 8, l) require.Empty(t, b.String()) @@ -41,7 +42,7 @@ func TestWriter(t *testing.T) { var b bytes.Buffer log.Log = log.New(&b) log.SetLevel(log.DebugLevel) - l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n")) + l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n") require.NoError(t, err) require.Equal(t, 8, l) golden.RequireEqualTxt(t, b.Bytes()) diff --git a/internal/pipe/archive/archive.go b/internal/pipe/archive/archive.go index 042718afffc..648938456a7 100644 --- a/internal/pipe/archive/archive.go +++ b/internal/pipe/archive/archive.go @@ -6,6 +6,7 @@ package archive import ( "errors" "fmt" + "io/fs" "os" "path/filepath" "strings" @@ -150,7 +151,7 @@ func doCreate(ctx *context.Context, arch config.Archive, binaries []*artifact.Ar lock.Unlock() return err } - if _, err = os.Stat(archivePath); !os.IsNotExist(err) { + if _, err = os.Stat(archivePath); !errors.Is(err, fs.ErrNotExist) { lock.Unlock() return fmt.Errorf("archive named %s already exists. Check your archive name template", archivePath) } diff --git a/internal/pipe/aur/aur.go b/internal/pipe/aur/aur.go index 3dff67d8d05..a4d13366141 100644 --- a/internal/pipe/aur/aur.go +++ b/internal/pipe/aur/aur.go @@ -5,6 +5,7 @@ import ( "bytes" "errors" "fmt" + "io" "os" "path/filepath" "sort" 
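Review bot: The check `!errors.Is(err, fs.ErrNotExist)` in `doCreate` is true both when the archive exists and when `os.Stat` fails for any other reason (for example permission denied), and in the second case the user is told the archive "already exists" while the real error is discarded. Splitting the two cases keeps the existing message for a real name clash and surfaces the underlying error otherwise. doCreate starts and ends outside the hunk, so how `err` is used afterwards should be checked against the full function.

```go
// … unchanged: earlier error handling in doCreate …
_, err = os.Stat(archivePath)
if err == nil {
	lock.Unlock()
	return fmt.Errorf("archive named %s already exists. Check your archive name template", archivePath)
}
if !errors.Is(err, fs.ErrNotExist) {
	lock.Unlock()
	return fmt.Errorf("checking archive path %s: %w", archivePath, err)
}
```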
@@ -471,7 +472,7 @@ func keyPath(key string) (string, error) { key += "\n" } - if _, err := f.Write([]byte(key)); err != nil { + if _, err := io.WriteString(f, key); err != nil { return "", fmt.Errorf("failed to store private key: %w", err) } if err := f.Close(); err != nil { diff --git a/internal/pipe/blob/upload.go b/internal/pipe/blob/upload.go index 457a851193e..98a4356f7c9 100644 --- a/internal/pipe/blob/upload.go +++ b/internal/pipe/blob/upload.go @@ -116,10 +116,7 @@ func doUpload(ctx *context.Context, conf config.Blob) error { fullpath := fullpath g.Go(func() error { uploadFile := path.Join(folder, name) - - err := uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL) - - return err + return uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL) }) } @@ -132,11 +129,10 @@ func uploadData(ctx *context.Context, conf config.Blob, up uploader, dataFile, u return err } - err = up.Upload(ctx, uploadFile, data) - if err != nil { + if err := up.Upload(ctx, uploadFile, data); err != nil { return handleError(err, bucketURL) } - return err + return nil } // errorContains check if error contains specific string. diff --git a/internal/pipe/env/env.go b/internal/pipe/env/env.go index 23af0b28784..58a2375b1e4 100644 --- a/internal/pipe/env/env.go +++ b/internal/pipe/env/env.go @@ -6,6 +6,7 @@ import ( "bufio" "errors" "fmt" + "io/fs" "os" "strings" @@ -146,7 +147,7 @@ func loadEnv(env, path string) (string, error) { return "", err } f, err := os.Open(path) // #nosec - if os.IsNotExist(err) { + if errors.Is(err, fs.ErrNotExist) { return "", nil } if err != nil { diff --git a/internal/pipe/linkedin/client_test.go b/internal/pipe/linkedin/client_test.go index ccd40ce605b..0ce6f957af9 100644 --- a/internal/pipe/linkedin/client_test.go +++ b/internal/pipe/linkedin/client_test.go @@ -2,6 +2,7 @@ package linkedin import ( "fmt" + "io" "net/http" "net/http/httptest" "testing" 
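Review bot: When `io.WriteString(f, key)` fails in `keyPath`, the function returns without closing `f` and leaves a partially written private-key file on disk. Closing and removing it on that path, `_ = f.Close()` followed by `_ = os.Remove(f.Name())` before the return, avoids both the descriptor leak and the stray key material; this assumes `f` is an `*os.File`, which is created outside the hunk. It is also worth confirming at the creation site that the file mode is owner-only. keyPath starts and ends outside the hunk.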
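Review bot: The bare `// #nosec` on `os.Open(path)` in `loadEnv` silences every gosec rule on that line and records no reason, so a later reader cannot tell which finding was accepted or why. Naming the rule and the justification keeps the suppression auditable, e.g. `f, err := os.Open(path) // #nosec G304 -- <why this path is trusted>`; G304 is presumably the rule in question, and the reason is a placeholder for the author to fill in. loadEnv starts and ends outside the hunk.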
@@ -56,12 +57,12 @@ func TestCreateLinkedInClient(t *testing.T) { func TestClient_Share(t *testing.T) { server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { - _, _ = rw.Write([]byte(` + _, _ = io.WriteString(rw, ` { "id": "foo", "activity": "123456789" } -`)) +`) })) defer server.Close() diff --git a/internal/pipe/mattermost/mattermost_test.go b/internal/pipe/mattermost/mattermost_test.go index ce519db630a..52588f602a0 100644 --- a/internal/pipe/mattermost/mattermost_test.go +++ b/internal/pipe/mattermost/mattermost_test.go @@ -5,7 +5,6 @@ import ( "io" "net/http" "net/http/httptest" - "os" "testing" "github.com/stretchr/testify/require" @@ -92,8 +91,7 @@ func TestPostWebhook(t *testing.T) { ctx.ReleaseURL = "https://github.com/honk/honk/releases/tag/v1.0.0" ctx.Git.URL = "https://github.com/honk/honk" - os.Setenv("MATTERMOST_WEBHOOK", ts.URL) - defer os.Unsetenv("MATTERMOST_WEBHOOK") + t.Setenv("MATTERMOST_WEBHOOK", ts.URL) require.NoError(t, Pipe{}.Default(ctx)) require.NoError(t, Pipe{}.Announce(ctx)) diff --git a/internal/pipe/release/release.go b/internal/pipe/release/release.go index ca2aa996437..d9d6db0a1da 100644 --- a/internal/pipe/release/release.go +++ b/internal/pipe/release/release.go @@ -3,6 +3,7 @@ package release import ( "errors" "fmt" + "io/fs" "os" "time" @@ -121,7 +122,7 @@ func doPublish(ctx *context.Context, client client.Client) error { } for name, path := range extraFiles { - if _, err := os.Stat(path); os.IsNotExist(err) { + if _, err := os.Stat(path); errors.Is(err, fs.ErrNotExist) { return fmt.Errorf("failed to upload %s: %w", name, err) } ctx.Artifacts.Add(&artifact.Artifact{ diff --git a/internal/pipe/webhook/webhook_test.go b/internal/pipe/webhook/webhook_test.go index 590dbf49790..f5cfdc3238a 100644 --- a/internal/pipe/webhook/webhook_test.go +++ b/internal/pipe/webhook/webhook_test.go @@ -7,7 +7,6 @@ import ( "io" "net/http" "net/http/httptest" - "os" "testing" "github.com/google/uuid" 
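Review bot: In `doPublish` only a not-exist result from `os.Stat(path)` is treated as a failure, so any other stat error (permission denied, an unreadable parent directory) falls through and the path is still added to `ctx.Artifacts`, to fail later and further from the cause. Checking the error itself covers both cases and keeps the wrapped message: `if _, err := os.Stat(path); err != nil {`. The loop body continues outside the hunk.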
@@ -180,8 +179,7 @@ func TestAnnounceBasicAuthWebhook(t *testing.T) { }, }, }) - os.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass")))) - defer os.Unsetenv("BASIC_AUTH_HEADER_VALUE") + t.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass")))) require.NoError(t, Pipe{}.Announce(ctx)) } diff --git a/internal/testlib/git.go b/internal/testlib/git.go index 5f93f165dcf..da99e3b812b 100644 --- a/internal/testlib/git.go +++ b/internal/testlib/git.go @@ -84,7 +84,7 @@ func fakeGit(args ...string) (string, error) { "-c", "log.showSignature=false", } allArgs = append(allArgs, args...) - return git.Run(context.TODO(), allArgs...) + return git.Run(context.Background(), allArgs...) } // GitCheckoutBranch allows us to change the active branch that we're using. diff --git a/pkg/context/context.go b/pkg/context/context.go index 4b7f47db2da..a91bf4cb4e2 100644 --- a/pkg/context/context.go +++ b/pkg/context/context.go @@ -126,7 +126,7 @@ func New(config config.Project) *Context { // NewWithTimeout new context with the given timeout. func NewWithTimeout(config config.Project, timeout time.Duration) (*Context, stdctx.CancelFunc) { - ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout) + ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout) // nosem return Wrap(ctx, config), cancel }
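Review bot: The `// nosem` added in `NewWithTimeout` names no rule, so it suppresses every Semgrep finding on that line rather than the one that prompted it. Scoping it to the rule, `// nosemgrep: <rule-id>` with the id taken from the finding, keeps future rules effective on this line. A comment above the statement, such as `// cancel is returned to the caller, who is responsible for calling it.`, would record why the suppression is safe, assuming that is the finding being silenced.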