diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index 88e28f6..7d4fdc4 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -10,21 +10,4 @@ on:
 jobs:
 label_issues:
- runs-on: ubuntu-latest
- steps:
- - run: gh issue edit "$NUMBER" --add-label "$LABELS"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_REPO: ${{ github.repository }}
- NUMBER: ${{ github.event.issue.number }}
- LABELS: New
-
- - uses: actions/github-script@v8
- with:
- script: |
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: `👋 Hello @${{github.event.issue.user.login}}, thank you for submitting this issue. Our team is reviewing your report and will follow up with you as soon as possible.`
- })
\ No newline at end of file
+ uses: cap-java/.github/.github/workflows/issue.yml@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..76ed1a3
--- /dev/null
+++ b/.github/workflows/main.yml
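Review bot: The `label_issues` job in `.github/workflows/issue.yml` now calls a reusable workflow without declaring `permissions:`, and a called workflow can only narrow the caller's `GITHUB_TOKEN` scopes, never widen them. The inline job it replaces edited labels and posted a comment, so the caller presumably needs `issues: write`. Declaring that on the job (`permissions:` with `issues: write` beneath it) keeps it working where the repository default is read-only and keeps the grant minimal where the default is broader. The top of the file is outside the hunk, so a workflow-level `permissions:` block may already exist. The `remove_new_label` job in `.github/workflows/prevent-issue-labeling.yml` has the same gap.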
@@ -0,0 +1,50 @@
+name: CI - MAIN
+
+env:
+ MAVEN_VERSION: '3.9.15'
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+
+jobs:
+ blackduck:
+ name: Blackduck Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Scan With Black Duck
+ uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
+ with:
+ blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
+ maven-version: ${{ env.MAVEN_VERSION }}
+ project-name: sap.capire.plugin-template-emoji-parent
+ included-modules: srv
+ scan_mode: FULL
+
+ codeql:
+ name: CodeQL Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
+ packages: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Scan With CodeQL
+ uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
+ with:
+ maven-version: ${{ env.MAVEN_VERSION }}
+ java-version: '17'
+ language: java-kotlin
+ queries: security-extended
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..08c86ca
--- /dev/null
+++ b/.github/workflows/pr.yml
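Review bot: Both checkout steps in `.github/workflows/main.yml` leave `persist-credentials` at its default of true, so the job token stays configured for git while the Black Duck and CodeQL actions build and scan the project. Neither job appears to fetch or push after checkout, although the composite actions are not visible here. If that holds, adding `with:` and `persist-credentials: false` to each checkout step removes the credential before Maven plugins and scanners run. The checkout step in `.github/workflows/pr.yml` has the same default and matters more there, because that workflow builds pull-request code.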
@@ -0,0 +1,37 @@
+name: CI - PR
+
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
+env:
+ MAVEN_VERSION: '3.9.15'
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: [main]
+ types: [reopened, synchronize, opened]
+
+jobs:
+ blackduck:
+ name: Blackduck Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Scan With Black Duck
+ uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
+ with:
+ blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
+ maven-version: ${{ env.MAVEN_VERSION }}
+ project-name: sap.capire.plugin-template-emoji-parent
+ included-modules: srv
+ scan_mode: FULL
+ #rapid_compare_mode: BOM_COMPARE # PRs might only be blocked by things they introduce, not by pre-existing issues that could have appeared in the main branch in the meantime
diff --git a/.github/workflows/prevent-issue-labeling.yml b/.github/workflows/prevent-issue-labeling.yml
index 5f546f3..fae7538 100644
--- a/.github/workflows/prevent-issue-labeling.yml
+++ b/.github/workflows/prevent-issue-labeling.yml
@@ -9,16 +9,4 @@ on:
 jobs:
 remove_new_label:
- runs-on: ubuntu-latest
- steps:
- - name: Remove "New" label if applied by non-bot user
- if: >
- contains(github.event.issue.labels.*.name, 'New') &&
- github.event.label.name == 'New' &&
- github.event.sender.login != 'github-actions[bot]'
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_REPO: ${{ github.repository }}
- ISSUE_NUMBER: ${{ github.event.issue.number }}
- run: |
- gh issue edit "$ISSUE_NUMBER" --remove-label "New"
\ No newline at end of file
+ uses: cap-java/.github/.github/workflows/prevent-issue-labeling.yml@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
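Review bot: The Black Duck step in `.github/workflows/pr.yml` reads `secrets.BLACK_DUCK_TOKEN` under a `pull_request` trigger, and GitHub does not pass repository secrets to runs started from forks, so on external contributions the step receives an empty token and will presumably fail. A job-level guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` skips the scan cleanly for those runs. Switching to `pull_request_target` to obtain the secret would hand it to unreviewed build code and is not a safe alternative. Separately, the workflow-level `permissions:` block grants `security-events: write` although the only job narrows itself to `contents: read`; reducing the top-level block to `contents: read` keeps any job added later from inheriting write scope.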