diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
new file mode 100644
index 000000000..271f9c84e
--- /dev/null
+++ b/.github/workflows/golangci-lint.yaml
@@ -0,0 +1,31 @@
+name: golangci-lint
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  checks: write # Optional: allow write access to checks to allow the action to annotate code in the PR.
+
+jobs:
+  golangci:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+
+      - name: Touch approle
+        run: touch ./local/vault/approle.json
+
+      - name: Run Golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          args: --timeout 30m --verbose
+          version: v1.60
+
diff --git a/.github/workflows/vulncheck.yaml b/.github/workflows/vulnerability-check.yaml
similarity index 89%
rename from .github/workflows/vulncheck.yaml
rename to .github/workflows/vulnerability-check.yaml
index 14c1a7d41..9deae64f4 100644
--- a/.github/workflows/vulncheck.yaml
+++ b/.github/workflows/vulnerability-check.yaml
@@ -1,4 +1,4 @@
-name: Security Check
+name: Vulnerability Check
 
 on:
   schedule:
@@ -16,5 +16,5 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - name: Security checks
+      - name: Security scan
         uses: canonical/comsys-build-tools/.github/actions/security-scan@main
diff --git a/.golangci.yaml b/.golangci.yaml
index 74557b359..bd973feb4 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -9,7 +9,7 @@ run:
   tests: true
   allow-parallel-runners: false
   allow-serial-runners: false
-  # go: "1.17" # Do not set a go limit
+  # go: "1.23"
 
 issues:
   exclude-use-default: true
@@ -53,8 +53,8 @@ linters:
 
     # Style based linters
     - promlinter
-    - gocritic
-    - gocognit # To be fixed
+    - gocritic 
+    - gocognit
     - goheader
     - importas
     - gci
@@ -87,4 +87,4 @@ linters-settings:
     sections:
       - standard
       - default
-      - localmodule
\ No newline at end of file
+      - localmodule
diff --git a/Makefile b/Makefile
index 38cb491bc..f923ee7d8 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,10 @@ build: version/commit.txt version/version.txt
 build/server: version/commit.txt version/version.txt
 	go build -tags version ./cmd/jimmsrv
 
-check: version/commit.txt version/version.txt
+lint:
+	golangci-lint run --timeout 5m
+
+check: version/commit.txt version/version.txt lint
 	go test -timeout 30m $(PROJECT)/... -cover
 
 clean:
@@ -117,6 +120,7 @@ endef
 APT_BASED := $(shell command -v apt-get >/dev/null; echo $$?)
 sys-deps:
 ifeq ($(APT_BASED),0)
+	@$(call check_dep,golangci-lint,Missing Golangci-lint - install from https://golangci-lint.run/welcome/install/)
 	@$(call check_dep,go,Missing Go - install from https://go.dev/doc/install or 'sudo snap install go --classic')
 	@$(call check_dep,git,Missing Git - install with 'sudo apt install git')
 	@$(call check_dep,gcc,Missing gcc - install with 'sudo apt install build-essential')
diff --git a/doc/golangci-lint.md b/doc/golangci-lint.md
index 743ca68ce..f72fc0591 100644
--- a/doc/golangci-lint.md
+++ b/doc/golangci-lint.md
@@ -7,4 +7,4 @@ In the .vscode folder of this repository you will find it is defined as the lint
 To install, please install the golangci-lint binary or install it via "go install".
 
 The version this was tested with is:
-```go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1```
\ No newline at end of file
+```go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.60.1```
\ No newline at end of file
diff --git a/internal/jimm/watcher.go b/internal/jimm/watcher.go
index 72e8ba25c..393dc74f3 100644
--- a/internal/jimm/watcher.go
+++ b/internal/jimm/watcher.go
@@ -472,6 +472,7 @@ func (w *Watcher) handleDelta(ctx context.Context, modelIDf func(string) *modelS
 		var cores int64
 		machine := d.Entity.(*jujuparams.MachineInfo)
 		if machine.HardwareCharacteristics != nil && machine.HardwareCharacteristics.CpuCores != nil {
+			//nolint:gosec // We expect cpu cores to fit into int64.
 			cores = int64(*machine.HardwareCharacteristics.CpuCores)
 		}
 		sCores, ok := state.machines[eid.Id]
diff --git a/internal/jimmtest/env.go b/internal/jimmtest/env.go
index 863f94794..229ac7552 100644
--- a/internal/jimmtest/env.go
+++ b/internal/jimmtest/env.go
@@ -459,6 +459,7 @@ func (m *Model) DBObject(c *qt.C, db db.Database) dbmodel.Model {
 	m.env.Controller(m.Controller)
 	migrationControllerID := sql.NullInt32{}
 	if m.MigrationController != "" {
+		//nolint:gosec // Database IDs for tests will fit into int32.
 		migrationControllerID.Int32 = int32(m.env.Controller(m.MigrationController).dbo.ID)
 		migrationControllerID.Valid = true
 	}
diff --git a/internal/openfga/openfga.go b/internal/openfga/openfga.go
index 23cc77208..103b8ee44 100644
--- a/internal/openfga/openfga.go
+++ b/internal/openfga/openfga.go
@@ -206,6 +206,7 @@ func (o *OFGAClient) removeTuples(ctx context.Context, tuple Tuple) (err error)
 	for {
 		// Since we're deleting the returned tuples, it's best to avoid pagination,
 		// and fresh query for the relations.
+		//nolint:gosec // The page size will not exceed int32.
 		tuples, ct, err := o.ReadRelatedObjects(ctx, tuple, int32(pageSize), "")
 		if err != nil {
 			return err