diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1867b5e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    versioning-strategy: "auto"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    target-branch: "main"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+    reviewers:
+      - "ruslanpashkov"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..ea1c46f
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,33 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    container: node:22
+    steps:
+      - uses: actions/checkout@main
+
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.npm
+            node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run TypeScript check
+        run: npm run compile
+
+      - name: Run ESLint
+        run: npm run lint
+
+      - name: Check formatting
+        run: npm run format:check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..2ce5b87
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,128 @@
+name: Release
+
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      targets:
+        description: Browser targets
+        required: true
+        default: '["chrome","firefox"]'
+        type: choice
+        options:
+          - '["chrome","firefox"]'
+          - '["chrome"]'
+          - '["firefox"]'
+      attach_to_release:
+        description: Attach to GitHub release
+        type: boolean
+        default: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container: node:22
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJSON(github.event.inputs.targets || '["chrome","firefox"]') }}
+    steps:
+      - uses: actions/checkout@main
+
+      - name: Build extension
+        run: |
+          npm ci
+          npm run zip -- -b ${{ matrix.target }}
+          npm audit
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@main
+        with:
+          name: ${{ matrix.target }}
+          path: ./.output/novapass-*-${{ matrix.target }}.zip
+
+  publish-chrome:
+    needs: build
+    if: ${{ github.event_name == 'release' || contains(github.event.inputs.targets, 'chrome') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@main
+        with:
+          name: chrome
+
+      - name: Upload to GitHub Release
+        if: ${{ github.event_name == 'release' || github.event.inputs.attach_to_release == 'true' }}
+        uses: xresloader/upload-to-github-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          file: novapass-*-chrome.zip
+          draft: false
+          overwrite: true
+          update_latest_release: true
+
+      - name: Publish to Chrome Web Store
+        uses: wdzeng/chrome-extension@v1.2.4
+        with:
+          extension-id: ${{ secrets.CHROME_EXTENSION_ID }}
+          zip-path: novapass-*-chrome.zip
+          client-id: ${{ secrets.CHROME_CLIENT_ID }}
+          client-secret: ${{ secrets.CHROME_CLIENT_SECRET }}
+          refresh-token: ${{ secrets.CHROME_REFRESH_TOKEN }}
+
+  publish-edge:
+    needs: build
+    if: ${{ github.event_name == 'release' || contains(github.event.inputs.targets, 'chrome') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@main
+        with:
+          name: chrome
+
+      - name: Upload to GitHub Release
+        if: ${{ github.event_name == 'release' || github.event.inputs.attach_to_release == 'true' }}
+        uses: xresloader/upload-to-github-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          file: novapass-*-chrome.zip
+          draft: false
+          overwrite: true
+          update_latest_release: true
+
+      - name: Publish to Edge Add-ons
+        uses: wdzeng/edge-addon@v2.0.0
+        with:
+          product-id: ${{ secrets.EDGE_PRODUCT_ID }}
+          zip-path: novapass-*-chrome.zip
+          client-id: ${{ secrets.EDGE_CLIENT_ID }}
+          api-key: ${{ secrets.EDGE_API_KEY }}
+
+  publish-firefox:
+    needs: build
+    if: ${{ github.event_name == 'release' || contains(github.event.inputs.targets, 'firefox') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@main
+        with:
+          name: firefox
+
+      - name: Upload to GitHub Release
+        if: ${{ github.event_name == 'release' || github.event.inputs.attach_to_release == 'true' }}
+        uses: xresloader/upload-to-github-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          file: novapass-*-firefox.zip
+          draft: false
+          overwrite: true
+          update_latest_release: true
+
+      - name: Publish to Firefox Add-ons
+        uses: wdzeng/firefox-addon@v1.1.2
+        with:
+          addon-guid: ${{ secrets.FIREFOX_ADDON_GUID }}
+          xpi-path: novapass-*-firefox.zip
+          jwt-issuer: ${{ secrets.FIREFOX_JWT_ISSUER }}
+          jwt-secret: ${{ secrets.FIREFOX_JWT_SECRET }}