diff --git a/.github/workflows/build-test-deploy.yml b/.github/workflows/build-test-deploy.yml
new file mode 100644
index 00000000..0db42c79
--- /dev/null
+++ b/.github/workflows/build-test-deploy.yml
@@ -0,0 +1,44 @@
+name: Build, Test and Deploy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+
+  build-test-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: 11
+          distribution: adopt
+      - name: Docker Login
+        uses: Azure/docker-login@v1
+        with:
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      - name: Build application
+        run: mvn -B package jib:dockerBuild -Dimage=porscheinformatik/angular-spring-heroes
+      - name: Build acceptance tests
+        run: docker build -t heroes-acceptence-tests heroes-acceptence-tests
+      - name: Run app for tests
+        run: |
+          docker run --name ash -d --rm -p 8080:8080 porscheinformatik/angular-spring-heroes
+          sleep 30
+          docker run -i --rm --link ash heroes-acceptence-tests --config baseUrl=http://ash:8080
+      - name: Push image to Docker Hub
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: docker push porscheinformatik/angular-spring-heroes
+      - name: Push image to ghcr.io
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: |
+          echo ${{ secrets.GHCR_PASSWORD }} | docker login ghcr.io -u ${{ secrets.GHCR_USERNAME }} --password-stdin
+          docker tag porscheinformatik/angular-spring-heroes ghcr.io/porscheinformatik/angular-spring-heroes
+          docker push ghcr.io/porscheinformatik/angular-spring-heroes
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..a05a691c
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,54 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '41 21 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java', 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 752d66f0..6d3e2bf6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@ build:
   variables:
     MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -Djib.from.auth.username=$DOCKER_REGISTRY_USER -Djib.from.auth.password=$DOCKER_REGISTRY_PASSWORD -Djib.to.auth.username=$DOCKER_REGISTRY_USER -Djib.to.auth.password=$DOCKER_REGISTRY_PASSWORD"
   script:
-    - mvn $MAVEN_CLI_OPTS package jib:build -Djib.container.creationTime=`git show -s --format=%cI $CI_COMMIT_SHA` -DimageTag=$CI_COMMIT_REF_SLUG
+    - mvn $MAVEN_CLI_OPTS package jib:build -DfromImage=docker.porscheinformatik.com/eenv/openjdk:11-jre -Djib.container.creationTime=`git show -s --format=%cI $CI_COMMIT_SHA` -DimageTag=$CI_COMMIT_REF_SLUG
   only:
     - merge_requests
     - master
diff --git a/heroes-webapp/pom.xml b/heroes-webapp/pom.xml
index a607dc5e..c5f2e189 100644
--- a/heroes-webapp/pom.xml
+++ b/heroes-webapp/pom.xml
@@ -80,7 +80,7 @@
         <artifactId>jib-maven-plugin</artifactId>
         <configuration>
           <from>
-            <image>docker.porscheinformatik.com/eenv/openjdk:11-jre</image>
+            <image>${fromImage}</image>
           </from>
           <to>
             <image>docker.porscheinformatik.com/koc/angular-spring-heroes:${imageTag}</image>
diff --git a/pom.xml b/pom.xml
index bdb0bf93..020db63e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -17,6 +17,7 @@
     <jib.skip>true</jib.skip>
     <frontend-maven-plugin.version>1.12.0</frontend-maven-plugin.version>
     <typescript-generator.version>2.31.861</typescript-generator.version>
+    <fromImage>gcr.io/distroless/java:11</fromImage>
     <imageTag>latest</imageTag>
   </properties>
 
diff --git a/renovate.json b/renovate.json
index ffbc06c9..e34d6ba4 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["local>eenv/renovate/renovate-config", "group:allNonMajor"],
+  "extends": ["github>porscheinformatik/renovate-config", "group:allNonMajor"],
   "packageRules": [
     {
       "matchPackageNames": ["rxjs"],