diff --git a/.ci/check b/.ci/check
index b8d924c6..823fd9de 100755
--- a/.ci/check
+++ b/.ci/check
@@ -12,7 +12,7 @@ set -o pipefail
 # For the check step concourse will set the following environment variables:
 # SOURCE_PATH - path to component repository root directory.
-if [[ -z "${SOURCE_PATH}" ]]; then
+if [[ -z "${SOURCE_PATH:-}" ]]; then
 export SOURCE_PATH="$(readlink -f "$(dirname ${0})/..")"
 else
 export SOURCE_PATH="$(readlink -f ${SOURCE_PATH})"
@@ -26,7 +26,7 @@ go fmt ./...
 go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
 echo "> Run SAST scan"
-make sast
+make sast-report
 curl -s "https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3" | bash -s -- --version 'v3.5.4'
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
deleted file mode 100644
index 1dda21b5..00000000
--- a/.ci/pipeline_definitions
+++ /dev/null
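Review bot: `make sast-report` on the new side depends on a Makefile target that is not part of this diff, so confirm the target exists and that its output lands where the `sastlint-ocm` workflow that now invokes this script (`run: .ci/check` in `.github/workflows/build.yaml`) expects to collect it. Since the script is being repurposed to run on GitHub-hosted runners, the neighbouring `curl -s ".../helm/helm/master/scripts/get-helm-3" | bash` deserves attention too: it executes an unpinned script from a mutable branch with no integrity check, so a bad push to that branch runs in this CI; pin the URL to a commit SHA and verify a `sha256sum` before piping to bash, or install helm from a pinned release tarball with its published checksum. The enclosing `if`/`fi` and the rest of the check logic continue outside these hunks.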
@@ -1,79 +0,0 @@
-# SPDX-FileCopyrightText: 2020 SAP SE or an SAP affiliate company and Gardener contributors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-oidc-webhook-authenticator:
- base_definition:
- repo:
- source_labels:
- - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
- value:
- policy: skip
- comment: |
- We use gosec for sast scanning, see attached log.
- traits:
- version:
- preprocess: inject-commit-hash
- component_descriptor:
- ocm_repository: europe-docker.pkg.dev/gardener-project/snapshots
- publish:
- oci-builder: docker-buildx
- platforms:
- - linux/amd64
- - linux/arm64
- dockerimages:
- oidc-webhook-authenticator:
- image: europe-docker.pkg.dev/gardener-project/snapshots/gardener/oidc-webhook-authenticator
- dockerfile: Dockerfile
- tag_template: ${EFFECTIVE_VERSION}
- tag_as_latest: false
- resource_labels:
- - name: 'cloud.gardener.cnudie/responsibles'
- value:
- - type: 'githubUser'
- username: 'dimityrmirchev'
- - type: 'githubUser'
- username: 'vpnachev'
- jobs:
- head-update:
- traits:
- component_descriptor:
- ocm_repository_mappings:
- - repository: europe-docker.pkg.dev/gardener-project/releases
- draft_release: ~
- publish:
- dockerimages:
- oidc-webhook-authenticator:
- tag_as_latest: true
- pull-request:
- traits:
- pull-request: ~
- release:
- traits:
- version:
- preprocess: finalize
- component_descriptor:
- ocm_repository: europe-docker.pkg.dev/gardener-project/releases
- release:
- nextversion: bump_minor
- assets:
- - type: build-step-log
- step_name: check
- purposes:
- - lint
- - sast
- - gosec
- comment: |
- We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.
- Enabled by https://github.com/gardener/oidc-webhook-authenticator/pull/165
- slack:
- default_channel: 'internal_scp_workspace'
- channel_cfgs:
- internal_scp_workspace:
- channel_name: 'C9CEBQPGE' #sap-tech-gardener
- slack_cfg_name: 'scp_workspace'
- publish:
- dockerimages:
- oidc-webhook-authenticator:
- image: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator
- tag_as_latest: false
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..2856fc46
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,52 @@
+name: Build
+
+on:
+ workflow_call:
+ inputs:
+ mode:
+ required: true
+ type: string
+ default: snapshot
+ description: |
+ The build mode to use. It can be either `snapshot` or `release`.
+ Will affect effective version calculation, as well as target-oci-registry.
+
+jobs:
+ prepare:
+ uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
+ with:
+ mode: ${{ inputs.mode }}
+ permissions:
+ contents: read
+
+ oci-images:
+ name: Build OCI-Images
+ needs:
+ - prepare
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ secrets: inherit
+ uses: gardener/cc-utils/.github/workflows/oci-ocm.yaml@master
+ strategy:
+ matrix:
+ args:
+ - name: oidc-webhook-authenticator
+ target:
+ oci-repository: gardener/oidc-webhook-authenticator
+ with:
+ name: ${{ matrix.args.name }}
+ version: ${{ needs.prepare.outputs.version }}
+ target: ${{ matrix.args.target }}
+ oci-registry: ${{ needs.prepare.outputs.oci-registry }}
+ oci-repository: ${{ matrix.args.oci-repository }}
+ oci-platforms: linux/amd64,linux/arm64
+
+ sast-lint:
+ uses: gardener/cc-utils/.github/workflows/sastlint-ocm.yaml@master
+ permissions:
+ contents: read
+ with:
+ linter: gosec
+ run: .ci/check
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
new file mode 100644
index 00000000..1c179d51
--- /dev/null
+++ b/.github/workflows/non-release.yaml
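Review bot: All three reusable workflows (`prepare.yaml`, `oci-ocm.yaml`, `sastlint-ocm.yaml`) are referenced at the mutable ref `@master`, and the `oci-images` job hands that code `secrets: inherit` together with `id-token: write` and `packages: write`, so a bad or malicious push to `gardener/cc-utils` master can publish images under this component's name and mint OIDC tokens in this repository's context. Pin each `uses:` to a full-length commit SHA, e.g. `uses: gardener/cc-utils/.github/workflows/oci-ocm.yaml@<40-char-sha> # vX.Y.Z`, and let Dependabot bump it, or at minimum pin a release tag. Separately, `mode` declares both `required: true` and `default: snapshot`, which is contradictory in spirit (a required input is always caller-supplied, so the default appears never to apply); dropping one of them makes the contract unambiguous. The matrix entry's `target:` carries no value and is forwarded as `${{ matrix.args.target }}`; if an empty Docker build target is intended, `target: ''` says so explicitly rather than relying on null-to-empty coercion.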
@@ -0,0 +1,27 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ - releases/**
+ pull_request:
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+ with:
+ mode: snapshot
+ secrets: inherit
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+
+ component-descriptor:
+ uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
+ needs:
+ - build
+ secrets: inherit
+ permissions:
+ id-token: write
+ contents: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..cda42d79
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,34 @@
+name: Release
+on:
+ workflow_dispatch:
+ inputs:
+ next-version:
+ type: choice
+ options:
+ - bump-minor
+ - bump-patch
+
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+ permissions:
+ contents: write
+ id-token: write
+ packages: write
+ with:
+ mode: release
+
+ release-to-github-and-bump:
+ uses: gardener/cc-utils/.github/workflows/release.yaml@master
+ needs:
+ - build
+ secrets: inherit
+ permissions:
+ contents: write
+ id-token: write
+ packages: write
+ with:
+ release-commit-target: branch
+ next-version: ${{ inputs.next-version }}
+ slack-channel-id: C9CEBQPGE # #sap-tech-gardener
diff --git a/.ocm/base-component.yaml b/.ocm/base-component.yaml
new file mode 100644
index 00000000..630ec86b
--- /dev/null
+++ b/.ocm/base-component.yaml
@@ -0,0 +1,15 @@
+labels:
+ - name: cloud.gardener.cnudie/responsibles
+ value:
+ - type: githubUser
+ username: dimityrmirchev
+ - type: githubUser
+ username: vpnachev
+
+main-source:
+ labels:
+ - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+ value:
+ policy: skip
+ comment: |
+ we use gosec for sast scanning. See attached log.
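Review bot: The `build` job is granted `contents: write`, yet every job in `build.yaml` (`prepare`, `oci-images`, `sast-lint`) declares only `contents: read`, so the grant exceeds anything the callee can use; change it to `contents: read` and keep the write scope solely on `component-descriptor`, which is the job that needs it. Because the callee downgrades the token itself, this is least-privilege hygiene rather than a live exposure, but the workflow runs on every `pull_request` and every push to `master` and `releases/**`, which is exactly where a ceiling set too high is most likely to be inherited by a future change. `secrets: inherit` on a `pull_request`-triggered job is safe for fork PRs only because GitHub withholds secrets and hands out a read-only token there; that protection evaporates if anyone later switches the trigger to `pull_request_target`, so a comment above `pull_request:` noting this would help. `post-build.yaml@master` is an unpinned reference like the others in this change.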
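Review bot: The `build` job is again given `contents: write` although every job in `build.yaml` declares `contents: read`; only `release-to-github-and-bump`, which creates the release and pushes the version-bump commit (`release-commit-target: branch`), needs write, so `contents: read` on `build` confines the write scope to the one job that uses it. The `next-version` choice input has no `default:`, so the dispatch form presumably preselects the first option, `bump-minor`; since that matches the removed `nextversion: bump_minor`, making it explicit with `default: bump-minor` records the intent. `release.yaml@master` is unpinned, and this is the workflow where that matters most because the callee both receives `secrets: inherit` and writes commits and tags into this repository.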