diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 6aee3c5d6..000000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-# https://docs.zizmor.sh/configuration/
-rules:
-  secrets-outside-env:
-    disable: true
diff --git a/.golangci.yml b/.golangci.yml
index ff56f3ef1..72c25684b 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -8,6 +8,7 @@ run:
     - exclude_graphdriver_devicemapper
 
 linters:
+  default: none
   enable:
     - bodyclose
     - depguard
@@ -26,22 +27,6 @@ linters:
     - unused
     - whitespace
   settings:
-    gocritic:
-      disabled-checks:
-        - "ifElseChain"
-        - "assignOp"
-        - "appendAssign"
-        - "singleCaseSwitch"
-    importas:
-      alias:
-        - pkg: "github.com/opencontainers/image-spec/specs-go/v1"
-          alias: "ocispecs"
-        - pkg: "github.com/opencontainers/go-digest"
-          alias: "digest"
-    govet:
-      enable:
-        - nilness
-        - unusedwrite
     depguard:
       rules:
         main:
@@ -62,19 +47,35 @@ linters:
         - pattern: ^ctx\.Err(# use context\.Cause instead)?$
         - pattern: ^fmt\.Errorf(# use errors\.Errorf instead)?$
         - pattern: ^platforms\.DefaultString(# use platforms\.Format(platforms\.DefaultSpec()) instead\.)?$
+    gocritic:
+      disabled-checks:
+        - "ifElseChain"
+        - "assignOp"
+        - "appendAssign"
+        - "singleCaseSwitch"
     gosec:
       excludes:
+        - G115
         - G204
         - G402
-        - G115
       config:
         G306: "0644"
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
+    importas:
+      alias:
+        - pkg: github.com/opencontainers/image-spec/specs-go/v1
+          alias: ocispecs
+        - pkg: github.com/opencontainers/go-digest
+          alias: digest
     testifylint:
       disable:
-        - "empty"
-        - "bool-compare"
-        - "len"
-        - "negative-positive"
+        - empty
+        - bool-compare
+        - len
+        - negative-positive
   exclusions:
     generated: lax
     presets:
@@ -83,28 +84,25 @@ linters:
       - legacy
       - std-error-handling
     rules:
-      -
-        linters:
+      - linters:
           - revive
         text: stutters
-      -
-        linters:
+      - linters:
+          - revive
+        text: var-naming
+      - linters:
           - revive
         text: empty-block
-      -
-        linters:
+      - linters:
           - revive
         text: superfluous-else
-      -
-        linters:
+      - linters:
           - revive
         text: unused-parameter
-      -
-        linters:
+      - linters:
           - revive
         text: redefines-builtin-id
-      -
-        linters:
+      - linters:
           - revive
         text: if-return
     paths:
diff --git a/Dockerfile b/Dockerfile
index 8dbbf847f..b2a300783 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION="1.25"
+ARG GO_VERSION="1.26"
 ARG ALPINE_VERSION="3.23"
 ARG XX_VERSION="1.9.0"
 
diff --git a/go.mod b/go.mod
index bbd07c7d0..65bd8cb98 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/crazy-max/diun/v4
 
-go 1.25.5
+go 1.26.0
 
 require (
 	dario.cat/mergo v1.0.2
diff --git a/hack/gen.Dockerfile b/hack/gen.Dockerfile
index 035472ac1..6a88abd24 100644
--- a/hack/gen.Dockerfile
+++ b/hack/gen.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION="1.25"
+ARG GO_VERSION="1.26"
 ARG PROTOC_VERSION="3.17.3"
 
 # protoc is dynamically linked to glibc so can't use alpine base
diff --git a/hack/govulncheck.Dockerfile b/hack/govulncheck.Dockerfile
index de3ead7ee..887581cd4 100644
--- a/hack/govulncheck.Dockerfile
+++ b/hack/govulncheck.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION="1.25"
+ARG GO_VERSION="1.26"
 ARG ALPINE_VERSION="3.23"
 
 ARG GOVULNCHECK_VERSION="v1.1.4"
diff --git a/hack/lint.Dockerfile b/hack/lint.Dockerfile
index 8759c26e6..7ed0ab4eb 100644
--- a/hack/lint.Dockerfile
+++ b/hack/lint.Dockerfile
@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION="1.25"
+ARG GO_VERSION="1.26"
 ARG XX_VERSION="1.9.0"
 ARG ALPINE_VERSION="3.23"
-ARG GOLANGCI_LINT_VERSION="v2.1.6"
+ARG GOLANGCI_LINT_VERSION="v2.11.4"
 ARG GOLANGCI_FROM_SOURCE="true"
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
diff --git a/hack/vendor.Dockerfile b/hack/vendor.Dockerfile
index 6ce5791f7..dc865ceb0 100644
--- a/hack/vendor.Dockerfile
+++ b/hack/vendor.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION="1.25"
+ARG GO_VERSION="1.26"
 ARG ALPINE_VERSION="3.23"
 ARG GOMOD_OUTDATED_VERSION="v0.8.0"
 
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index da610ae3f..f711304dc 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -159,7 +159,7 @@ for <code>{{ .Entry.Manifest.Platform }}</code> platform.
 						TemplateTitle: model.NotifDefaultTemplateTitle,
 						TemplateBody:  model.NotifDefaultTemplateBody,
 					},
-					Pushover: &model.NotifPushover{
+					Pushover: &model.NotifPushover{ //nolint:gosec // fixture values are test data.
 						Token:         "uQiRzpo4DXghDmr9QzzfQu27cmVRsG",
 						Recipient:     "gznej3rKEVAvPUxu9vvNnqpmZpokzF",
 						Timeout:       utl.NewDuration(10 * time.Second),
@@ -232,7 +232,7 @@ for <code>{{ .Entry.Manifest.Platform }}</code> platform.
 						InsecureTLS: utl.NewFalse(),
 						Timeout:     utl.NewDuration(0),
 					},
-					model.RegOpt{
+					model.RegOpt{ //nolint:gosec // fixture paths are test data.
 						Name:         "docker.io/crazymax",
 						Selector:     model.RegOptSelectorImage,
 						UsernameFile: "./fixtures/run_secrets_username",
@@ -325,7 +325,7 @@ func TestLoadEnv(t *testing.T) {
 				Watch:    (&model.Watch{}).GetDefaults(),
 				Defaults: (&model.Defaults{}).GetDefaults(),
 				RegOpts: model.RegOpts{
-					model.RegOpt{
+					model.RegOpt{ //nolint:gosec // fixture paths are test data.
 						Name:         "docker.io",
 						Selector:     model.RegOptSelectorImage,
 						UsernameFile: "./fixtures/run_secrets_username",
diff --git a/internal/grpc/client.go b/internal/grpc/client.go
index 83fb0dbc0..0751b901e 100644
--- a/internal/grpc/client.go
+++ b/internal/grpc/client.go
@@ -1,6 +1,7 @@
 package grpc
 
 import (
+	"context"
 	"net"
 
 	"github.com/crazy-max/diun/v4/internal/db"
@@ -44,7 +45,7 @@ func New(authority string, db *db.Client, notif *notif.Client) (*Client, error)
 func (c *Client) Start() error {
 	var err error
 
-	lis, err := net.Listen("tcp", c.authority)
+	lis, err := (&net.ListenConfig{}).Listen(context.Background(), "tcp", c.authority)
 	if err != nil {
 		return errors.Wrap(err, "cannot create gRPC listener")
 	}
diff --git a/internal/notif/discord/client.go b/internal/notif/discord/client.go
index 606e2672c..82053586a 100644
--- a/internal/notif/discord/client.go
+++ b/internal/notif/discord/client.go
@@ -64,7 +64,8 @@ func (c *Client) Send(entry model.NotifEntry) error {
 
 	if len(c.cfg.Mentions) > 0 {
 		for _, mention := range c.cfg.Mentions {
-			content.WriteString(fmt.Sprintf("%s ", mention))
+			content.WriteString(mention)
+			content.WriteString(" ")
 		}
 	}
 	content.WriteString(string(body))
diff --git a/internal/notif/script/client.go b/internal/notif/script/client.go
index 32094f2ba..4a4620fd6 100644
--- a/internal/notif/script/client.go
+++ b/internal/notif/script/client.go
@@ -2,6 +2,7 @@ package script
 
 import (
 	"bytes"
+	"context"
 	"os"
 	"os/exec"
 	"strings"
@@ -37,7 +38,7 @@ func (c *Client) Name() string {
 
 // Send creates and sends a script notification with an entry
 func (c *Client) Send(entry model.NotifEntry) error {
-	cmd := exec.Command(c.cfg.Cmd, c.cfg.Args...)
+	cmd := exec.CommandContext(context.Background(), c.cfg.Cmd, c.cfg.Args...)
 	setSysProcAttr(cmd)
 
 	// Capture output