diff --git a/.github/workflows/migrations.yaml b/.github/workflows/migrations.yaml
index fa98c9ce9..abed42ac6 100644
--- a/.github/workflows/migrations.yaml
+++ b/.github/workflows/migrations.yaml
@@ -183,7 +183,7 @@ jobs:
           fi
       - name: Check version
         run: |
-          ./migrate.sh $svc desired
+          ./migrate.sh "$svc" desired
           if [ "$current" -ge "$(./migrate.sh $svc desired)" ]; then
             echo "Migrations must be newer than the version of staging! You probably lack behind, merge or rebase onto main first!"
             exit 1
@@ -192,11 +192,11 @@ jobs:
           current: ${{ steps.collect-version.outputs.VERSION }}
 
       - name: Run UP migrations (1/2)
-        run: ./migrate.sh $svc up
+        run: ./migrate.sh "$svc" up
       - name: Generate schema.sql
         run: |
           /usr/lib/postgresql/15/bin/pg_dump \
-            postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB \
+            postgres://"$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" \
             --schema-only -O > ./services/${{ matrix.service }}/schema.sql
 
           sed 's/\(-- Dumped from database version [0-9]\+\.[0-9]\+\).*/\1/' -i ./services/${{ matrix.service }}/schema.sql
@@ -207,13 +207,13 @@ jobs:
         run: git diff --exit-code -- services/${{ matrix.service }} || (echo "You forgot to run ./models.sh before checking in" && exit 1)
       - name: Run DOWN migrations (1/2)
         run: |
-          [ "$VERSION" -eq 0 ] && yes | ./migrate.sh $svc down || ./migrate.sh $svc goto $VERSION
+          [ "$VERSION" -eq 0 ] && yes | ./migrate.sh "$svc" down || ./migrate.sh "$svc" goto "$VERSION"
         env:
           VERSION: ${{ steps.collect-version.outputs.VERSION }}
       - name: Run UP migrations (2/2)
-        run: ./migrate.sh $svc up
+        run: ./migrate.sh "$svc" up
       - name: Run DOWN migrations (2/2)
         run: |
-          [ "$VERSION" -eq 0 ] && yes | ./migrate.sh $svc down || ./migrate.sh $svc goto $VERSION
+          [ "$VERSION" -eq 0 ] && yes | ./migrate.sh "$svc" down || ./migrate.sh "$svc" goto "$VERSION"
         env:
           VERSION: ${{ steps.collect-version.outputs.VERSION }}
diff --git a/.github/workflows/publish-bufs.yaml b/.github/workflows/publish-bufs.yaml
index 3ba30c477..8004708df 100644
--- a/.github/workflows/publish-bufs.yaml
+++ b/.github/workflows/publish-bufs.yaml
@@ -44,22 +44,22 @@ jobs:
       id: breaking
       # We previously checked if any illegal breakage occurred, now check if we have breakage _at all_
       # If so, we publish this as a _major_ release
-      run: buf breaking --against '.git#ref=HEAD^' && echo "breaking=false" >> $GITHUB_OUTPUT || echo "breaking=true" >> $GITHUB_OUTPUT
+      run: buf breaking --against '.git#ref=HEAD^' && echo "breaking=false" >> "$GITHUB_OUTPUT" || echo "breaking=true" >> "$GITHUB_OUTPUT"
     - name: Has new package?
       id: new-package
       run: |
         last_tree=$(git ls-tree -d -r --name-only HEAD^ proto | sort) # directory tree of proto in old commit
         current_tree=$(find proto -type d | sort) # directory tree of proto right now
         new_dirs=$(comm -13 <(echo "$last_tree") <(echo "$current_tree")) # filter out lines, which are "-3": common (i.e. unchanged) or "-1": only in the last tree (i.e. removed)
-        echo $new_dirs
+        echo "$new_dirs"
         if [ -z "$new_dirs" ]; then
-          echo "new-package=false" >> $GITHUB_OUTPUT
+          echo "new-package=false" >> "$GITHUB_OUTPUT"
         else
-          echo "new-package=true" >> $GITHUB_OUTPUT
+          echo "new-package=true" >> "$GITHUB_OUTPUT"
         fi
     - name: Get SHA
       id: commit
-      run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      run: echo "sha=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
     - name: Get Bump
       id: bump
       run: |
@@ -72,7 +72,7 @@ jobs:
         else
           BUMP="patch"
         fi
-        echo "bump=$BUMP" >> $GITHUB_OUTPUT
+        echo "bump=$BUMP" >> "$GITHUB_OUTPUT"
       env:
         BREAKING: ${{ steps.breaking.outputs.breaking }}
         NEW_PKG: ${{ steps.new-package.outputs.new-package }}
@@ -91,10 +91,10 @@ jobs:
         registry-url: 'https://registry.npmjs.org'
     - name: Fetch latest version from registry
       working-directory: gen/ts
-      run: npm version $(npm view . version)
+      run: npm version "$(npm view . version)"
     - name: Bump version
       working-directory: gen/ts
-      run: npm version pre$BUMP --preid $SHA
+      run: npm version "pre$BUMP" --preid "$SHA"
       env:
         BUMP: ${{ needs.check-preconditions.outputs.bump }}
         SHA: ${{ needs.check-preconditions.outputs.commit }}
@@ -137,9 +137,9 @@ jobs:
         BUMP: ${{ needs.check-preconditions.outputs.bump }}
         SHA: ${{ needs.check-preconditions.outputs.commit }}
       run: |
-        VERSION=$(curl https://pub.dev/api/packages/helpwave_proto_dart -H "Accept: application/vnd.pub.v2+json" | jq ".latest.version" -r)
-        NEW_VERSION=$(semver bump $BUMP $VERSION)
-        NEW_VERSION=$(semver bump prerel $SHA $NEW_VERSION)
+        VERSION=$(curl "https://pub.dev/api/packages/helpwave_proto_dart" -H "Accept: application/vnd.pub.v2+json" | jq ".latest.version" -r)
+        NEW_VERSION=$(semver bump "$BUMP" "$VERSION")
+        NEW_VERSION=$(semver bump prerel "$SHA" "$NEW_VERSION")
         sed "s/version:.*/version: $NEW_VERSION/" pubspec.yaml -i
     - name: Publish to pub.dev
       working-directory: gen/dart
diff --git a/.github/workflows/spicedb.yaml b/.github/workflows/spicedb.yaml
index 4c9b17205..f5759ce6c 100644
--- a/.github/workflows/spicedb.yaml
+++ b/.github/workflows/spicedb.yaml
@@ -28,7 +28,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Get zed
         run: |
-          wget https://github.com/authzed/zed/releases/download/v${ZED_VERSION}/zed_${ZED_VERSION}_linux_amd64.deb -O zed.deb
+          wget "https://github.com/authzed/zed/releases/download/v${ZED_VERSION}/zed_${ZED_VERSION}_linux_amd64.deb" -O zed.deb
           sudo apt install -y ./zed.deb
       - run: |
           go run cmd/spice/spice.go test
diff --git a/.golangci.yaml b/.golangci.yaml
index 254a75c74..12b05b4fc 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -8,11 +8,9 @@ linters:
     - depguard # no need
     - ireturn # no need
     - funlen # we tend to have long funlens, who cares?
-    - execinquery # deprecated
     - goimports # unused
     - gochecknoglobals # we currently make use of globals
     - godot # petty linter
-    - gomnd # deprecated
     - gomoddirectives # not needed
     - gofumpt # false positives
     - mnd # too many false-positives
diff --git a/images/dev-go/Dockerfile b/images/dev-go/Dockerfile
index 37a8920f5..2d2728c6a 100644
--- a/images/dev-go/Dockerfile
+++ b/images/dev-go/Dockerfile
@@ -14,7 +14,7 @@ ENV PATH="$PATH:$GOROOT/bin"
 # update debian package list and packages, also install some
 RUN apt update \
     && apt upgrade -y \
-    && apt install sudo vim nano jq dnsutils postgresql-client lsb-release gpg redis-tools \
+    && apt install sudo vim nano jq dnsutils postgresql-client lsb-release gpg redis-tools shellcheck \
     	apt-transport-https ca-certificates curl gnupg2 software-properties-common \
 		-y \
     && apt-get clean autoclean -y && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*