diff --git a/.golangci.yaml b/.golangci.yaml
index 083aa42..7df6274 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,8 +1,49 @@
+version: "2"
 run:
-  concurrency: 4
-  timeout: 10m
-
-issues:
-  exclude-files:
-  - "zz_generated.*\\.go$"
-  - "tmp/.*"
+  allow-parallel-runners: true
+linters:
+  default: none
+  enable:
+    - copyloopvar
+#    - dupl
+    - errcheck
+    - ginkgolinter
+    - goconst
+    - gocyclo
+    - govet
+    - ineffassign
+    - misspell
+#    - nakedret
+    - prealloc
+    - revive
+    - staticcheck
+    - unconvert
+#    - unparam
+    - unused
+  settings:
+    revive:
+      rules:
+        - name: comment-spacings
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - zz_generated.*\.go$
+      - tmp/.*
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/api/core/v1alpha1/project_types.go b/api/core/v1alpha1/project_types.go
index ca79720..2299c07 100644
--- a/api/core/v1alpha1/project_types.go
+++ b/api/core/v1alpha1/project_types.go
@@ -152,7 +152,7 @@ func (p *Project) RemoveCondition(conditionType ConditionType) {
 	p.Status.Conditions = conditions
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // ProjectList contains a list of Project
 type ProjectList struct {
diff --git a/api/core/v1alpha1/project_webhook.go b/api/core/v1alpha1/project_webhook.go
index bc0dc42..ac445a1 100644
--- a/api/core/v1alpha1/project_webhook.go
+++ b/api/core/v1alpha1/project_webhook.go
@@ -28,7 +28,7 @@ func (p *Project) SetupWebhookWithManager(mgr ctrl.Manager, memberOverridesName
 		Complete()
 }
 
-//+kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-project,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update,versions=v1alpha1,name=mproject.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-project,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update,versions=v1alpha1,name=mproject.kb.io,admissionReviewVersions=v1
 
 var _ webhook.CustomDefaulter = &Project{}
 
@@ -63,7 +63,7 @@ func (p *Project) ValidateDelete(ctx context.Context, obj runtime.Object) (warni
 	return
 }
 
-//+kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-project,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update;delete,versions=v1alpha1,name=vproject.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-project,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update;delete,versions=v1alpha1,name=vproject.kb.io,admissionReviewVersions=v1
 
 var _ webhook.CustomValidator = &projectValidator{}
 
diff --git a/api/core/v1alpha1/webhook_suite_test.go b/api/core/v1alpha1/webhook_suite_test.go
index b18eea7..c3d1993 100644
--- a/api/core/v1alpha1/webhook_suite_test.go
+++ b/api/core/v1alpha1/webhook_suite_test.go
@@ -13,7 +13,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
-	//+kubebuilder:scaffold:imports
+	// +kubebuilder:scaffold:imports
 
 	"github.com/google/uuid"
 	envtestutil "github.com/openmcp-project/controller-utils/pkg/envtest"
@@ -86,7 +86,7 @@ var _ = BeforeSuite(func() {
 
 	err = corev1.AddToScheme(testScheme)
 	Expect(err).NotTo(HaveOccurred())
-	//+kubebuilder:scaffold:scheme
+	// +kubebuilder:scaffold:scheme
 
 	k8sClient, err = client.New(cfg, client.Options{Scheme: testScheme})
 	Expect(err).NotTo(HaveOccurred())
@@ -112,7 +112,7 @@ var _ = BeforeSuite(func() {
 	err = (&Workspace{}).SetupWebhookWithManager(mgr, "test-override")
 	Expect(err).NotTo(HaveOccurred())
 
-	//+kubebuilder:scaffold:webhook
+	// +kubebuilder:scaffold:webhook
 
 	go func() {
 		defer GinkgoRecover()
diff --git a/api/core/v1alpha1/workspace_types.go b/api/core/v1alpha1/workspace_types.go
index 70b717b..4e6e9e6 100644
--- a/api/core/v1alpha1/workspace_types.go
+++ b/api/core/v1alpha1/workspace_types.go
@@ -152,7 +152,7 @@ func (ws *Workspace) RemoveCondition(conditionType ConditionType) {
 	ws.Status.Conditions = conditions
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // WorkspaceList contains a list of Workspace
 type WorkspaceList struct {
diff --git a/cmd/project-workspace-operator/main.go b/cmd/project-workspace-operator/main.go
index 7859334..92c9a2b 100644
--- a/cmd/project-workspace-operator/main.go
+++ b/cmd/project-workspace-operator/main.go
@@ -29,7 +29,7 @@ import (
 
 	openmcpv1alpha1 "github.com/openmcp-project/project-workspace-operator/api/core/v1alpha1"
 	pwocrds "github.com/openmcp-project/project-workspace-operator/api/crds"
-	//+kubebuilder:scaffold:imports
+	// +kubebuilder:scaffold:imports
 )
 
 const (
@@ -142,7 +142,7 @@ func (o *Options) run() {
 			os.Exit(1)
 		}
 	}
-	//+kubebuilder:scaffold:builder
+	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
diff --git a/hack/common b/hack/common
index f9fe558..80bfca5 160000
--- a/hack/common
+++ b/hack/common
@@ -1 +1 @@
-Subproject commit f9fe558a9ef4029d8268945d3ea86c9130039fdd
+Subproject commit 80bfca5ddf3186e97df6b7d1acdea035f6ba4632
diff --git a/internal/controller/core/common.go b/internal/controller/core/common.go
index 38fd82e..b85b2db 100644
--- a/internal/controller/core/common.go
+++ b/internal/controller/core/common.go
@@ -71,19 +71,19 @@ func (r *CommonReconciler) handleRemainingContentBeforeDelete(ctx context.Contex
 	if isProject {
 		namespace = project.Status.Namespace
 
-		if len(r.ProjectWorkspaceConfig.Project.ResourcesBlockingDeletion) == 0 {
+		if len(r.Project.ResourcesBlockingDeletion) == 0 {
 			return false, nil
 		}
 
-		resourcesBlockingDeletion = r.ProjectWorkspaceConfig.Project.ResourcesBlockingDeletion
+		resourcesBlockingDeletion = r.Project.ResourcesBlockingDeletion
 	} else {
 		namespace = workspace.Status.Namespace
 
-		if len(r.ProjectWorkspaceConfig.Workspace.ResourcesBlockingDeletion) == 0 {
+		if len(r.Workspace.ResourcesBlockingDeletion) == 0 {
 			return false, nil
 		}
 
-		resourcesBlockingDeletion = r.ProjectWorkspaceConfig.Workspace.ResourcesBlockingDeletion
+		resourcesBlockingDeletion = r.Workspace.ResourcesBlockingDeletion
 	}
 
 	remainingResources := make([]unstructured.Unstructured, 0)
@@ -95,7 +95,7 @@ func (r *CommonReconciler) handleRemainingContentBeforeDelete(ctx context.Contex
 		resList := &unstructured.UnstructuredList{}
 		resList.SetGroupVersionKind(gvk.ToSchemaGVK())
 
-		if err := r.Client.List(ctx, resList, client.InNamespace(namespace)); err != nil {
+		if err := r.List(ctx, resList, client.InNamespace(namespace)); err != nil {
 			log.Error(err, "failed to list resources")
 			return false, err
 		}
diff --git a/internal/controller/core/project_controller.go b/internal/controller/core/project_controller.go
index d33b14c..5c93b41 100644
--- a/internal/controller/core/project_controller.go
+++ b/internal/controller/core/project_controller.go
@@ -24,11 +24,11 @@ type ProjectReconciler struct {
 	CommonReconciler
 }
 
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=namespaces;secrets,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=projects/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=namespaces;secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;rolebindings,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -36,7 +36,7 @@ func (r *ProjectReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	log := log.FromContext(ctx)
 
 	project := &v1alpha1.Project{}
-	if err := r.Client.Get(ctx, req.NamespacedName, project); err != nil {
+	if err := r.Get(ctx, req.NamespacedName, project); err != nil {
 		if apierrors.IsNotFound(err) {
 			log.Info("Project not found")
 			return ctrl.Result{}, nil
@@ -159,7 +159,7 @@ func getSubjectsForProjectRole(project *v1alpha1.Project, role v1alpha1.ProjectM
 
 	for _, member := range project.Spec.Members {
 		if hasProjectRole(member, role) {
-			subjects = append(subjects, member.Subject.RbacV1())
+			subjects = append(subjects, member.RbacV1())
 		}
 	}
 
diff --git a/internal/controller/core/suite_test.go b/internal/controller/core/suite_test.go
index ddf38a3..8f3698d 100644
--- a/internal/controller/core/suite_test.go
+++ b/internal/controller/core/suite_test.go
@@ -15,7 +15,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	openmcpv1alpha1 "github.com/openmcp-project/project-workspace-operator/api/core/v1alpha1"
-	//+kubebuilder:scaffold:imports
+	// +kubebuilder:scaffold:imports
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -49,7 +49,7 @@ var _ = BeforeSuite(func() {
 	err = openmcpv1alpha1.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
-	//+kubebuilder:scaffold:scheme
+	// +kubebuilder:scaffold:scheme
 
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
 	Expect(err).NotTo(HaveOccurred())
diff --git a/internal/controller/core/utils_test.go b/internal/controller/core/utils_test.go
index a2cde40..70e8163 100644
--- a/internal/controller/core/utils_test.go
+++ b/internal/controller/core/utils_test.go
@@ -39,10 +39,10 @@ func TestNamespaceForProject(t *testing.T) {
 			expected:    "project-test",
 		},
 		// FIXME the current implementation panics if the project is nil
-		/*{
-		    description: "doesn't fail if nil",
-		    expected: "project-default",
-		},*/
+		// {
+		//     description: "doesn't fail if nil",
+		//     expected: "project-default",
+		// },
 	}
 
 	for _, test := range tests {
@@ -66,10 +66,10 @@ func TestNamespaceForWorkspace(t *testing.T) {
 			expected:    "my-namespace--ws-test",
 		},
 		// FIXME the current implementation panics if the workspace is nil
-		/*{
-		    description: "doesn't fail if nil",
-		    expected: "tbd",
-		},*/
+		// {
+		//     description: "doesn't fail if nil",
+		//     expected: "tbd",
+		// },
 	}
 
 	for _, test := range tests {
diff --git a/internal/controller/core/workspace_controller.go b/internal/controller/core/workspace_controller.go
index 7ff3a14..ba54844 100644
--- a/internal/controller/core/workspace_controller.go
+++ b/internal/controller/core/workspace_controller.go
@@ -31,9 +31,9 @@ type WorkspaceReconciler struct {
 	CommonReconciler
 }
 
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core.openmcp.cloud,resources=workspaces/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -41,7 +41,7 @@ func (r *WorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	log := log.FromContext(ctx)
 
 	workspace := &v1alpha1.Workspace{}
-	if err := r.Client.Get(ctx, req.NamespacedName, workspace); err != nil {
+	if err := r.Get(ctx, req.NamespacedName, workspace); err != nil {
 		if apierrors.IsNotFound(err) {
 			log.Info("Workspace not found")
 			return ctrl.Result{}, nil
@@ -139,7 +139,7 @@ func (r *WorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 
 func (r *WorkspaceReconciler) getProjectByNamespace(ctx context.Context, namespaceName string) (*v1alpha1.Project, error) {
 	namespace := &corev1.Namespace{}
-	if err := r.Client.Get(ctx, types.NamespacedName{Name: namespaceName}, namespace); err != nil {
+	if err := r.Get(ctx, types.NamespacedName{Name: namespaceName}, namespace); err != nil {
 		return nil, err
 	}
 
@@ -153,7 +153,7 @@ func (r *WorkspaceReconciler) getProjectByNamespace(ctx context.Context, namespa
 	}
 
 	project := &v1alpha1.Project{}
-	if err := r.Client.Get(ctx, types.NamespacedName{Name: projectName}, project); err != nil {
+	if err := r.Get(ctx, types.NamespacedName{Name: projectName}, project); err != nil {
 		return nil, err
 	}
 
@@ -300,7 +300,7 @@ func getSubjectsForWorkspaceRole(workspace *v1alpha1.Workspace, role v1alpha1.Wo
 
 	for _, member := range workspace.Spec.Members {
 		if hasWorkspaceRole(member, role) {
-			subjects = append(subjects, member.Subject.RbacV1())
+			subjects = append(subjects, member.RbacV1())
 		}
 	}