diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64acd7f7..93bfd8c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,6 +62,9 @@ jobs: build: name: Build runs-on: macos-latest + permissions: + contents: read + security-events: write steps: - name: Checkout uses: actions/checkout@v6 @@ -104,6 +107,7 @@ jobs: detailed_summary: true - name: Archive Test Report + if: always() uses: actions/upload-artifact@v7 with: name: "Test-Artifacts" @@ -114,23 +118,24 @@ jobs: run: ./gradlew apiCheck - name: Run Lint - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' run: ./gradlew lintDebug - - name: Setup Ruby - if: github.event_name == 'pull_request' - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.0' - bundler-cache: true - - - name: Run Danger - if: github.event_name == 'pull_request' + - name: Collect Lint SARIF reports + if: github.event_name == 'pull_request' run: | - gem install danger - bundle exec danger --dangerfile=Dangerfile --danger_id=danger-pr - env: - DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} + mkdir -p sarif-reports + find . -name "lint-results-debug.sarif" | while read f; do + module=$(echo "$f" | sed 's|^\./||' | sed 's|/build/reports/.*||' | sed 's|/|-|g') + cp "$f" "sarif-reports/${module}-lint.sarif" + done + + - name: Upload Lint SARIF + if: always() && github.event_name == 'pull_request' + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'sarif-reports' + category: android-lint - name: Prepare Keystore and Local. if: startsWith(github.ref, 'refs/tags/') diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 00000000..0a3ac535 --- /dev/null +++ b/.github/workflows/pr-checks.yml 
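Review bot: The job-level `permissions` block added to the `build` job in `.github/workflows/ci.yml` grants `security-events: write` on every trigger, while its only visible consumer is the pull-request-only `Upload Lint SARIF` step; the same job also runs the tag-only `Prepare Keystore and Local.` step. Moving lint and the SARIF upload into their own job with `security-events: write`, and leaving the build job at `contents: read`, would keep the write scope away from the steps that handle signing material. A job-level block also sets every scope it does not list to none, so any later step in this job that relied on the default token (release publishing, for instance, which is not visible here) should be checked; the job body continues outside the hunk. If the block stays as it is, a comment such as `# security-events: write is needed only by upload-sarif on pull requests` would document the intent.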
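Review bot: In the third ci.yml hunk, `Collect Lint SARIF reports` keeps the default success condition, so if `./gradlew lintDebug` fails the build on lint errors the `sarif-reports` directory is never created. `Upload Lint SARIF` still runs because of `always()`, but it then has no reports to send, so the findings are lost exactly when lint reports errors. Give the collect step the same condition as the upload, `if: always() && github.event_name == 'pull_request'`. The loop should also read paths verbatim, `find . -name "lint-results-debug.sarif" | while IFS= read -r f; do`, so backslashes or leading whitespace in a path are not altered. All module files are uploaded under the single category `android-lint`; it is worth confirming that code scanning accepts several runs under one category, or deriving the category from the module name.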
@@ -0,0 +1,29 @@
+name: PR Checks
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: read
+
+jobs:
+ quality-gates:
+ name: Quality Gates
+ runs-on: ubuntu-latest
+ steps:
+ - name: PR Quality Gates
+ uses: actions/github-script@v8
+ with:
+ script: |
+ const { data: pr } = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number
+ });
+ const labels = pr.labels.map(l => l.name);
+ if (labels.some(l => l.includes('DO NOT MERGE')))
+ core.setFailed('PR specifies label DO NOT MERGE');
+ if (labels.some(l => l.includes('Engineers at work')) || pr.title.includes('[WIP]'))
+ core.warning('PR is marked as Work in Progress');
+ if (pr.additions + pr.deletions > 5000)
+ core.warning('Big PR');
diff --git a/Dangerfile b/Dangerfile
deleted file mode 100644
index a1df8564..00000000
--- a/Dangerfile
+++ /dev/null
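Review bot: In `.github/workflows/pr-checks.yml`, `on: pull_request:` without `types` fires only for opened, synchronize and reopened, so adding the `DO NOT MERGE` label or a `[WIP]` title after the last push does not re-run the gate, and removing the label does not clear an earlier failure. Listing the events closes that gap: `pull_request:` followed by `types: [opened, synchronize, reopened, labeled, unlabeled, edited]`. `actions/github-script@v8` here and `github/codeql-action/upload-sarif@v4` in ci.yml are referenced by mutable tags; pinning each to a full commit SHA, with the version in a trailing comment, protects the workflow from a moved tag. The top-level `permissions` block with `pull-requests: read` is least-privilege and could carry a short comment saying the script only reads PR metadata.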
@@ -1,38 +0,0 @@
-github.dismiss_out_of_range_messages
-
-# Make it more obvious that a PR is a work in progress and shouldn't be merged yet.
-has_wip_label = github.pr_labels.any? { |label| label.include? "Engineers at work" }
-has_wip_title = github.pr_title.include? "[WIP]"
-
-if has_wip_label || has_wip_title
- warn("PR is marked as Work in Progress")
-end
-
-# Ensure the PR is not marked as DO NOT MERGE
-fail("PR specifies label DO NOT MERGE") if github.pr_labels.any? { |label| label.include? "DO NOT MERGE" }
-
-# Warn when there is a big PR
-warn("Big PR") if git.lines_of_code > 5000
-
-File.open("settings.gradle.kts", "r") do |file_handle|
- file_handle.each_line do |setting|
- if setting.include? "include"
- gradleModule = setting[10, setting.length-12]
-
- # AndroidLint
- androidLintFile = String.new(gradleModule + "/build/reports/lint-results.xml")
- androidLintDebugFile = String.new(gradleModule + "/build/reports/lint-results-debug.xml")
- if File.file?(androidLintFile) || File.file?(androidLintDebugFile)
- android_lint.skip_gradle_task = true
- android_lint.severity = "Warning"
- if File.file?(androidLintFile)
- android_lint.report_file = androidLintFile
- else
- android_lint.report_file = androidLintDebugFile
- end
- android_lint.filtering = true
- android_lint.lint(inline_mode: true)
- end
- end
- end
-end
\ No newline at end of file
diff --git a/Gemfile b/Gemfile
deleted file mode 100644
index 9f84709d..00000000
--- a/Gemfile
+++ /dev/null
@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
-
-gem 'danger'
-gem 'danger-android_lint'
\ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
deleted file mode 100644
index 4a820afc..00000000
--- a/Gemfile.lock
+++ /dev/null
@@ -1,78 +0,0 @@ -GEM - remote: https://rubygems.org/ - specs: - addressable (2.8.5) - public_suffix (>= 2.0.2, < 6.0) - ansi (1.5.0) - ast (2.4.2) - claide (1.1.0) - claide-plugins (0.9.2) - cork - nap - open4 (~> 1.3) - colored2 (3.1.2) - cork (0.3.0) - colored2 (~> 3.1) - danger (9.3.1) - claide (~> 1.0) - claide-plugins (>= 0.9.2) - colored2 (~> 3.1) - cork (~> 0.1) - faraday (>= 0.9.0, < 3.0) - faraday-http-cache (~> 2.0) - git (~> 1.13) - kramdown (~> 2.3) - kramdown-parser-gfm (~> 1.0) - no_proxy_fix - octokit (~> 6.0) - terminal-table (>= 1, < 4) - danger-android_lint (0.0.12) - danger-plugin-api (~> 1.0) - oga - danger-plugin-api (1.0.0) - danger (> 2.0) - faraday (2.7.10) - faraday-net_http (>= 2.0, < 3.1) - ruby2_keywords (>= 0.0.4) - faraday-http-cache (2.5.0) - faraday (>= 0.8) - faraday-net_http (3.0.2) - git (1.18.0) - addressable (~> 2.8) - rchardet (~> 1.8) - kramdown (2.4.0) - rexml - kramdown-parser-gfm (1.1.0) - kramdown (~> 2.0) - nap (1.1.0) - no_proxy_fix (0.1.2) - octokit (6.1.1) - faraday (>= 1, < 3) - sawyer (~> 0.9) - oga (3.4) - ast - ruby-ll (~> 2.1) - open4 (1.3.4) - public_suffix (5.0.3) - rchardet (1.8.0) - rexml (3.3.9) - ruby-ll (2.1.3) - ansi - ast - ruby2_keywords (0.0.5) - sawyer (0.9.2) - addressable (>= 2.3.5) - faraday (>= 0.17.3, < 3) - terminal-table (3.0.2) - unicode-display_width (>= 1.1.1, < 3) - unicode-display_width (2.4.2) - -PLATFORMS - ruby - -DEPENDENCIES - danger - danger-android_lint - -BUNDLED WITH - 2.4.10 diff --git a/settings.gradle.kts b/settings.gradle.kts index ee04ca36..6ec6f8dc 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -28,7 +28,7 @@ dependencyResolutionManagement { versionCatalogs { create("baseLibs") { - from("com.mikepenz:version-catalog:0.14.1") + from("com.mikepenz:version-catalog:0.14.2") } } }