diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 33f3826..7cadbb5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,6 +14,7 @@ name: "CodeQL Semantic Analysis" on: push: # all pushes pull_request: # all PR + types: [review_requested, ready_for_review] # only non-draft PR schedule: - cron: '0 2 * * *' # every night at 2am diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..630487e --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,52 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# +#name: Release +# +#on: +# release: +# types: [created] +# +#jobs: +# build: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v2 +# - uses: actions/setup-node@v2 +# with: +# node-version: 12 +# - run: npm ci +# - run: npm test +# +# publish-npm: +# needs: build +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v2 +# - uses: actions/setup-node@v2 +# with: +# # we always publish targeting the lowest supported node version +# node-version: 12 +# registry-url: 'https://registry.npmjs.org/' +# - run: npm ci +# - run: npm publish --access public +# env: +# NODE_AUTH_TOKEN: ${{secrets.npm_token}} +# +# publish-gpr: +# needs: build +# runs-on: ubuntu-latest +# permissions: +# contents: read +# packages: write +# steps: +# - uses: actions/checkout@v2 +# - uses: actions/setup-node@v2 +# with: +# # we always publish targeting the lowest supported node version +# node-version: 12 +# registry-url: $registry-url(npm) +# - run: npm ci +# - run: npm publish --access public +# env: +# NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file 
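Review bot: The `types: [review_requested, ready_for_review]` filter added under `pull_request` replaces the default activity types (`opened`, `synchronize`, `reopened`), so commits pushed to an open pull request no longer start a CodeQL run through this trigger. The `push` trigger presumably still covers branches in this repository, but pull requests from forks raise no `push` event here, so their code would be analysed only when a review is requested or a draft is marked ready. To skip drafts without losing those scans, keep the default types and gate the job instead: `types: [opened, synchronize, reopened, ready_for_review]` together with `if: github.event_name != 'pull_request' || github.event.pull_request.draft == false` on the analysis job. The jobs section lies outside this hunk, so where that `if:` goes has to be checked against the full file.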
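Review bot: `registry-url: $registry-url(npm)` in the commented-out `publish-gpr` job is an unsubstituted starter-workflow placeholder, not a registry URL, and the same value is live in the `publish-github-dry` job of tests-release.yml. For GitHub Packages the line should read `registry-url: 'https://npm.pkg.github.com/'`, otherwise the step that receives `GITHUB_TOKEN` is not pointed at the registry it is meant for. Because every line of this file is commented out, the header should also say that the workflow is intentionally disabled and what has to be in place before it is enabled; the two existing header lines describe it as if it were active.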
diff --git a/.github/workflows/tests-release.yml b/.github/workflows/tests-release.yml
new file mode 100644
index 0000000..6eba05e
--- /dev/null
+++ b/.github/workflows/tests-release.yml
@@ -0,0 +1,149 @@
+name: Tests for Release
+
+on:
+ push:
+ branches:
+ - release-* # all release- branches
+ pull_request:
+ # only non-draft PR and when there are "pushes" to the open PR
+ types: [review_requested, ready_for_review, synchronize]
+ branches:
+ - release-* # all release- branches
+
+
+jobs:
+ # STEP 1 - NPM Audit
+
+ # Before we even test a thing we want to have a clean audit! Since this is
+ # sufficient to be done using the lowest node version, we can easily use
+ # a fixed one:
+
+ audit:
+ name: NPM Audit
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: '12'
+ - run: npm audit --production # no audit for dev dependencies
+
+ # STEP 2 - basic unit tests
+
+ # This is the standard unit tests as we do in the basic tests for every PR
+ unittest:
+ name: Basic unit tests
+ runs-on: ubuntu-latest
+ needs: [audit]
+ strategy:
+ matrix:
+ node: [12, 14, 16]
+ steps:
+ - name: Checkout ${{ matrix.node }}
+ uses: actions/checkout@v2
+
+ - name: Setup node ${{ matrix.node }}
+ uses: actions/setup-node@v2
+ with:
+ node-version: ${{ matrix.node }}
+
+ - name: Cache dependencies ${{ matrix.node }}
+ uses: actions/cache@v1
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-${{ matrix.node }}
+
+ # for this workflow we also require npm audit to pass
+ - run: npm ci
+ - run: npm run test:coverage
+
+ # with the following action we enforce PRs to have a high coverage
+ # and ensure, changes are tested well enough so that coverage won't fail
+ - name: check coverage
+ uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+ with:
+ path: './coverage/lcov.info'
+ min_coverage: 95
+
+ # STEP 3 - Integration tests
+
+ # Since our release may affect several packages that depend on it we need to
+ # cover the closest ones, like adapters and examples.
+
+ integrationtests:
+ name: Extended integration tests
+ runs-on: ubuntu-latest
+ needs: [unittest]
+ strategy:
+ matrix:
+ node: [12, 14] # TODO get running for node 16
+ steps:
+ # checkout this repo
+ - name: Checkout ${{ matrix.node }}
+ uses: actions/checkout@v2
+
+ # checkout express-adapter repo
+ - name: Checkout express-adapter ${{ matrix.node }}
+ uses: actions/checkout@v2
+ with:
+ repository: node-oauth/express-oauth-server
+ path: github/testing/express
+
+ - name: Setup node ${{ matrix.node }}
+ uses: actions/setup-node@v2
+ with:
+ node-version: ${{ matrix.node }}
+
+ - name: Cache dependencies ${{ matrix.node }}
+ uses: actions/cache@v1
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
+
+ # in order to test the adapter we need to use the current checkout
+ # and install it as local dependency
+ # we just cloned and install it as local dependency
+ - run: |
+ cd github/testing/express
+ npm ci
+ npm install ../../../
+ npm run test
+
+ # todo repeat with other adapters
+
+ publish-npm-dry:
+ runs-on: ubuntu-latest
+ needs: [integrationtests]
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: 12
+ registry-url: https://registry.npmjs.org/
+ - run: npm ci
+ - run: npm publish --dry-run
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.npm_token}}
+
+ publish-github-dry:
+ needs: [integrationtests]
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ # we always publish targeting the lowest supported node version
+ node-version: 12
+ registry-url: $registry-url(npm)
+ - run: npm ci
+ - run: npm publish --dry-run
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
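Review bot: `publish-npm-dry` hands `NODE_AUTH_TOKEN: ${{secrets.npm_token}}` to an `npm publish --dry-run` step in a workflow that runs on pull requests and on every push to `release-*`, so the real publish credential is present in a step that, as far as I know, still runs the package's lifecycle scripts from the checked-out branch. A dry run uploads nothing and should not need the token, so dropping the `env:` block from both dry-run steps removes that exposure. For the same reason `publish-github-dry` does not need `packages: write`; its `permissions:` can be reduced to `contents: read`. That is best declared once at workflow level, so the `audit`, `unittest` and `integrationtests` jobs, which have no `permissions:` block, are restricted as well.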
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 26c6ed7..e8b05a7 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,44 +1,21 @@ -name: Test suite +name: Tests + +# This workflow runs standard unit tests to ensure basic integrity and avoid +# regressions on pull-requests (and pushes) on: push: branches: - - master # allthough master is push protected we still keep it + - master # allthough master is push protected we still keep it - development - pull_request: # runs on all PR + pull_request: # runs on all PR + branches-ignore: + - release-* # on release we run an extended workflow so no need for this jobs: - # ---------------------------------- - # uncomment when a linter is added - # ---------------------------------- - - # lintjs: - # name: Javascript lint - # runs-on: ubuntu-latest - # steps: - # - name: checkout - # uses: actions/checkout@v2 - # - # - name: setup node - # uses: actions/setup-node@v1 - # with: - # node-version: '12.x' - # - # - name: cache dependencies - # uses: actions/cache@v1 - # with: - # path: ~/.npm - # key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - # restore-keys: | - # ${{ runner.os }}-node- - # - run: npm ci - # - run: npm run lint - unittest: name: unit tests runs-on: ubuntu-latest - # uncomment when a linter is added - # needs: [lintjs] strategy: matrix: node: [12, 14, 16] 
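Review bot: With `branches-ignore: release-*` added under `pull_request`, pull requests targeting a release branch are tested only by tests-release.yml, and that workflow's `types: [review_requested, ready_for_review, synchronize]` omits `opened` and `reopened`. A pull request opened as ready for review against `release-*` would then get no audit or test run until a new commit is pushed or a review is requested. Adding the missing types on the release workflow closes the gap: `types: [opened, reopened, review_requested, ready_for_review, synchronize]`. The comment typo `allthough` on the `master` line could be corrected to `although` while the line is being touched. The `unittest` job continues past the end of this hunk.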
@@ -61,15 +38,10 @@ jobs: - run: npm ci - run: npm run test:coverage - # ---------------------------------- - # uncomment when a linter is added - # ---------------------------------- - - # - name: check coverage - # uses: devmasx/coverage-check-action@v1.2.0 - # with: - # type: lcov - # result_path: coverage/lcov.info - # min_coverage: 90 - # token: ${{github.token}} - + # with the following action we enforce PRs to have a high coverage + # and ensure, changes are tested well enough so that coverage won't fail + - name: check coverage + uses: VeryGoodOpenSource/very_good_coverage@v1.2.0 + with: + path: './coverage/lcov.info' + min_coverage: 95 diff --git a/package.json b/package.json index c0deb37..7e6000c 100644 --- a/package.json +++ b/package.json @@ -46,7 +46,7 @@ "test": "NODE_ENV=test ./node_modules/.bin/mocha 'test/**/*_test.js'", "test-debug": "NODE_ENV=test ./node_modules/.bin/mocha --inspect --debug-brk 'test/**/*_test.js'", "test:watch": "NODE_ENV=test ./node_modules/.bin/mocha --watch 'test/**/*_test.js'", - "test:coverage": "NODE_ENV=test nyc --reporter=html --reporter=text ./node_modules/.bin/mocha 'test/**/*_test.js'", + "test:coverage": "NODE_ENV=test nyc --reporter=html --reporter=lcov --reporter=text ./node_modules/.bin/mocha 'test/**/*_test.js'", "lint": "npx eslint .", "lint:fix": "npx eslint . --fix" },
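Review bot: The new `check coverage` step references a third-party action by a mutable tag, `VeryGoodOpenSource/very_good_coverage@v1.2.0`, and a tag can be repointed to different code after this review. Pinning to the full commit SHA keeps the executed code fixed: `uses: VeryGoodOpenSource/very_good_coverage@<FULL_COMMIT_SHA_FOR_v1.2.0>  # v1.2.0` (placeholder; look up the SHA of that release). The same tag reference is added in the `unittest` job of tests-release.yml. The job this step belongs to starts outside this hunk, so whether it sets a restrictive `permissions:` block cannot be confirmed from here.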