diff --git a/.github/workflows/build_publish.yml b/.github/workflows/build_publish.yml
new file mode 100644
index 0000000..9435188
--- /dev/null
+++ b/.github/workflows/build_publish.yml
@@ -0,0 +1,63 @@
+name: Build and publish
+
+on:
+  workflow_call: {}
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_6.1.gemfile
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+
+    - name: Build gem
+      run: bundle exec rake build
+
+    - name: Archive coverage
+      if: success()
+      uses: actions/upload-artifact@v4
+      with:
+        name: gem-pkg
+        path: pkg/*.gem
+
+  publish:
+    name: Publish
+    needs: build
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.2'
+
+    - uses: actions/download-artifact@v4
+      with:
+        name: gem-pkg
+        path: pkg/
+
+    - name: Publish to GPR
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} pkg/*.gem
+      env:
+        GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
+        OWNER: ${{ github.repository_owner }}
+
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
new file mode 100644
index 0000000..2d0d659
--- /dev/null
+++ b/.github/workflows/changelog.yml
@@ -0,0 +1,29 @@
+name: Changelog
+
+on:
+  pull_request:
+    branches:
+      - '**'
+
+jobs:
+  changelog-updated:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+    - name: Check if changelog updated
+      id: changed-files-specific
+      uses: tj-actions/changed-files@v44
+      with:
+        base_sha: ${{ github.event.pull_request.base.sha }}
+        files: |
+          CHANGELOG.md
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Fail job if changelog not updated
+      if: steps.changed-files-specific.outputs.any_changed == 'false'
+      run: |
+        exit 1
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4063259..df8fdc9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,14 +2,19 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
+    branches:
+      - '**'
+    tags:
+      - '**'
 
 jobs:
   test:
     if: github.ref_type == 'branch' && github.ref_name != 'main'
     uses: ./.github/workflows/test.yml
-  # code_quality:
-  #   if: github.ref_type == 'branch' && github.ref_name != 'main'
-  #   uses: ./.github/workflows/code_quality.yml
+
+  code_quality:
+    if: github.ref_type == 'branch' && github.ref_name != 'main'
+    uses: ./.github/workflows/code_quality.yml
+
+  build_publish:
+    uses: ./.github/workflows/build_publish.yml
diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
new file mode 100644
index 0000000..7443081
--- /dev/null
+++ b/.github/workflows/code_quality.yml
@@ -0,0 +1,20 @@
+name: 'Code quality'
+on:
+  workflow_call: {}
+
+jobs:
+  rubocop:
+    name: Rubocop
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_7.2.gemfile
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: Inspecting with Rubocop
+        run: bundle exec rubocop
+
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a062fff..d4c23b0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
     env:
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.gemfile }}.gemfile
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 701fff0..7664846 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-07-02 19:48:59 UTC using RuboCop version 1.64.1.
+# on 2025-04-14 10:55:46 UTC using RuboCop version 1.75.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -14,7 +14,7 @@ Gemspec/DevelopmentDependencies:
   Exclude:
     - 'rpi_auth.gemspec'
 
-# Offense count: 1
+# Offense count: 2
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 23
@@ -33,7 +33,7 @@ RSpec/MultipleExpectations:
 RSpec/MultipleMemoizedHelpers:
   Max: 6
 
-# Offense count: 10
+# Offense count: 12
 # Configuration parameters: AllowedGroups.
 RSpec/NestedGroups:
   Max: 5
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac8acd7..cea65db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 ### Fixed
+- Reinstated static code analysis checks in CI (#73)
 
 ### Removed
 
diff --git a/lib/rpi_auth/spec_helpers.rb b/lib/rpi_auth/spec_helpers.rb
index f371d26..8d9e4a4 100644
--- a/lib/rpi_auth/spec_helpers.rb
+++ b/lib/rpi_auth/spec_helpers.rb
@@ -5,7 +5,7 @@ module SpecHelpers
     # This sets up the OmniAuth mock for the given user.  It assumes the User
     # model has an `:user_id` method which returns the users ID, but this can
     # be changed by setting the `id_param` option.
-    def stub_auth_for(user:, id_param: :user_id) # rubocop:disable Metrics/AbcSize
+    def stub_auth_for(user:, id_param: :user_id)
       expires_in = user.respond_to?(:expires_at) ? user.expires_at.to_i - Time.zone.now.to_i : 3600
       token = user.respond_to?(:access_token) ? user.access_token : SecureRandom.hex(16)
       refresh_token = user.respond_to?(:refresh_token) ? user.refresh_token : SecureRandom.hex(16)
diff --git a/spec/dummy/spec/requests/auth_request_spec.rb b/spec/dummy/spec/requests/auth_request_spec.rb
index b91cf5d..9476af1 100644
--- a/spec/dummy/spec/requests/auth_request_spec.rb
+++ b/spec/dummy/spec/requests/auth_request_spec.rb
@@ -265,7 +265,7 @@
           expect(response).to redirect_to('/')
         end
 
-        context 'when the proc resolves to something other than nil' do # rubocop:disable RSpec/NestedGroups
+        context 'when the proc resolves to something other than nil' do
           # We use `current_user` and `request.env` here as they're available
           # in the context of the controller.  We use `let!` to make sure the
           # proc is defined straightaway, rather than later, when `request` and
@@ -283,7 +283,7 @@
           end
         end
 
-        context 'when the proc raises an exception' do # rubocop:disable RSpec/NestedGroups
+        context 'when the proc raises an exception' do
           # We use `current_user` and `request.env` here as they're available
           # in the context of the controller.  We use `let!` to make sure the
           # proc is defined straightaway, rather than later, when `request` and