diff --git a/.github/workflows/release-ci.yml b/.github/workflows/release-ci.yml index f725dbd3..3d3b7951 100644 --- a/.github/workflows/release-ci.yml +++ b/.github/workflows/release-ci.yml @@ -4,27 +4,27 @@ on: workflow_dispatch: schedule: - cron: '0 0 * * *' - + # In case we change the some build scripts: push: branches: - master paths: - - 'utils/*/install.sh' + - 'utils/**' - '.ci/release-ci/**' - '.github/workflows/release-ci.yml' pull_request: paths: - - 'utils/*/install.sh' + - 'utils/**' - '.ci/release-ci/**' - '.github/workflows/release-ci.yml' -concurrency: +concurrency: group: ${{ github.head_ref || github.run_id }} cancel-in-progress: true jobs: - build: + existing: runs-on: ubuntu-latest strategy: matrix: @@ -50,12 +50,29 @@ jobs: SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \ make release-ci + # Keep in sync with `release.yml`: + dryrun: + runs-on: ubuntu-latest + strategy: + matrix: + release-type: + - apk + - deb + - rpm + steps: + - uses: actions/checkout@v3 + - name: Run dry run of the release process + run: | + SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \ + SECRETS_RELEASE_DRY_RUN=1 \ + make release + # https://github.community/t/run-github-actions-job-only-if-previous-job-has-failed/174786/2 create-issue-on-failure: name: Create an issue if release-ci cron failed runs-on: ubuntu-latest - needs: [build] - if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && needs.build.result == 'failure' }} + needs: [existing] + if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && (needs.existing.result == 'failure' || needs.dryrun.result == 'failure') }} permissions: issues: write steps: diff --git a/utils/apk/deploy.sh b/utils/apk/deploy.sh index 3c504e5d..7e5b008b 100644 --- a/utils/apk/deploy.sh +++ b/utils/apk/deploy.sh 
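Review bot: In `create-issue-on-failure`, the new condition reads `needs.dryrun.result`, but `needs:` lists only `existing`, so `dryrun` is not part of this job's `needs` context. That half of the expression compares an empty value with 'failure' and is never true, and the job may also start before `dryrun` has finished, so a dry run that breaks on the nightly schedule will not open an issue. Listing both jobs fixes it: `needs: [existing, dryrun]`. Separately, the new `dryrun` job runs `make release` on `pull_request` without a `permissions:` block; adding `permissions:` with `contents: read` to that job would keep its token least-privilege.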
@@ -2,15 +2,20 @@ set -e +if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then + echo 'dry-run finished' + exit 0 +fi + # shellcheck disable=SC1090,SC1091 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh" # shellcheck disable=SC1090,SC1091 source "$SECRETS_PROJECT_ROOT/utils/apk/meta.sh" -VERSION_NAME="git-secret-${SCRIPT_VERSION}.apk" +readonly VERSION_NAME="git-secret-${SCRIPT_VERSION}.apk" # Artifactory location: -BASE_API_URL='https://gitsecret.jfrog.io/artifactory' +readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory' function upload_with_architecture { @@ -18,7 +23,8 @@ function upload_with_architecture { local file_location file_location="$(locate_release 'apk' "$arch")" - curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ + curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ --max-time 10 \ --retry 3 \ --retry-delay 5 \ @@ -31,7 +37,8 @@ for architecture in "${ALPINE_ARCHITECTURES[@]}"; do done # Now, we need to trigger metadata reindex: -curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ +curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ --max-time 5 \ --retry 3 \ --retry-delay 5 \ diff --git a/utils/apk/meta.sh b/utils/apk/meta.sh index 34ed747f..947e746f 100644 --- a/utils/apk/meta.sh +++ b/utils/apk/meta.sh @@ -1,7 +1,7 @@ # Full list is here: # http://dl-cdn.alpinelinux.org/alpine/v3.13/main/ # shellcheck disable=SC2034 -ALPINE_ARCHITECTURES=( +readonly ALPINE_ARCHITECTURES=( 'aarch64' 'armhf' 'armv7' diff --git a/utils/build-utils.sh b/utils/build-utils.sh index 6028b33b..988d2726 100755 --- a/utils/build-utils.sh +++ b/utils/build-utils.sh 
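Review bot: The dry-run guard in `utils/apk/deploy.sh` (and the identical guards in `utils/deb/deploy.sh` and `utils/rpm/deploy.sh`) reads `SECRETS_DEPLOY_DRY_RUN`, while the workflow in this commit sets `SECRETS_RELEASE_DRY_RUN`; the translation between the two is not visible in this diff and is presumably done in the Makefile. If that mapping is missing or later renamed, the guard is skipped silently and the script continues to the authenticated upload path, so it is worth failing closed. One option is a check right after the guard that aborts when no credentials are present, e.g. `: "${SECRETS_ARTIFACTORY_CREDENTIALS:?credentials are required for a real deploy}"`. Because the guard exits before `build-utils.sh` is sourced, the dry run also does not confirm that `locate_release` can find the built package.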
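Review bot: The reflowed `curl -sS` call in `upload_with_architecture` still has no `--fail`, so a 401, 403 or 5xx response from Artifactory exits 0 and `set -e` never sees the rejected upload. Starting the call with `curl -sS --fail \` would make a failed upload stop the release; the same applies to the reindex call in the next hunk and to the curl calls in `utils/deb/deploy.sh` and `utils/rpm/deploy.sh`, which also lack the `--max-time` and `--retry` options used here. Passing the credentials with `-u` places them on the command line, where they can be visible in the process list; reading them from a curl config on stdin with `-K -` avoids that. The body of `upload_with_architecture` starts and ends outside this hunk.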
@@ -6,19 +6,19 @@ set -e source "$SECRETS_PROJECT_ROOT/src/version.sh" # Initializing and settings: -READ_PERM=0644 -EXEC_PERM=0755 +readonly READ_PERM=0644 +readonly EXEC_PERM=0755 -SCRIPT_NAME='git-secret' -SCRIPT_DESCRIPTION='Shell scripts to encrypt your private data inside a git repository.' -SCRIPT_VERSION="$GITSECRET_VERSION" +readonly SCRIPT_NAME='git-secret' +readonly SCRIPT_DESCRIPTION='Shell scripts to encrypt your private data inside a git repository.' +readonly SCRIPT_VERSION="$GITSECRET_VERSION" # This may be overridden: if [[ -z "$SCRIPT_BUILD_DIR" ]]; then SCRIPT_BUILD_DIR="$PWD/build" fi -SCRIPT_DEST_DIR="$SCRIPT_BUILD_DIR/buildroot" +readonly SCRIPT_DEST_DIR="$SCRIPT_BUILD_DIR/buildroot" function locate_release { diff --git a/utils/deb/deploy.sh b/utils/deb/deploy.sh index e62239f0..c08994e5 100755 --- a/utils/deb/deploy.sh +++ b/utils/deb/deploy.sh @@ -2,23 +2,30 @@ set -e +if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then + echo 'dry-run finished' + exit 0 +fi + # shellcheck disable=SC1090,SC1091 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh" # Artifactory location: -BASE_API_URL='https://gitsecret.jfrog.io/artifactory' +readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory' # This folder should contain just one `.dev` file: -DEB_FILE_LOCATION="$(locate_release 'deb')" -DEB_FILE_NAME="$(basename "$DEB_FILE_LOCATION")" +readonly DEB_FILE_LOCATION="$(locate_release 'deb')" +readonly DEB_FILE_NAME="$(basename "$DEB_FILE_LOCATION")" -curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ +curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ -XPUT "$BASE_API_URL/git-secret-deb/$DEB_FILE_NAME;deb.distribution=git-secret;deb.component=main;deb.architecture=all" \ -T "$DEB_FILE_LOCATION" # Now, we need to trigger metadata reindex: -curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ +curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ -XPOST "$BASE_API_URL/api/deb/reindex/git-secret-deb" echo 
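Review bot: Marking these globals `readonly` in a file that is meant to be sourced makes a second `source` of `utils/build-utils.sh` in the same shell fail on the first assignment, and with `set -e` that aborts the caller. Whether any entry point sources it twice (directly and through another helper) is not visible in this diff, so the callers need a check; an early-return guard at the top of the file, keyed on a variable that is set once the file has loaded, would make repeated sourcing safe. `SCRIPT_BUILD_DIR` stays writable while `SCRIPT_DEST_DIR`, which is derived from it, is frozen; a comment such as `# SCRIPT_BUILD_DIR must be set before this file is sourced; SCRIPT_DEST_DIR is fixed afterwards` would record that.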
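Review bot: `readonly DEB_FILE_LOCATION="$(locate_release 'deb')"` hides the exit status of `locate_release`: the status of the line is that of `readonly`, so under `set -e` a failed lookup no longer stops the script (ShellCheck SC2155) and the authenticated `curl -T` goes ahead with an empty or wrong path. The plain assignment it replaces did abort on failure. Split it into `DEB_FILE_LOCATION="$(locate_release 'deb')"` followed by `readonly DEB_FILE_LOCATION`, and do the same for `DEB_FILE_NAME` and for `RPM_FILE_LOCATION` and `RPM_FILE_NAME` in `utils/rpm/deploy.sh`.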
diff --git a/utils/rpm/deploy.sh b/utils/rpm/deploy.sh index b02512c5..f880ea62 100644 --- a/utils/rpm/deploy.sh +++ b/utils/rpm/deploy.sh @@ -2,23 +2,30 @@ set -e +if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then + echo 'dry-run finished' + exit 0 +fi + # shellcheck disable=SC1090,SC1091 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh" # Artifactory location: -BASE_API_URL='https://gitsecret.jfrog.io/artifactory' +readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory' # This folder should contain just one `.rpm` file: -RPM_FILE_LOCATION="$(locate_release 'rpm')" -RPM_FILE_NAME="$(basename "$RPM_FILE_LOCATION")" +readonly RPM_FILE_LOCATION="$(locate_release 'rpm')" +readonly RPM_FILE_NAME="$(basename "$RPM_FILE_LOCATION")" -curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ +curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ -XPUT "$BASE_API_URL/git-secret-rpm/rpm/$RPM_FILE_NAME" \ -T "$RPM_FILE_LOCATION" # Now, we need to trigger metadata reindex: -curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ +curl -sS \ + -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \ -XPOST "$BASE_API_URL/api/yum/git-secret-rpm?async=1" echo diff --git a/utils/uninstall.sh b/utils/uninstall.sh index 241e7397..daa52acb 100755 --- a/utils/uninstall.sh +++ b/utils/uninstall.sh @@ -3,7 +3,7 @@ set -e -PREFIX="$1" +readonly PREFIX="$1" if [ -z "$PREFIX" ]; then echo "usage: $0 " >&2 exit 1