diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aa1a1be..0cea7b7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,7 @@
 name: build
+permissions: read-all
+
 on:
 push:
 branches: [main]
@@ -13,11 +15,19 @@ on:
 # See https://github.com/cristalhq/.github/.github/workflows
 jobs:
- test:
- uses: cristalhq/.github/.github/workflows/test.yml@d310feb31f65450fb641e8fd98645b705080a913
+ build:
+ uses: cristalhq/.github/.github/workflows/build.yml@d8f219c7111863d360a6c6f978ee64d6371a045e # latest @ main
+
+ codeql:
+ if: github.event.repository.public
+ permissions:
+ security-events: write
+ uses: cristalhq/.github/.github/workflows/codeql.yml@d8f219c7111863d360a6c6f978ee64d6371a045e # latest @ main
 release:
 if: github.event_name == 'workflow_dispatch'
- uses: cristalhq/.github/.github/workflows/release.yml@d310feb31f65450fb641e8fd98645b705080a913
+ uses: cristalhq/.github/.github/workflows/release.yml@d8f219c7111863d360a6c6f978ee64d6371a045e # latest @ main
+ permissions:
+ contents: write
 with:
 tag: ${{ github.event.input.tag }}
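Review bot: The workflow-level default added at the top, `permissions: read-all`, gives the token read access to every scope, which is broader than a build job normally needs. A tighter default would be a `permissions:` mapping holding only `contents: read`; `codeql` and `release` in the second hunk declare their own job-level permissions, so only `build` inherits this default. Whether the reusable build.yml needs any further read scope is not visible here and should be checked before narrowing. The `on:` block continues outside the hunk.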
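Review bot: The `release` job is now granted `contents: write`, yet the `tag` passed on the last line reads `github.event.input.tag`; the workflow_dispatch payload exposes inputs under `inputs`, so this expression presumably evaluates to an empty string and `tag: ${{ github.event.inputs.tag }}` (or `${{ inputs.tag }}`) looks like the intent. The input declaration sits in the `on:` block outside this hunk, so the input name should be confirmed there. Separately, a job-level `permissions:` block replaces the workflow default rather than adding to it, so `codeql` runs with only `security-events: write` and `release` with only `contents: write`; it is worth confirming that the called workflows request no more than that and adding a comment such as `# job-level block: every other scope is none` above each. The trailing `# latest @ main` goes stale with the next upstream commit, so recording the date or tag the SHA was taken from would age better.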