diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 7248b19..354b77b 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,6 +6,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ./.github/workflows/test.yaml
@@ -30,8 +33,6 @@ jobs:
           cache-from: type=registry,ref=crocmagnon/blog:latest
           cache-to: type=inline
           platforms: linux/amd64
-          build-args: |
-            POETRY_OPTIONS=--no-dev
   deploy:
     name: Deploy new image
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 775de98..6997c83 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Python tests
@@ -22,8 +25,7 @@ jobs:
         run: |
           pip install pip-tools
           pip-sync requirements.txt requirements-dev.txt
-      - name: Ruff
-        run: ruff --format=github .
       - name: Test
         run: pytest --cov=. --cov-branch --cov-report term-missing:skip-covered
         working-directory: ./src/
+      - uses: pre-commit/action@v3.0.0