diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74fd4b9..6f0707b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 name: CI
-permissions:
-  contents: read
+permissions: {}
 on:
   pull_request:
@@ -9,57 +8,54 @@ on:
     branches:
       - alpha
       - beta
+      - main
       - master
       - renovate/**
 jobs:
-  prepare_jobs:
-    name: "Prepare: job optimization"
-    runs-on: ubuntu-latest
-    outputs:
-      pr_found: ${{ steps.pr.outputs.pr_found }}
-    steps:
-      - name: Get current PR
-        id: pr
-        uses: 8BitJonny/gh-get-current-pr@4056877062a1f3b624d5d4c2bedefa9cf51435c9 # 4.0.0
-        with:
-          filterOutClosed: true
-          filterOutDraft: true
+  ci-optimization:
+    name: CI optimization
+    uses: dargmuesli/github-actions/.github/workflows/ci-optimization.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
+    permissions:
+      pull-requests: read
   release_semantic_dry:
-    needs: prepare_jobs
+    needs: ci-optimization
+    if: needs.ci-optimization.outputs.continue == 'true'
     name: Release (semantic, dry)
-    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@2b47b35b82df04152c34ae042bd011dd83f28ffd # 2.8.0
-    if: needs.prepare_jobs.outputs.pr_found == 'false' || github.event_name == 'pull_request'
+    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
     permissions:
       contents: write
+      id-token: write
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
     with:
       DRY_RUN: true
   build:
     name: Build
-    uses: dargmuesli/github-actions/.github/workflows/docker.yml@2b47b35b82df04152c34ae042bd011dd83f28ffd # 2.8.0
+    uses: dargmuesli/github-actions/.github/workflows/docker.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
     needs: release_semantic_dry
     permissions:
       packages: write
     with:
       ARTIFACT_PATH: src/.output/public/
-      BUILD_ARGUMENTS: SITE_URL=https://dargstack-example.jonas-thelemann.de
+      BUILD_ARGUMENTS: |
+        SITE_URL=https://dargstack-example.jonas-thelemann.de
       TAG: ${{ needs.release_semantic_dry.outputs.new_release_version }}
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
   release_semantic:
     needs: build
     name: Release (semantic)
-    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@2b47b35b82df04152c34ae042bd011dd83f28ffd # 2.8.0
+    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
     permissions:
       contents: write
+      id-token: write
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
   deploy:
     needs: build
     name: Deploy
-    uses: dargmuesli/github-actions/.github/workflows/deploy-cloudflare-pages.yml@2b47b35b82df04152c34ae042bd011dd83f28ffd # 2.8.0
+    uses: dargmuesli/github-actions/.github/workflows/deploy-cloudflare-pages.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
     permissions:
       contents: read
       deployments: write
diff --git a/.github/workflows/release-schedule.yml b/.github/workflows/release-schedule.yml
index 633ae24..c90c6e5 100644
--- a/.github/workflows/release-schedule.yml
+++ b/.github/workflows/release-schedule.yml
@@ -1,7 +1,6 @@
 name: "Release: Scheduled"
-permissions:
-  contents: read
+permissions: {}
 on:
   schedule:
@@ -11,7 +10,7 @@ on:
 jobs:
   release-schedule:
     name: "Release: Scheduled"
-    uses: dargmuesli/github-actions/.github/workflows/release-schedule.yml@2b47b35b82df04152c34ae042bd011dd83f28ffd # 2.8.0
+    uses: dargmuesli/github-actions/.github/workflows/release-schedule.yml@714a68188444d710ffa3e9f35a05f6a9d420931d # 3.2.0
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
     with:
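Review bot: `id-token: write` is now granted to `release_semantic_dry`, a job that runs with `DRY_RUN: true` and, per the `on: pull_request` trigger, on pull requests; an OIDC token is presumably only needed by the real release (`release_semantic`, e.g. for provenance or trusted publishing), so a dry run should not be able to mint one. Unless release-semantic.yml@3.2.0 refuses to start without the permission declared, remove the added `id-token: write` line from the dry-run job and keep it only on `release_semantic`. The same dry-run job already carries `contents: write` on pull-request runs (pre-existing), which deserves the same least-privilege scrutiny; if both are genuinely required by the called workflow, say so inline: `# release-semantic.yml needs contents/id-token even for DRY_RUN — see upstream`.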
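Review bot: With the top-level `permissions: {}` this commit introduces, the `release-schedule` job declares no `permissions:` of its own, so the GITHUB_TOKEN handed to release-schedule.yml@3.2.0 now has no scopes at all (a called workflow cannot get more than the caller grants), whereas it previously inherited `contents: read`. If the called workflow authenticates everything with `PERSONAL_ACCESS_TOKEN` this is the intended least-privilege outcome; if any of its steps (a checkout or an API read) still use GITHUB_TOKEN, add an explicit job-level `permissions:` with `contents: read`, as the jobs in ci.yml in this same commit do. Either way, record the decision next to the job, e.g. `# GITHUB_TOKEN intentionally unscoped; the called workflow uses PERSONAL_ACCESS_TOKEN`. The job's `with:` block continues past the end of the hunk.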