diff --git a/.github/workflows/publish.yml b/.github/workflows/publish-docker-img.yml
similarity index 90%
rename from .github/workflows/publish.yml
rename to .github/workflows/publish-docker-img.yml
index 1df23931..ea505012 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish-docker-img.yml
@@ -1,4 +1,4 @@
-name: Publish Containers
+name: Publish Docker Image to ghcr.io
 on:
   push:
     tags:
@@ -6,7 +6,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 env:
   REGISTRY: ghcr.io
@@ -14,7 +13,10 @@ env:
 
 jobs:
   publish:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
diff --git a/.github/workflows/publish-gh-package.yml b/.github/workflows/publish-jar.yml
similarity index 95%
rename from .github/workflows/publish-gh-package.yml
rename to .github/workflows/publish-jar.yml
index b26589a1..3726fe30 100644
--- a/.github/workflows/publish-gh-package.yml
+++ b/.github/workflows/publish-jar.yml
@@ -3,6 +3,10 @@ on:
   push:
     tags:
       - 'v*'
+
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index f6dc7ce3..24ae11d0 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -46,7 +46,7 @@ jobs:
         name: jacoco-report
         path: target/site/jacoco/
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         files: target/site/jacoco/jacoco.xml