diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2c9ded57555478b911498f35c55bd90a8bd66acf
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,22 @@
+name: CI
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "master"
+  pull_request:
+  workflow_call:
+    secrets:
+      GITLEAKS_LICENSE_KEY:
+        required: true
+
+jobs:
+  ci:
+    uses: smallstep/workflows/.github/workflows/goCI.yml@main
+    with:
+      gitleaks: true
+      codeql: true
+    secrets:
+      GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c5379ffda1b3ab365df4ffbb45bbf4eaaebd1902
--- /dev/null
+++ b/.github/workflows/code-scan-cron.yml
@@ -0,0 +1,12 @@
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  gitleaks:
+    uses: smallstep/workflows/.github/workflows/gitleaks.yml@main
+    secrets:
+      GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
+
+  codeql:
+    uses: smallstep/workflows/.github/workflows/codeql-analysis.yml@main
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index d84c028ea42a70851f803017dc4d19a91bf1c8ec..0000000000000000000000000000000000000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Continuous Integration
-
-on:
-  push:
-    tags-ignore:
-    - 'v*'
-    branches:
-    - "**"
-  pull_request:
-  schedule:
-    - cron: '0 0 * * SUN'
-
-jobs:
-  ci:
-    uses: smallstep/workflows/.github/workflows/goCI.yml@main