diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bda4748..1058e38 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,9 +11,6 @@ permissions:  # added using https://github.com/step-security/secure-workflows
 
 jobs:
   test:
-    permissions:
-      checks: write  # for coverallsapp/github-action to create new checks
-      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
@@ -28,6 +25,6 @@ jobs:
       - run: yarn
       - run: yarn test --coverage
       - name: Coveralls
-        uses: coverallsapp/github-action@3284643be2c47fb6432518ecec17f1255e8a06a6
+        uses: coverallsapp/github-action@3284643be2c47fb6432518ecec17f1255e8a06a6 # master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebf778b..69d995f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.1.12 (27.12.2022)
+
+* Add Renovate as dependency update tool.
+* Keep read-only permissions in CI workflow.
+
 ## 1.1.11 (22.12.2022)
 
 * Harden GitHub Actions.
diff --git a/package.json b/package.json
index 16d72b9..5ded676 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "editorjs-drag-drop",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "keywords": [
     "drag",
     "drop",
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..986bd3d
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:semverAllMonthly"
+  ]
+}