diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ea06d7f..e024370 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,9 +1,9 @@
 name: Build
-permissions: read-all
 on:
   pull_request:
     branches:
     - main
+permissions: read-all
 jobs:
   build-binaries:
     permissions:
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
new file mode 100644
index 0000000..8247ea4
--- /dev/null
+++ b/.github/workflows/ossf-analysis.yaml
@@ -0,0 +1,30 @@
+name: OSSF scorecard
+on:
+  push:
+    branches:
+    - main
+permissions: read-all
+jobs:
+  ossf-scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed if using Code scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Run analysis
+      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Publish the results for public repositories to enable scorecard badges. For more details, see
+        # https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories, `publish_results` will automatically be set to `false`, regardless
+        # of the value entered here.
+        publish_results: true
+    - name: Upload SARIF results to code scanning
+      uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
+      with:
+        sarif_file: results.sarif
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 18fd830..0253cf0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -71,28 +71,3 @@ jobs:
         args: release --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  release-ossf-analysis:
-    name: OSSF scorecard analysis
-    needs: release-build
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed if using Code scanning alerts
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
-    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - name: Run analysis
-      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
-      with:
-        results_file: results.sarif
-        results_format: sarif
-        # Publish the results for public repositories to enable scorecard badges. For more details, see
-        # https://github.com/ossf/scorecard-action#publishing-results.
-        # For private repositories, `publish_results` will automatically be set to `false`, regardless
-        # of the value entered here.
-        publish_results: true
-    - name: Upload SARIF results to code scanning
-      uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
-      with:
-        sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 089a672..7b16ef0 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -3,6 +3,8 @@ on:
   pull_request:
     branches:
     - main
+permissions:
+  contents: read
 jobs:
   test-go:
     runs-on: ubuntu-latest