diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b4abc0b..38dcce5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,7 @@
-name: deploy
-on: workflow_dispatch
+name: Publish
+on:
+  workflow_dispatch: {}
+  workflow_call: {}
 
 jobs:
   build:
@@ -57,6 +59,5 @@ jobs:
           SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
           SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
 
-
 env:
   GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3g"
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 8d63109..aa8f4df 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -22,10 +22,12 @@ jobs:
     name: "Build (${{ matrix.label }})"
 
     permissions:
-      contents: "read"
+      actions: "read"
+      contents: "write"
       id-token: "write"
       checks: "write"
-      pull-requests: write
+      packages: "read"
+      pull-requests: "write"
 
     strategy:
       fail-fast: false
@@ -91,7 +93,13 @@ jobs:
       security-events: write
 
   publish-sandbox:
-    permissions: write-all
+    permissions:
+      actions: "read"
+      contents: "write"
+      id-token: "write"
+      checks: "write"
+      pull-requests: "write"
+      packages: "write"
     name: "Publish: Sandbox"
     needs: ["build", "codeql", "qodana"]
     uses: ./.github/workflows/step.publish.yml
diff --git a/.github/workflows/step.build.yml b/.github/workflows/step.build.yml
index 20561d5..131f47a 100644
--- a/.github/workflows/step.build.yml
+++ b/.github/workflows/step.build.yml
@@ -93,7 +93,7 @@ jobs:
           cache-read-only: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' && github.ref != 'refs/heads/beta' }}
           gradle-version: wrapper
           gradle-home-cache-cleanup: true
-          dependency-graph: generate
+          dependency-graph: generate-and-submit
           gradle-home-cache-includes: |
             caches
             notifications
diff --git a/.github/workflows/step.publish.yml b/.github/workflows/step.publish.yml
index 0fad438..af80529 100644
--- a/.github/workflows/step.publish.yml
+++ b/.github/workflows/step.publish.yml
@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: "Deploy"
 
 on:
   workflow_dispatch:
@@ -114,6 +114,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      packages: write
 
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
diff --git a/.gitignore b/.gitignore
index 2fd605c..eb56441 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ out/
 !.idea/inspectionProfiles
 
 local.properties
+.DS_Store