diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 6ee53fd..0000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: "Nix: build and cache outputs" - -on: - workflow_dispatch: - push: - paths: - - "**.nix" - - "**.lock" - - ".github/workflows/build.yml" - -jobs: - build-flake: - name: Build (x86_64-linux) - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{ github.ref_name }} - persist-credentials: false - - - name: Install Lix - uses: ./.github/actions/install-lix - - - name: Setup Attic cache - uses: ryanccn/attic-action@v0.3.2 - with: - endpoint: https://cache.thevoid.cafe - cache: puzzlevision - token: ${{ secrets.ATTIC_TOKEN }} - - - name: Build flake - run: nix build .#nixosConfigurations.puzzlevision.config.system.build.toplevel --accept-flake-config diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml new file mode 100644 index 0000000..72bbc91 --- /dev/null +++ b/.github/workflows/check-leaks.yml @@ -0,0 +1,38 @@ +name: "Trufflehog: check for exposed secrets" + +on: + pull_request: + push: + paths: + - "**.nix" + - ".github/workflows/check-leaks.yml" + +permissions: + contents: read + id-token: write + issues: write + pull-requests: write + +jobs: + deadnix: + name: Run trufflehog + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.ref_name }} + fetch-depth: 0 + + - id: trufflehog + name: TruffleHog scan + uses: trufflesecurity/trufflehog@main + continue-on-error: true + with: + path: ./ + base: "${{ github.event.repository.default_branch }}" + extra_args: --debug --only-verified + + - name: Scan Results Status + if: steps.trufflehog.outcome == 'failure' + run: exit 1 diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml index d80f744..23f0b46 100644 --- a/.github/workflows/deadnix.yml +++ b/.github/workflows/deadnix.yml 
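Review bot: `uses: trufflesecurity/trufflehog@main` in the new check-leaks.yml tracks a mutable branch, so each run executes whatever upstream pushes next inside a job that is granted `id-token: write`, `issues: write` and `pull-requests: write`; pin it to a release tag or, better, a full commit SHA, e.g. `uses: trufflesecurity/trufflehog@<pinned-commit-sha> # <release version>`. Those write permissions also look wider than the visible steps need — nothing here posts to issues or pull requests — so `contents: read` alone would likely suffice unless the action is relied on to comment. The job id `deadnix:` under a workflow named for TruffleHog reads like a copy-paste leftover; renaming it `trufflehog:` keeps job output and required-check names meaningful. Note too that the `push` trigger only fires for `**.nix` and this workflow file, so secrets committed in any other file type are caught on push only if a later pull request runs the scan.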
@@ -12,9 +12,17 @@ jobs: name: Run deadnix runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.ref_name }} + persist-credentials: false + + - name: Install lix + uses: ./.github/actions/install-lix + - uses: cachix/cachix-action@v14 with: name: deadnix + - uses: phucleeuwu/deadnix-action@v1 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 9fdb6e6..4f3e1b3 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -6,7 +6,7 @@ on: paths: - "**.nix" - "**.lock" - - ".github/workflows/**.yml" + - ".github/workflows/validate.yml" jobs: check-flake: @@ -21,10 +21,7 @@ jobs: persist-credentials: false - name: Install Nix - uses: DeterminateSystems/nix-installer-action@main - with: - extra-conf: | - experimental-features = flakes nix-command recursive-nix pipe-operator + uses: ./.github/actions/install-lix - name: Validate Flake run: nix flake check
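Review bot: `- uses: phucleeuwu/deadnix-action@v1` is pinned only to a floating major tag, as is the `cachix/cachix-action@v14` step it follows, so either tag can be re-pointed upstream with no change in this repository; pinning to a full commit SHA with the version in a trailing comment (`uses: phucleeuwu/deadnix-action@<pinned-commit-sha> # v1`) makes the linter job reproducible and auditable. The added `ref: ${{ github.ref_name }}` on the checkout step duplicates what actions/checkout already does for push events, and if this job also runs on `pull_request` (its `on:` block is outside the hunk) `github.ref_name` is `<number>/merge`, which may not resolve as a branch — dropping the `ref:` line while keeping `persist-credentials: false` is the safer form. The `deadnix` job's header and the file's trigger block begin before this hunk.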
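Review bot: Narrowing the `push` path filter to `".github/workflows/validate.yml"` means edits to `.github/actions/install-lix`, which the second validate.yml hunk makes this job depend on, no longer trigger a validation run, so a broken installer action lands unchecked until the next `.nix` or `.lock` change; add `- ".github/actions/install-lix/**"` to `paths:`. The same gap would apply to deadnix.yml if its trigger block is path-filtered, but that block is outside this diff. The `on:` mapping begins before this hunk.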
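Review bot: The removed `extra-conf` block was the only place this workflow enabled `experimental-features = flakes nix-command recursive-nix pipe-operator`, and the replacement `uses: ./.github/actions/install-lix` gives no indication here of what it configures, so `nix flake check` on the following line may fail or evaluate differently if the local action does not enable at least `flakes nix-command` (and the other two if the flake uses them) — I cannot confirm this from the diff. A short comment on the step, `# install-lix must enable flakes/nix-command; recursive-nix and pipe-operator were previously set here`, would record the dependency for the next maintainer. The `check-flake` job starts before this hunk.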