diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
index 08d6f1f..72bbc91 100644
--- a/.github/workflows/check-leaks.yml
+++ b/.github/workflows/check-leaks.yml
@@ -1,7 +1,6 @@
 name: "Trufflehog: check for exposed secrets"
 
 on:
-  workflow_dispatch:
   pull_request:
   push:
     paths:
@@ -19,8 +18,10 @@ jobs:
     name: Run trufflehog
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@main
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
+          ref: ${{ github.ref_name }}
           fetch-depth: 0
 
       - id: trufflehog
diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml
index e7a32dd..23f0b46 100644
--- a/.github/workflows/deadnix.yml
+++ b/.github/workflows/deadnix.yml
@@ -1,7 +1,6 @@
 name: "Nix: check for unused code"
 
 on:
-  workflow_dispatch:
   pull_request:
   push:
     paths:
@@ -13,9 +12,17 @@ jobs:
     name: Run deadnix
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@main
-      
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+          persist-credentials: false
+
       - name: Install lix
         uses: ./.github/actions/install-lix
 
+      - uses: cachix/cachix-action@v14
+        with:
+          name: deadnix
+
       - uses: phucleeuwu/deadnix-action@v1