diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c64a92..12621cf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,33 +1,48 @@ name: ci on: pull_request: + branches: + - master push: branches: - master schedule: - cron: '00 01 * * *' + +# The section is needed to drop write-all permissions that are granted on +# `schedule` event. By specifying any permission explicitly all others are set +# to none. By using the principle of least privilege the damage a compromised +# workflow can do (because of an injection or compromised third party tool or +# action) is restricted. Currently the worklow doesn't need any additional +# permission except for pulling the code. Adding labels to issues, commenting +# on pull-requests, etc. may need additional permissions: +# +# Syntax for this section: +# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +# +# Reference for how to assign permissions on a job-by-job basis: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +# Reference for available permissions that we can enable if needed: +# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token +permissions: + # to fetch code (actions/checkout) + contents: read + jobs: test: name: test runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: - build: - - pinned - - pinned-win - - stable - - beta - - nightly - - macos - - win-msvc - - win-gnu include: - build: pinned os: ubuntu-latest - rust: 1.34.0 + rust: 1.60.0 - build: pinned-win os: windows-latest - rust: 1.34.0 + rust: 1.60.0 - build: stable os: ubuntu-latest rust: stable 
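Review bot: The comment block above `permissions:` has a typo (`worklow`) and its last sentence ends in a colon with nothing listed after it, which reads as if a list was cut off. I would change those lines to `# action) is restricted. Currently the workflow doesn't need any additional` and `# on pull-requests, etc. may need additional permissions.`. The comment could also say that the default token scope depends on the repository or organization setting, since "write-all permissions that are granted on `schedule` event" is only true where the permissive default is still enabled. The block sits at workflow level, so it applies to every job in the file, which is worth stating in the comment for anyone who later adds a job that needs more than `contents: read`.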
@@ -48,15 +63,11 @@ jobs: rust: stable-x86_64-gnu steps: - name: Checkout repository - uses: actions/checkout@v1 - with: - fetch-depth: 1 + uses: actions/checkout@v4 - name: Install Rust - uses: actions-rs/toolchain@v1 + uses: dtolnay/rust-toolchain@master with: toolchain: ${{ matrix.rust }} - override: true - profile: minimal - run: cargo build --verbose - run: cargo doc --verbose - if: startsWith(matrix.build, 'pinned-') == false @@ -69,21 +80,15 @@ jobs: cargo test --verbose rustfmt: - name: rustfmt runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v1 - with: - fetch-depth: 1 + uses: actions/checkout@v4 - name: Install Rust - uses: actions-rs/toolchain@v1 + uses: dtolnay/rust-toolchain@master with: toolchain: stable - profile: minimal components: rustfmt - - name: Install rustfmt - run: rustup component add rustfmt - name: Check formatting run: | cargo fmt --all -- --check
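Review bot: `uses: dtolnay/rust-toolchain@master` in the `test` job's Install Rust step tracks a mutable branch of a third-party action, so whatever lands on that branch runs in CI on the next trigger, including the nightly `schedule` run. That is the compromised-action case the new `permissions:` comment describes. Pinning to a full commit SHA, for example `uses: dtolnay/rust-toolchain@<full-commit-sha>  # master as of <date>`, keeps the `toolchain:` input working and makes every update an explicit, reviewable change. The same line appears in the `rustfmt` job in the next hunk (`@@ -69,21 +80,15 @@`), and `actions/checkout@v4` in both jobs is also a movable tag that can be pinned the same way. The `test` job and its `steps:` list start and continue outside this hunk.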