diff --git a/.github/renovate.json5 b/.github/renovate.json5
index fbc1356..53ef564 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -10,9 +10,9 @@
 ":dependencyDashboard",
 ":semanticCommits",
 ":timezone(Europe/Paris)",
- "github>M0NsTeRRR/octodns-infomaniak//.github/renovate/labels.json5",
- "github>M0NsTeRRR/octodns-infomaniak//.github/renovate/semantic_commits.json5",
- "github>M0NsTeRRR/octodns-infomaniak//.github/renovate/devcontainers.json5",
+ "github>m0nsterrr/octodns-infomaniak//.github/renovate/labels.json5",
+ "github>m0nsterrr/octodns-infomaniak//.github/renovate/semantic_commits.json5",
+ "github>m0nsterrr/octodns-infomaniak//.github/renovate/devcontainers.json5",
 ],
 "lockFileMaintenance": {
 "enabled": true,
diff --git a/.github/renovate/semantic_commits.json5 b/.github/renovate/semantic_commits.json5
index f173273..6e4ddb3 100644
--- a/.github/renovate/semantic_commits.json5
+++ b/.github/renovate/semantic_commits.json5
@@ -5,24 +5,24 @@
 "matchDatasources": ["pypi"],
 "matchUpdateTypes": ["major"],
 "commitMessagePrefix": "feat(python)!: ",
- "commitMessageTopic": "",
- "commitMessageExtra": "( → )"
+ "commitMessageTopic": "{{depName}}",
+ "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
 },
 {
 "matchDatasources": ["pypi"],
 "matchUpdateTypes": ["minor"],
 "semanticCommitType": "feat",
 "semanticCommitScope": "python",
- "commitMessageTopic": "",
- "commitMessageExtra": "( → )"
+ "commitMessageTopic": "{{depName}}",
+ "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
 },
 {
 "matchDatasources": ["pypi"],
 "matchUpdateTypes": ["patch"],
 "semanticCommitType": "fix",
 "semanticCommitScope": "python",
- "commitMessageTopic": "",
- "commitMessageExtra": "( → )"
+ "commitMessageTopic": "{{depName}}",
+ "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
 },
 ]
 }
\ No newline at end of file
diff --git a/.github/workflows/automation-sync-pr.yml b/.github/workflows/automation-sync-pr.yml index c5b50ac..49158a8 100644 --- a/.github/workflows/automation-sync-pr.yml +++ b/.github/workflows/automation-sync-pr.yml @@ -6,14 +6,14 @@ on: push: branches: - automation-sync -permissions: - contents: read - pull-requests: write - checks: write +permissions: {} jobs: create-pull-request: name: Create Pull Request runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml index 187c26a..e0b2974 100644 --- a/.github/workflows/lint-pr.yml +++ b/.github/workflows/lint-pr.yml @@ -9,14 +9,15 @@ on: - edited - synchronize - reopened -permissions: - contents: read - pull-requests: read - checks: write +permissions: {} jobs: lint-pr: name: Validate PR title runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write steps: - uses: amannn/action-semantic-pull-request@v5 env: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7b4900c..e839629 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -4,18 +4,18 @@ name: python lint on: - pull_request -permissions: - contents: read - pull-requests: read - checks: write +permissions: {} jobs: lint: name: Lint runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read steps: - uses: actions/checkout@v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@v4 - name: Set up Python uses: actions/setup-python@v5 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 24c94c8..b8b31b1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
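Review bot: The new job-level block for `lint-pr` keeps `checks: write`, which lint.yml and test.yml drop in this same commit, while the only step visible in the hunk is `amannn/action-semantic-pull-request@v5`, whose documented requirement is `pull-requests: read`. Unless a step outside the hunk publishes check runs or checks out the repository, the block can shrink to `permissions:` followed by `pull-requests: read`. This matters more if the trigger above the hunk is `pull_request_target`, because there the token keeps its granted scopes for pull requests coming from forks.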
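Review bot: `uses: astral-sh/setup-uv@v4` in lint.yml follows a mutable major tag, so whatever that tag points to at run time executes inside the job; pinning to a full commit SHA with the version in a trailing comment, `uses: astral-sh/setup-uv@<full-commit-sha> # v4`, keeps each bump reviewable. The same line is added in the build-package job of release.yml and in test.yml, and Renovate's `helpers:pinGitHubActionDigests` preset can maintain the pins. Separately, `pull-requests: read` on the lint job (and on the test job in test.yml) looks unused by the steps visible here; the steps continue outside the hunk, so confirm before dropping it.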
@@ -6,13 +6,13 @@ on: push: tags: - '*' -permissions: - contents: write - id-token: write +permissions: {} jobs: changelog: name: Generate changelog runs-on: ubuntu-latest + permissions: + contents: read outputs: release_body: ${{ steps.git-cliff.outputs.content }} steps: @@ -28,9 +28,11 @@ jobs: env: OUTPUT: CHANGELOG.md GITHUB_REPO: ${{ github.repository }} - create_draft_release: + create-draft-release: name: Create release as draft runs-on: ubuntu-latest + permissions: + contents: write needs: [changelog] steps: - name: Checkout 
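Review bot: `create-draft-release` moves to kebab-case in the second hunk here, and the next hunk does the same for `build-package` and `publish-package`, but `publish_release` keeps its underscore. Renaming it to `publish-release` in the same commit would leave a single convention for job ids. Nothing in the visible hunks references that id through `needs:`, though the rest of the workflow is outside the diff.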
@@ -39,29 +41,50 @@ jobs: run: gh release create ${{ github.ref_name }} -n "${{ needs.changelog.outputs.release_body }}" --draft env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - package: - name: Package + build-package: + name: Build package runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version-file: ".python-version" - name: Install the project run: uv sync --all-extras - - name: Publish package + - name: Build package run: | sed -i -e "s/0.0.0/${GITHUB_REF#refs/*/}/" pyproject.toml uv build - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: artifacts + path: dist/ + publish-package: + name: Publish package + runs-on: ubuntu-latest + permissions: + id-token: write # needed for signing the images with GitHub OIDC Token + needs: [build-package] + steps: + - name: Downloads artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: dist/ + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 publish_release: name: Publish release runs-on: ubuntu-latest - needs: [create_draft_release, package] + permissions: + contents: write + needs: [create-draft-release, publish-package] steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9568e77..84f2927 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,14 +4,14 @@ name: python test on: - pull_request -permissions: - contents: read - pull-requests: read - checks: write +permissions: {} jobs: test: name: Test runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read strategy: matrix: python-version: 
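Review bot: The first context line of the release.yml hunk, `run: gh release create ${{ github.ref_name }} -n "${{ needs.changelog.outputs.release_body }}" --draft`, pastes the tag name and the generated changelog into the script text before bash parses it, so shell metacharacters in a commit message are interpreted inside a job that this commit grants `contents: write`. Pass both through the step's existing `env:` block (`TAG: ${{ github.ref_name }}` and `RELEASE_BODY: ${{ needs.changelog.outputs.release_body }}`) and call `gh release create "$TAG" -n "$RELEASE_BODY" --draft`. In the new `publish-package` job the comment on `id-token: write` speaks of signing images, while the only consumer visible is the PyPI publish step; `# OIDC token for PyPI trusted publishing` would match, assuming that is how the project authenticates to PyPI. That step also runs `pypa/gh-action-pypi-publish@release/v1` from a moving branch in the one job that can mint the OIDC token, so a full commit SHA pin is worth applying there first. The create-draft-release job starts in the previous hunk and publish_release continues past this one.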
@@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@v4 - name: Set up Python ${{ matrix.python-version }} run: uv python install ${{ matrix.python-version }} - name: Install the project