diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..adacf0c
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,43 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    - cron: "7 4 19 * *"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+
+  codeql:
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript]
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3469cff..0cc5b66 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,6 +1,15 @@
 name: Test
 
-on: [push, pull_request]
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+   - cron: "7 4 19 * *"
+
+permissions:
+  contents: read
 
 jobs:
 
@@ -9,12 +18,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [18.x]
+        # These version names ensure that new Node versions are automatically tested,
+        # but also ensures that the oldest supported version is changed on purpose.
+        node-version: [lts/*]
         os: [ubuntu-latest, windows-latest, macOS-latest]
         include:
-          - node-version: 14.13.0
+          - node-version: latest
+            os: ubuntu-latest
+          - node-version: lts/-1
             os: ubuntu-latest
-          - node-version: 16.x
+          - node-version: 14.13.0
             os: ubuntu-latest
 
     runs-on: ${{ matrix.os }}
@@ -22,21 +35,16 @@ jobs:
     steps:
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Set up Node ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-
-      - name: Use npm cache
-        uses: actions/cache@v2
-        with:
-          path: node_modules
-          key: ${{ runner.os }}-node${{ matrix.node-version }}-${{ hashFiles('**/package-lock.json') }}
+          cache: npm
 
       - name: Install dependencies
-        run: npm install
+        run: npm install-clean
 
       - name: Test code
         run: npm test