diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77a8621e1..7ccb45104 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,14 +12,12 @@ on:
 permissions: {}
 
 jobs:
-  ci:
-    name: CI
+  build-and-test:
+    name: Build & Test
     runs-on: ubuntu-latest
 
     permissions:
-      actions: read
       contents: read
-      security-events: write
 
     steps:
       - name: Harden runner
@@ -29,8 +27,6 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             github.com:443
-            api.github.com:443
-            uploads.github.com:443
             objects.githubusercontent.com:443
             repo.maven.apache.org:443
             jitpack.io:443
@@ -74,11 +70,6 @@ jobs:
           key: sonar
           restore-keys: sonar
 
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
-        with:
-          languages: java
-
       - name: Maven build & SonarCloud quality scan
         env:
           GITHUB_TOKEN: ${{ github.token }}
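Review bot: Renaming the job from `ci` / `CI` to `build-and-test` / `Build & Test` changes the status-check name that branch protection and merge queues key on, and the hunk does not show a matching update elsewhere. If the repository has "CI" configured as a required check, PRs will wait forever on a check that no longer runs; confirm the rule is updated in the same change, or keep `name: CI` on the job until it is. Dropping `actions: read` and `security-events: write` from this job is the right call now that CodeQL has moved out of it.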
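Review bot: Removing `api.github.com:443` and `uploads.github.com:443` from the build-and-test egress allow-list may break the remaining "Maven build & SonarCloud quality scan" step, which still receives `GITHUB_TOKEN: ${{ github.token }}` in its env (the step body continues outside the hunk). If the scanner uses that token to call the GitHub API for pull-request metadata, those calls will now be dropped under `egress-policy: block` and the step will fail or silently lose PR decoration; either keep `api.github.com:443` in this list or drop the now-unused `GITHUB_TOKEN` env entry so the intent is explicit. A first run on a PR branch would confirm which.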
@@ -93,6 +84,51 @@ jobs:
             -Dsonar.organization="${SONAR_ORGANIZATION}" \
             -Dsonar.projectKey="${SONAR_PROJECT_KEY}"
 
+  security-scan:
+    name: Security scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            uploads.github.com:443
+            repo.maven.apache.org:443
+            jitpack.io:443
+            repo.papermc.io:443
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          java-version: 17
+          distribution: temurin
+          cache: maven
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          languages: java
+
+      - name: Build
+        run: |
+          mvn package --activate-profiles fast \
+            --batch-mode --errors --strict-checksums --update-snapshots --fail-fast
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
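Review bot: The new security-scan job's `allowed-endpoints` omits `objects.githubusercontent.com:443`, which the build-and-test job keeps in its own list, yet this job runs both `github/codeql-action/init` and `actions/setup-java` with `distribution: temurin` under `egress-policy: block`. If either action fetches its bundle or JDK as a GitHub release asset (served from that host), the download will be blocked and the job will fail before CodeQL runs; add `objects.githubusercontent.com:443` after `uploads.github.com:443` unless a run proves it is not needed. The `java-version: 17` value is a plain scalar and parses as an integer; `java-version: '17'` is the safer form for a version string, consistent with the quoting used elsewhere in the file if any. The existing "Perform CodeQL Analysis" step now sits at the end of this job, so the job's `permissions` block correctly carries `security-events: write`.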