diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 214954e2..a302131d 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -2,12 +2,10 @@ name: CI
 
 permissions:
   packages: read
+  contents: read
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
 
 jobs:
   backend-ci:
@@ -15,8 +13,6 @@ jobs:
     defaults:
       run:
         working-directory: backend
-    env:
-      backend_path: ${{ github.workspace }}/backend
     steps:
     - uses: actions/checkout@v4
     - run: pipx install poetry==1.7.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c80a742..e425cb1b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ on:
 
 permissions:
   packages: write
+  contents: write
 
 jobs:
   backend-ci:
diff --git a/.github/workflows/db.yml b/.github/workflows/db.yml
index 26bf9b84..e480147b 100644
--- a/.github/workflows/db.yml
+++ b/.github/workflows/db.yml
@@ -7,11 +7,15 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-db:
     runs-on: ubuntu-latest
     # In case of production only run when it is a non-prerelease release
-    if: ${{ inputs.env != 'production' }} || ${{ github.event_name == 'release' && !github.event.release.prerelease }}
+    if: ${{ inputs.env != 'production' || (github.event_name == 'release' && !github.event.release.prerelease) }}
     defaults:
       run:
         working-directory: deploy
diff --git a/.github/workflows/kv.yml b/.github/workflows/kv.yml
index 9e835dd9..5e82a25b 100644
--- a/.github/workflows/kv.yml
+++ b/.github/workflows/kv.yml
@@ -7,11 +7,18 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-kv:
     runs-on: ubuntu-latest
     # In case of production only run when it is a non-prerelease release
-    if: ${{ inputs.env != 'production' }} || ${{ github.event_name == 'release' && !github.event.release.prerelease }}
+    if: ${{ inputs.env != 'production' || (github.event_name == 'release' && !github.event.release.prerelease) }}
+    defaults:
+      run:
+        working-directory: deploy
     steps:
       - uses: actions/checkout@v4
       - run: pipx install poetry==1.7.1
@@ -54,7 +61,7 @@ jobs:
           password: ${{ github.token }}
       # Set up buildx for later build-push-action
       - name: Set up Docker Buildx
-        uses: docker/setup-2buildx-action@v3
+        uses: docker/setup-buildx-action@v3
 
       # *************************************************
       # ************** SET CONTAINER TAGS ***************
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index faae68b0..4b07148c 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -7,11 +7,18 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-server:
     runs-on: ubuntu-latest
     # In case of production only run when it is a non-prerelease release
-    if: ${{ inputs.env != 'production' }} || ${{ github.event_name == 'release' && !github.event.release.prerelease }}
+    if: ${{ inputs.env != 'production' || (github.event_name == 'release' && !github.event.release.prerelease) }}
+    defaults:
+      run:
+        working-directory: deploy
     steps:
       - uses: actions/checkout@v4
       - run: pipx install poetry==1.7.1
@@ -32,6 +39,7 @@ jobs:
       # dotglob is enabled to also allow the '.*' files to be moved
       # Finally configuration files for building authpage is moved (TEMP until confspawn option)
       - name: Move source
+        working-directory: ${{ github.workspace }}
         run: |
           mv backend/poetry.lock deploy/context
           mv backend//pyproject.toml deploy/context
@@ -53,10 +61,10 @@ jobs:
           cache-dependency-path: deploy/context/authpage/package-lock.json
       - name: Build credentials
         if: ${{ (github.event_name == 'release' && github.event.action == 'published') || steps.cached-authpage.outputs.cache-hit != 'true' }}
+        working-directory: ${{ github.workspace }}/deploy/context/authpage
         run: |
           npm install
           npm run build-mode -- --mode ${{ inputs.env }}
-        working-directory: deploy/context/authpage
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
diff --git a/authpage/vite.config.ts b/authpage/vite.config.ts
index 852fac3b..b975a16d 100644
--- a/authpage/vite.config.ts
+++ b/authpage/vite.config.ts
@@ -24,7 +24,7 @@ export default defineConfig({
         reset: resolve(__dirname, 'reset/index.html')
       }
     },
-    outDir: '../src/apiserver/resources/static/credentials'
+    outDir: '../backend/src/apiserver/resources/static/credentials'
   },
   server: {
     port: 4244