diff --git a/.github/workflows/bootstrap.yaml b/.github/workflows/bootstrap.yaml
index a2572ac4..90670e5b 100644
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -2,12 +2,14 @@ name: bootstrap
 on:
 push:
- branches:
- - '*'
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
 jobs:
 github:
 runs-on: ubuntu-latest
+ if: ${{ github.repository_owner == 'fluxcd' }}
 steps:
 - name: Checkout
 uses: actions/checkout@v2
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 310d7dc0..b0c9ca6d 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -1,9 +1,8 @@
 name: Publish docs via GitHub Pages
+
 on:
 push:
- branches:
- - docs*
- - main
+ branches: [ 'docs*', main ]
 jobs:
 build:
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index f1f5b2b4..2b2b0aa8 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,10 +1,10 @@
 name: e2e
 on:
- pull_request:
 push:
- branches:
- - main
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
 jobs:
 kind:
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yaml
similarity index 93%
rename from .github/workflows/rebase.yml
rename to .github/workflows/rebase.yaml
index 74a9049a..623b0fbe 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yaml
@@ -2,9 +2,9 @@ name: rebase
 on:
 pull_request:
- types: [opened]
+ types: [ opened ]
 issue_comment:
- types: [created]
+ types: [ created ]
 jobs:
 rebase:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5f360131..106bb666 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,8 +2,7 @@ name: release
 on:
 push:
- tags:
- - '*'
+ tags: [ '*' ]
 jobs:
 goreleaser:
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
new file mode 100644
index 00000000..57cbeb9f
--- /dev/null
+++ b/.github/workflows/scan.yaml
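Review bot: The `if: ${{ github.repository_owner == 'fluxcd' }}` guard added to the `github` job in bootstrap.yaml does not exclude pull requests opened from forks, because on `pull_request` events `github.repository_owner` is the base repository's owner, and the new `pull_request: branches: [ main ]` trigger now runs the job for exactly those PRs. If the steps after Checkout (outside this hunk) depend on a repository secret, fork runs get no secrets and fail rather than being skipped; the condition that gates forks as well as other owners is `if: ${{ github.repository_owner == 'fluxcd' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }}`. The same owner check paired with a `pull_request` trigger appears on the `snyk` job in the new scan.yaml and has the same gap.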
@@ -0,0 +1,55 @@
+name: Scan
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '18 10 * * 3'
+
+jobs:
+ fossa:
+ name: FOSSA
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run FOSSA scan and upload build data
+ uses: fossa-contrib/fossa-action@v1
+ with:
+ # FOSSA Push-Only API Token
+ fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+ github-token: ${{ github.token }}
+
+ snyk:
+ name: Snyk
+ runs-on: ubuntu-latest
+ if: ${{ github.repository_owner == 'fluxcd' }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/golang@master
+ continue-on-error: true
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --sarif-file-output=snyk.sarif
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: snyk.sarif
+
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: go
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
deleted file mode 100644
index 63f34b94..00000000
--- a/.github/workflows/scan.yml
+++ /dev/null
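Review bot: The `fossa` job in scan.yaml keeps the hard-coded `fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de` and, unlike the `snyk` job, has no `if: ${{ github.repository_owner == 'fluxcd' }}` guard, so any fork that keeps the workflow enabled uploads its build data under that key on every push to its main branch and on the cron schedule. Even a push-only token is a credential committed to the repository; read it as `fossa-api-key: ${{ secrets.FOSSA_API_KEY }}` and give the job the same owner condition as `snyk`. `uses: snyk/actions/golang@master` pins a third-party action that receives `SNYK_TOKEN` to a mutable branch, so an upstream change to that action runs here unreviewed with the secret; pin it to a release tag or a full commit SHA, e.g. `uses: snyk/actions/golang@<commit-sha>`. `continue-on-error: true` on that step also means a Snyk run that exits before writing `snyk.sarif` only surfaces as a failure of the upload step, which deserves a comment such as `# continue-on-error: findings are reported through code scanning, not by failing this step`.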
@@ -1,44 +0,0 @@
-name: scan
-on:
- push:
- pull_request:
- branches: [main]
-
-jobs:
- analyze:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
- with:
- go-version: 1.15.x
- - name: FOSSA Analysis
- if: github.event_name == 'pull_request'
- uses: fossa-contrib/fossa-action@v1
- with:
- fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
- github-token: ${{ github.token }}
- - name: CodeQL Init
- if: github.event_name == 'pull_request'
- uses: github/codeql-action/init@v1
- with:
- languages: "go"
- - name: CodeQL Autobuild
- if: github.event_name == 'pull_request'
- uses: github/codeql-action/autobuild@v1
- - name: CodeQL Analysis
- if: github.event_name == 'pull_request'
- uses: github/codeql-action/analyze@v1
- - name: Snyk Init
- if: github.event_name == 'push'
- uses: snyk/actions/setup@master
- - name: Snyk Analysis
- if: github.event_name == 'push'
- run: snyk test --sarif-file-output=snyk.sarif
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- - name: Snyk Upload result to GitHub Code Scanning
- if: github.event_name == 'push'
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: snyk.sarif
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yaml
similarity index 100%
rename from .github/workflows/update.yml
rename to .github/workflows/update.yaml
diff --git a/docs/internal/release.md b/docs/internal/release.md
index 96ecc537..0910a181 100644
--- a/docs/internal/release.md
+++ b/docs/internal/release.md
@@ -130,7 +130,7 @@ Upgrade procedure: `fluxcd/flux2`:
-1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yml))
+1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yaml))
 1. Update the `github.com/fluxcd/pkg/*` version in `flux2/go.mod`
 1. Update the `k8s.io/*` and `github.com/fluxcd/pkg/runtime` version in `flux2/go.mod`