diff --git a/.ci/docker-ci/arch/Dockerfile b/.ci/docker-ci/arch/Dockerfile
index e14e7b318..5b7bb35b0 100644
--- a/.ci/docker-ci/arch/Dockerfile
+++ b/.ci/docker-ci/arch/Dockerfile
@@ -1,4 +1,4 @@
-FROM archlinux:base-20220529.0.58327
+FROM archlinux/archlinux:base-20221113.0.102202
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
diff --git a/.github/workflows/build-man.yml b/.github/workflows/build-man.yml
index 2f2d998aa..c77896556 100644
--- a/.github/workflows/build-man.yml
+++ b/.github/workflows/build-man.yml
@@ -12,8 +12,11 @@ on:
       - 'docs/**/*'
   workflow_dispatch:
 
-concurrency: 
-  group: ${{ github.head_ref || github.run_id }}-build-man
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
index c00c0b490..adabdc335 100644
--- a/.github/workflows/github-pages.yml
+++ b/.github/workflows/github-pages.yml
@@ -9,13 +9,18 @@ on:
       - 'docs/**/*'
       - 'utils/*/install.sh'
 
-concurrency: 
-  group: ${{ github.head_ref || github.run_id }}
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
     - uses: actions/checkout@v3
diff --git a/.github/workflows/release-ci.yml b/.github/workflows/release-ci.yml
index 32da1c7b1..7d6aa6b49 100644
--- a/.github/workflows/release-ci.yml
+++ b/.github/workflows/release-ci.yml
@@ -21,8 +21,11 @@ on:
       - 'Makefile'
       - '.github/workflows/release-ci.yml'
 
+permissions:
+  contents: read
+
 concurrency:
-  group: ${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
@@ -41,8 +44,8 @@ jobs:
             release-env: rocky
           - release-type: rpm
             release-env: alma
-          #- release-type: apk      # temp removal of alpine releases for #881
-          #  release-env: alpine    # temp removal of alpine releases for #881
+          # - release-type: apk  # see #881
+          #   release-env: alpine
 
     steps:
     - uses: actions/checkout@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4bc3ec1e6..adba0ba88 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
 
 concurrency:
-  group: ${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 
 jobs:
   release-packages:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5a9abbda9..e90968100 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,8 +11,11 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
-concurrency: 
-  group: ${{ github.head_ref || github.run_id }}-test
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
@@ -30,7 +33,7 @@ jobs:
         docker-env:
           - alma
           - alpine
-          #- arch           # disable arch testing for now, see #916
+          - arch
           - debian-gnupg1  # We need to test legacy version of gnupg
           - debian-gnupg2
           - fedora
@@ -63,10 +66,7 @@ jobs:
       with:
         usesh: true
         prepare: pkg install -y gnupg bash gmake git gawk
-        run: |
-          which -a bash
-          which -a shell
-          gmake test
+        run: gmake test
 
   windows-wsl-ci:
     runs-on: windows-latest