diff --git a/.github/actions/setup-test-env/action.yaml b/.github/actions/setup-test-env/action.yaml
new file mode 100644
index 0000000000..df2404785d
--- /dev/null
+++ b/.github/actions/setup-test-env/action.yaml
@@ -0,0 +1,17 @@
+name: Setup test env
+
+description: Create kind cluster, deploy kyverno, and wait pods are ready.
+
+inputs:
+  version:
+    description: kubernetes version
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        export KIND_IMAGE=kindest/node:${{ inputs.version }}
+        make kind-create-cluster kind-deploy-kyverno
+    - uses: ./.github/actions/kyverno-wait-ready
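Review bot: `${{ inputs.version }}` is expanded into the text of the `run:` script before bash parses it, so any shell metacharacters in the input become part of the script. The caller visible in this commit passes a matrix value, but a composite action is reusable and should not rely on every caller supplying a trusted string. Pass the value through the step environment instead, which also makes the `export` unnecessary: add `env:` with `KIND_IMAGE: kindest/node:${{ inputs.version }}` on the step and reduce `run:` to `make kind-create-cluster kind-deploy-kyverno`.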
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 0a64a71e8b..130f947ec6 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -24,12 +24,10 @@ jobs:
         uses: ./.github/actions/setup-build-env
         with:
           build-cache-key: run-conformance
-      - name: Prepare environment
-        run: |
-          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
-          make kind-create-cluster kind-deploy-kyverno
-      - name: Wait for Kyverno to start
-        uses: ./.github/actions/kyverno-wait-ready
+      - name: Setup test env
+        uses: ./.github/actions/setup-test-env
+        with:
+          version: ${{ matrix.k8s-version }}
       - name: Test with kuttl
         run: make test-kuttl
       - name: Debug failure
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index e6d38d0bb1..883895b3b2 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -1,50 +1,39 @@
 name: Scorecards supply-chain security
+
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
   schedule:
     - cron: '30 1 * * 6'
   push:
-    branches: [ "main" ]
-
-# Declare default permissions as read only.
-permissions: read-all
+    branches:
+      - main
 
 jobs:
   analysis:
-    name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
       security-events: write
-      # Used to receive a badge.
       id-token: write
-
     steps:
-      - name: "Checkout code"
+      - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
           persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # tag=v2.1.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.0.0
+      - name: Upload artifact
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # tag=v2.1.37
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
         with:
           sarif_file: results.sarif
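Review bot: Dropping the top-level `permissions: read-all` leaves this workflow without a read-only default, so a job added later without its own `permissions:` block would inherit the repository's default token scope. Keeping `permissions: read-all` at the top costs nothing, and as far as I know it is also what Scorecard's Token-Permissions check looks for. The new `Setup build env` step runs a local composite action inside the job that holds `id-token: write`. With `publish_results: true` the Scorecard action documents restrictions on which steps may share that job, so confirm the step is accepted, or drop it if the analysis needs no build environment. Separately, the `upload-artifact` pin keeps the same SHA while its comment changes from `v3.0.0` to `v3.1.1`, so one of the two labels was wrong and the SHA should be checked against the tag.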