diff --git a/.github/workflows/_unit-tests.yml b/.github/workflows/_unit-tests.yml
index 3464dc8b..7c4da2c4 100644
--- a/.github/workflows/_unit-tests.yml
+++ b/.github/workflows/_unit-tests.yml
@@ -1,5 +1,6 @@
 name: Unit Tests
-permissions: write-all
+permissions:
+  contents: write
 on:
   workflow_call:
 jobs:
@@ -15,7 +16,7 @@ jobs:
 
       - name: Run tests
         run: npm run test:coverage
-      
+
       - name: Send coverage to Coveralls
         uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 #v2.3.4
         with:
diff --git a/.github/workflows/on-main.yml b/.github/workflows/on-main.yml
new file mode 100644
index 00000000..f8de89f3
--- /dev/null
+++ b/.github/workflows/on-main.yml
@@ -0,0 +1,21 @@
+name: On Merge to main
+on:
+  push:
+    branches:
+      - main
+permissions:
+    contents: read   
+jobs:
+  security:
+    name: Security Checks
+    uses: ./.github/workflows/_security-checks.yml
+
+  static-checks:
+    name: Static Checks
+    uses: ./.github/workflows/_static-checks.yml
+    secrets: inherit
+
+  unit-tests:
+    name: Unit Tests
+    uses: ./.github/workflows/_unit-tests.yml
+    secrets: inherit