diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 496d2580..be1cfbb2 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -14,12 +14,16 @@ on: # Build any PRs and main branch changes - '.github/workflows/coverage-upload.yml' - '.github/workflows/reusable-CI-workflow.yml' - '.github/workflows/reusable-coverage-upload-workflow.yml' + - '.github/workflows/reusable-nightly-tests-workflow.yml' - '.github/workflows/auto-merge-dependabot.yml' push: branches: [ master ] schedule: - cron: '0 0 1 * *' # Every month +permissions: + contents: read + concurrency: group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}" cancel-in-progress: true diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml index bed36d80..d9726abf 100644 --- a/.github/workflows/auto-merge-dependabot.yml +++ b/.github/workflows/auto-merge-dependabot.yml @@ -7,8 +7,11 @@ permissions: jobs: dependabot: - runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'yoanm/php-jsonrpc-server-sdk' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Dependabot metadata id: metadata diff --git a/.github/workflows/coverage-upload.yml b/.github/workflows/coverage-upload.yml index 02bda588..7953f5df 100644 --- a/.github/workflows/coverage-upload.yml +++ b/.github/workflows/coverage-upload.yml @@ -4,6 +4,10 @@ on: workflows: ["CI"] types: [completed] +permissions: + contents: read + checks: write # For the check run creation ! + jobs: upload: name: Coverage diff --git a/.github/workflows/nightly-tests.yml b/.github/workflows/nightly-tests.yml new file mode 100644 index 00000000..3018c9ee --- /dev/null +++ b/.github/workflows/nightly-tests.yml 
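Review bot: In the auto-merge-dependabot.yml hunk the job-level `contents: write` and `pull-requests: write` are gated only by `github.event.pull_request.user.login == 'dependabot[bot]'`; the author login cannot be spoofed, but it also says nothing about commits pushed later onto the Dependabot branch by someone else, and the `on:` block and the remaining steps are outside the hunk, so whether the PR head is ever checked out with this token cannot be seen here. If the trigger is `pull_request_target`, keep this job free of any `actions/checkout` of the PR head and of `make`/`composer` execution, and consider tightening the guard with `&& github.event.pull_request.head.repo.full_name == github.repository`. A one-line comment above the job `permissions:` block would document why write scopes are needed at all, e.g. `# write scopes: presumably only for approving / enabling auto-merge on the Dependabot PR (no PR code is executed here)`.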
@@ -0,0 +1,17 @@ +name: 'Nightly' +on: + workflow_run: + workflows: ["CI"] + types: [completed] + +permissions: + contents: read + checks: write # For the check run creation ! + +jobs: + tests: + name: Tests + permissions: + contents: read + checks: write # For the check run creation ! + uses: ./.github/workflows/reusable-nightly-tests-workflow.yml diff --git a/.github/workflows/pre-check-CI-updates.yml b/.github/workflows/pre-check-CI-updates.yml index 8ec496d6..d4b2dc57 100644 --- a/.github/workflows/pre-check-CI-updates.yml +++ b/.github/workflows/pre-check-CI-updates.yml @@ -16,8 +16,13 @@ on: - '.github/workflows/coverage-upload.yml' - '.github/workflows/reusable-CI-workflow.yml' - '.github/workflows/reusable-coverage-upload-workflow.yml' + - '.github/workflows/reusable-nightly-tests-workflow.yml' - '.github/workflows/auto-merge-dependabot.yml' +permissions: + contents: read + checks: write # For the check run creation ! + concurrency: group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}" cancel-in-progress: true @@ -29,6 +34,14 @@ jobs: contents: read uses: ./.github/workflows/reusable-CI-workflow.yml + nightly: + name: Nightly + needs: [tests] + permissions: + contents: read + checks: write # For the check run creation ! + uses: ./.github/workflows/reusable-nightly-tests-workflow.yml + upload: name: Coverage needs: [tests] diff --git a/.github/workflows/reusable-CI-workflow.yml b/.github/workflows/reusable-CI-workflow.yml index 096e7935..92a6ad31 100644 --- a/.github/workflows/reusable-CI-workflow.yml +++ b/.github/workflows/reusable-CI-workflow.yml @@ -7,10 +7,15 @@ env: COMPOSER_PREFER_STABLE: '1' TEST_OUTPUT_STYLE: pretty +permissions: + contents: read + jobs: fetch-supported-versions: name: Fetch supported versions runs-on: ubuntu-latest + permissions: + contents: read outputs: php-min: ${{ steps.fetch-php-versions.outputs.min }} php-max: ${{ steps.fetch-php-versions.outputs.max }} 
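Review bot: The `workflow_run` trigger in nightly-tests.yml makes this job run in the default-branch context with a `checks: write` token after every completed CI run, including runs for pull requests from forks, and no `ref` input is passed, so the reusable workflow's default (derived from `github.event.workflow_run`) decides which commit is checked out and built there; that is where untrusted PR code presumably ends up being executed with this token, so the caller should at least state the trust assumption. The name `'Nightly'` is also misleading: there is no `schedule:` here, the only trigger is CI completion, so either add a cron or document it, e.g. `# Not scheduled: runs after every completed CI run so the "next PHP" check can be attached to the triggering workflow`.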
@@ -20,13 +25,15 @@ jobs: id: fetch-php-versions uses: yoanm/gha-supported-versions-parser@feature/init with: - dependency: php path: .github/workflows/supported-versions.json + dependency: php tests: name: ${{ matrix.job-name }} needs: [fetch-supported-versions] runs-on: ubuntu-latest + permissions: + contents: read env: COVERAGE_TYPE: none COVERAGE_OUTPUT_STYLE: clover @@ -116,6 +123,8 @@ jobs: name: Static analysis needs: [fetch-supported-versions] runs-on: ubuntu-latest + permissions: + contents: read env: PHP_VERSION: ${{ needs.fetch-supported-versions.outputs.php-max }} steps: 
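Review bot: `uses: yoanm/gha-supported-versions-parser@feature/init` pins a third-party action to a mutable branch ref, so whoever can push to that branch can change the code this step runs, and its outputs (`php-min`, `php-max`) drive the rest of the workflow; the commit reorders the `with:` keys around this line but leaves the reference as is. Pin it to a full-length commit SHA with a version comment, `uses: yoanm/gha-supported-versions-parser@<40-char-sha> # feature/init`, and let Dependabot bump it. The `tests` job body continues outside the hunk.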
@@ -153,44 +162,3 @@ jobs: - name: Dependencies check if: ${{ github.event_name == 'pull_request' }} uses: actions/dependency-review-action@v4 - - nightly-tests: - name: Nightly - needs: [ fetch-supported-versions, tests ] - runs-on: ubuntu-latest - continue-on-error: true - env: - PHP_VERSION: ${{ needs.fetch-supported-versions.outputs.php-next }} - COMPOSER_IGNORE_PLATFORM_REQ: 'php+' - steps: - - name: Check out code - uses: actions/checkout@v5 - - - name: Setup PHP ${{ env.PHP_VERSION }} - id: setup-php - uses: shivammathur/setup-php@v2 - env: - update: true # whether to use latest available patch for the version or not - fail-fast: true # step will fail if an extension or tool fails to set up - with: - php-version: ${{ env.PHP_VERSION }} - tools: composer - coverage: none - - - name: Get composer cache directory - id: composer-cache - run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - - - name: Setup cache for PHP ${{ steps.setup-php.outputs.php-version }} - uses: actions/cache@v4 - with: - path: | - ${{ steps.composer-cache.outputs.dir }} - # Clear the cache if composer.json (as composer.lock is not available) has been updated - key: tests-php${{ steps.setup-php.outputs.php-version }}-${{ hashFiles('composer.json') }} - - - name: Build with PHP ${{ steps.setup-php.outputs.php-version }} - run: make build - - - name: Test - run: make test-unit && make test-functional diff --git a/.github/workflows/reusable-coverage-upload-workflow.yml b/.github/workflows/reusable-coverage-upload-workflow.yml index 0f25cc64..a28b1600 100644 --- a/.github/workflows/reusable-coverage-upload-workflow.yml +++ b/.github/workflows/reusable-coverage-upload-workflow.yml @@ -8,6 +8,10 @@ on: CODECOV_TOKEN: required: true +permissions: + contents: read + checks: write # For the check run creation ! + jobs: fetch-info: name: Fetch triggering workflow metadata 
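Review bot: In the reusable-coverage-upload-workflow.yml hunk the new `permissions:` block sits next to a required `CODECOV_TOKEN` secret, and this workflow is reached through coverage-upload.yml's `workflow_run` trigger (earlier in this diff), which runs in the default-branch context for every completed CI run, including those of fork pull requests; the jobs that would use the secret are outside this hunk. Confirm that none of those jobs checks out or executes code from the triggering run's head while `CODECOV_TOKEN` is in the environment, since a called workflow can only narrow, never widen, what the caller grants and this block therefore does not protect the secret by itself. A short comment above it would help the next reader: `# Called from a workflow_run trigger: runs with default-branch privileges and CODECOV_TOKEN, so keep the jobs free of code from the triggering run`.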
diff --git a/.github/workflows/reusable-nightly-tests-workflow.yml b/.github/workflows/reusable-nightly-tests-workflow.yml
new file mode 100644
index 00000000..2917c192
--- /dev/null
+++ b/.github/workflows/reusable-nightly-tests-workflow.yml
@@ -0,0 +1,77 @@
+name: 'Nightly reusable workflow'
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ description: Reference in order to fetch code
+ type: string
+ required: false
+ default: "${{ github.event.workflow_run && github.event.workflow_run.referenced_workflows[0] && github.event.workflow_run.referenced_workflows[0].ref || github.ref }}"
+
+env:
+ COMPOSER_PREFER_STABLE: '1'
+ TEST_OUTPUT_STYLE: pretty
+
+permissions:
+ contents: read
+ checks: write # For the check run creation !
+
+jobs:
+ tests:
+ name: PHP
+ permissions:
+ contents: read
+ checks: write # For the check run creation !
+ runs-on: ubuntu-latest
+ continue-on-error: true
+ env:
+ COMPOSER_IGNORE_PLATFORM_REQ: 'php+'
+ steps:
+ - name: 'Check run ○'
+ uses: yoanm/temp-reports-group-workspace/utils/attach-check-run-to-triggering-workflow@v0
+ with:
+ name: 'Nightly / PHP'
+ fails-on-triggering-workflow-failure: true
+
+ - name: Fetch PHP supported versions
+ id: fetch-php-versions
+ uses: yoanm/gha-supported-versions-parser@feature/init
+ with:
+ dependency: php
+ path: .github/workflows/supported-versions.json
+ ref: "${{ inputs.ref }}"
+
+ - name: Check out code
+ uses: actions/checkout@v5
+ with:
+ ref: "${{ inputs.ref }}"
+
+ - name: Setup PHP ${{ steps.fetch-php-versions.outputs.next }}
+ id: setup-php
+ uses: shivammathur/setup-php@v2
+ env:
+ update: true # whether to use latest available patch for the version or not
+ fail-fast: true # step will fail if an extension or tool fails to set up
+ with:
+ php-version: ${{ steps.fetch-php-versions.outputs.next }}
+ tools: composer
+ coverage: none
+
+ - name: Get composer cache directory
+ id: composer-cache
+ run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+ - name: Setup cache for PHP ${{ steps.setup-php.outputs.php-version }}
+ uses: actions/cache@v4
+ with:
+ path: |
+ ${{ steps.composer-cache.outputs.dir }}
+ # Clear the cache if composer.json (as composer.lock is not available) has been updated
+ key: tests-php${{ 
steps.setup-php.outputs.php-version }}-${{ hashFiles('composer.json') }}
+
+ - name: Build with PHP ${{ steps.setup-php.outputs.php-version }}
+ run: make build
+
+ - name: Test
+ run: make test-unit && make test-functional
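Review bot: The job checks out `inputs.ref`, whose default is derived from the triggering `github.event.workflow_run`, and then runs `make build`, `make test-unit` and `make test-functional` from that checkout while holding a `checks: write` token in the default-branch context; when the triggering CI run belonged to a fork pull request that ref presumably points at untrusted code, so PR-controlled Makefile and composer scripts run with write access to check runs and, through `actions/cache@v4`, with write access to the default-branch cache scope that every other branch restores from (a poisoned `tests-php*` entry would be picked up by the regular CI jobs). Limit this job to reading the cache, `uses: actions/cache/restore@v4` in place of `uses: actions/cache@v4`, and pin both third-party actions (`...attach-check-run-to-triggering-workflow@v0` and `...gha-supported-versions-parser@feature/init`) to full-length commit SHAs, since a mutable tag or branch lets whoever pushes to it change what runs here. The `default:` expression on the `ref` input also deserves a comment saying which commit it resolves to for `workflow_run` callers versus direct callers, e.g. `# workflow_run: ref of the triggering run's referenced workflow; otherwise the caller's own ref` (confirm the former against the event payload).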