diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 2dd7c5d..2409f28 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -15,3 +15,6 @@ jobs:
 build:
 needs: [tests-prettier]
 uses: ./.github/workflows/reusable-build.yml
+ permissions:
+ contents: read
+ id-token: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4564420..13499b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,8 +5,8 @@ on:
 - "v[0-9]+.[0-9]+.[0-9]+(-[a-zA-Z0-9]+)?"
 env:
- gcp-project-id: 118585658141
- service-account: gh-ci-optable-web-sdk
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service-account: ${{ secrets.SERVICE_ACCOUNT }}
 jobs:
 tests-prettier:
@@ -15,6 +15,9 @@ jobs:
 build:
 needs: [tests-prettier]
 uses: ./.github/workflows/reusable-build.yml
+ permissions:
+ contents: read
+ id-token: write
 deploy-sdk-to-npm:
 needs: [build]
@@ -93,8 +96,8 @@ jobs:
 - uses: "google-github-actions/auth@v2"
 with:
- workload_identity_provider: "projects/${{ env.gcp-project-id }}/locations/global/workloadIdentityPools/optable-ci/providers/github-pool-provider"
- service_account: "${{ env.service-account }}@optable-platform-ci.iam.gserviceaccount.com"
+ workload_identity_provider: ${{ env.workload_identity_provider }}
+ service_account: ${{ env.service-account }}
 - name: Upload SDK to GCS bucket, upload new version
 uses: "google-github-actions/upload-cloud-storage@v2"
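Review bot: The build job in pull-request.yml now requests `id-token: write`, but nothing in this diff shows reusable-build.yml exchanging an OIDC token, so every pull-request build receives a token that can be presented to the workload identity provider without a visible consumer. If the reusable workflow does federate to GCP in a job not shown here, grant `id-token: write` on that job via `jobs.<id>.permissions` rather than on the whole calling job, and confirm the provider's attribute condition restricts `assertion.ref` and `assertion.event_name` so a token minted by a PR run cannot assume the release service account; pull requests from forks do not get this permission, but same-repository branches would. The identical block is added to the build job in release.yml (@@ -15), where the tag-only trigger narrows the exposure but the question of which step needs it still stands. Once confirmed, record the reason above the block with a comment such as `# id-token: write: reusable-build.yml exchanges an OIDC token with GCP workload identity federation`.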
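Review bot: The two `env` keys added here mix naming styles, `workload_identity_provider` next to `service-account`, while the removed block was consistently kebab-case and the same key is read as `env.service-account` in both auth steps (@@ -93 and @@ -139); pick one convention, e.g. `workload-identity-provider`, and update the two reads to match. The removed lines also documented the expected shape of these values (a full provider resource name built from the project number and pool, and a service-account e-mail under `optable-platform-ci.iam.gserviceaccount.com`); now that they live in repository settings, a reader can no longer verify which project is trusted, so add a comment above the block such as `# WORKLOAD_IDENTITY_PROVIDER: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>` and `# SERVICE_ACCOUNT: full service-account e-mail used by the deploy jobs`. A service-account e-mail is arguably not confidential, so keeping it in `secrets` mainly masks it in logs and hides it from audit; a repository variable alongside `WORKLOAD_IDENTITY_PROVIDER` would be easier to review, though `auth@v2` accepts either. Note that an unset variable or secret expands to an empty string, so a misconfiguration surfaces only when the auth step runs during a release.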
@@ -139,8 +142,8 @@ jobs:
 - uses: "google-github-actions/auth@v2"
 id: auth
 with:
- workload_identity_provider: "projects/${{ env.gcp-project-id }}/locations/global/workloadIdentityPools/optable-ci/providers/github-pool-provider"
- service_account: "${{ env.service-account }}@optable-platform-ci.iam.gserviceaccount.com"
+ workload_identity_provider: ${{ env.workload_identity_provider }}
+ service_account: ${{ env.service-account }}
 - name: Build web-sdk-demos Docker Image
 run: |
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 7caf65a..a237ee7 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -1,6 +1,10 @@
 name: Building SDK and demos
 on: workflow_call
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 build-web:
 runs-on: ubuntu-22.04
@@ -61,13 +65,13 @@ jobs:
 SDK_URI: https://cdn.optable.co/web-sdk/${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || 'latest' }}/sdk.js
 ADS_HOST: ads.optable.co
 ADS_REGION: ca
- ADS_SITE: 4fe7c1ce-7c7d-4718-a0b8-5195e489319f
+ ADS_SITE: ${{ vars.ADS_SITE }}
 DCN_HOST: sandbox.optable.co
 DCN_SITE: web-sdk-demo
 DCN_ID: optable
 DCN_INSECURE: "false"
 DCN_INIT: "true"
- UID2_BASE_URL: https://operator-integ.uidapi.com
+ UID2_BASE_URL: ${{ vars.UID2_BASE_URL }}
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
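Review bot: A workflow-level `permissions` block in a `workflow_call` workflow can, as far as I recall, only narrow the GITHUB_TOKEN the caller passes in, never raise it, so this block acts as a ceiling and the `id-token: write` the callers now add in pull-request.yml and release.yml is what actually grants the permission. Neither hunk of this file shows a step that consumes the token (only checkout and build env are visible), so if an auth step exists in a later job, the grant belongs on that job via `jobs.<id>.permissions` and the workflow-level block should shrink to `contents: read`; if nothing consumes it, drop `id-token: write` here and in both callers. Either way, state the consumer in a comment, e.g. `# id-token: write is required by the google-github-actions/auth step in <job>`.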
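Review bot: `ADS_SITE` and `UID2_BASE_URL` now come from repository variables, and an unset variable expands to an empty string, so a build where either is missing would bake an empty site id or base URL into the demos and still report success. A guard step before the build, e.g. `run: test -n "$ADS_SITE" && test -n "$UID2_BASE_URL"`, turns that into an immediate, readable failure; this assumes the env block is job-level and exported to the shell, which the hunk does not show. For consistency with `DCN_INSECURE: "false"` and `DCN_INIT: "true"` in the same block, the new expressions could also be quoted, `ADS_SITE: "${{ vars.ADS_SITE }}"`, which additionally keeps the value a string if the variable ever looks like a number or boolean. The enclosing job starts above the hunk.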