diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 0000000..c680373
--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,18 @@
+name: Node.js CI
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+      - run: npm ci
+      - run: npm run build --if-present
+      - run: npm test
diff --git a/routes/api/courses.js b/routes/api/courses.js
index 9edd857..ffb9cb5 100644
--- a/routes/api/courses.js
+++ b/routes/api/courses.js
@@ -73,12 +73,15 @@ export default async function (fastify) {
       schema: schema['/courses/{id}'].PATCH.args.properties,
     },
     async (request) => {
-      // fastify.assert.equal(a, b, 403)
-      const course = await db.update(schemas.courses)
+      const course = await db.query.courses.findFirst({
+        where: eq(schemas.courses.id, request.params.id),
+      })
+      fastify.assert(course, 404)
+
+      fastify.assert.equal(request.user.id, course?.creatorId, 403)
+      await db.update(schemas.courses)
         .set(request.body)
         .where(eq(schemas.courses.id, request.params.id))
-        .returning()
-      fastify.assert(course, 404)
 
       return { id: request.params.id }
     },
diff --git a/test/helper.js b/test/helper.js
index 10608b6..63613cd 100644
--- a/test/helper.js
+++ b/test/helper.js
@@ -5,6 +5,8 @@ import assert from 'assert'
 import helper from 'fastify-cli/helper.js'
 import path from 'path'
 import { fileURLToPath } from 'url'
+import * as schemas from '../db/schema.js'
+import { eq } from 'drizzle-orm'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
@@ -49,10 +51,12 @@ async function build(t) {
 }
 
 /**
-  * @param {import('fastify').FastifyInstance} app
-  */
-async function getAuthHeader(app) {
-  const client = await app.db.query.users.findFirst()
+ * @param {import('fastify').FastifyInstance} app
+ * @param {number | null} userId
+ */
+async function getAuthHeader(app, userId = null) {
+  const from = app.db.select().from(schemas.users)
+  const [client] = userId ? await from.where(eq(schemas.users.id, userId)) : await from.limit(1)
   assert.ok(client)
   const token = app.jwt.sign({ id: client.id })
   return {
diff --git a/test/routes/api/courses.test.js b/test/routes/api/courses.test.js
index f14edc5..fa3263b 100644
--- a/test/routes/api/courses.test.js
+++ b/test/routes/api/courses.test.js
@@ -47,7 +47,7 @@ test('patch courses/:id', async (t) => {
   const course = await app.db.query.courses.findFirst()
   assert.ok(course)
 
-  const authHeader = await getAuthHeader(app)
+  const authHeader = await getAuthHeader(app, course.creatorId)
   const res = await app.inject({
     method: 'patch',
     url: `/api/courses/${course.id}`,