diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
new file mode 100644
index 00000000..e64ea34a
--- /dev/null
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,15 @@
+name: 'Setup Node.js with cached dependencies'
+description: 'Sets up Node.js and restores node_modules from the artifact uploaded by the setup job.'
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+    - uses: actions/download-artifact@v4
+      with:
+        name: node-modules
+        path: .
+    - run: tar -xzf node-modules.tar.gz && rm node-modules.tar.gz
+      shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66260529..5ed900d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,10 +4,16 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
-  lint:
-    name: Lint
+  setup:
+    name: Install Dependencies
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -15,41 +21,58 @@ jobs:
           node-version: '20'
           cache: 'npm'
       - run: npm ci
+      - run: tar -czf node-modules.tar.gz node_modules
+      - uses: actions/upload-artifact@v4
+        with:
+          name: node-modules
+          path: node-modules.tar.gz
+          retention-days: 1
+
+  lint:
+    name: Lint
+    needs: setup
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup
       - run: npm run lint
 
   format-check:
     name: Format Check
+    needs: setup
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-      - run: npm ci
+      - uses: ./.github/actions/setup
       - run: npm run format:check
 
   build:
     name: Build
+    needs: setup
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-      - run: npm ci
+      - uses: ./.github/actions/setup
       - run: npm run build
 
   test:
     name: Test & Coverage
+    needs: setup
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-      - run: npm ci
+      - uses: ./.github/actions/setup
       - name: Enforce 80% coverage
         run: npm run test:coverage