diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ac93556..714fea0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,41 +1,46 @@ -image: node:lts-buster - stages: - test - package + - security - upload -cache: - key: ${CI_COMMIT_REF_SLUG} - paths: - - node_modules/ - -default: +.cljs-job: &cljs + image: node:lts-buster + cache: + key: ${CI_COMMIT_REF_SLUG} + paths: + - node_modules/ before_script: - apt update && apt -qqy install openjdk-11-jre-headless - npm install - npm install -g --save-dev shadow-cljs +.js-job: &js-upload + image: node:lts-buster + cache: + key: ${CI_COMMIT_REF_SLUG} + paths: + - node_modules/ + before_script: + - echo _auth=$NPM_PUBLSH_KEY >> .npmrc + - echo email=$NPM_PUBLSH_MAIL >> .npmrc + - echo always-auth=true >> .npmrc + - mkdir -p target/npm-build/mastodon_bot + - cp target/mastodon-bot.js target/npm-build/mastodon_bot/ + - cp target/mastodon-bot.js.sha256 target/npm-build/mastodon_bot/ + - cp target/mastodon-bot.js.sha512 target/npm-build/mastodon_bot/ + - cp package.json target/npm-build/mastodon_bot/ + - cp README.md target/npm-build/mastodon_bot/ + build: + <<: *cljs stage: test script: - shadow-cljs compile test -sast: - variables: - SAST_EXCLUDED_ANALYZERS: - bandit, brakeman, flawfinder, gosec, kubesec, phpcs-security-audit, - pmd-apex, security-code-scan, sobelow, spotbugs - stage: test - before_script: - - echo "scan security" -include: - - template: Security/SAST.gitlab-ci.yml - package: + <<: *cljs stage: package - rules: - - if: '$CI_COMMIT_BRANCH == "master"' artifacts: paths: - target/ 
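Review bot: The new `.js-job` template appends `$NPM_PUBLSH_KEY` to `.npmrc` in the checkout root through an unquoted expansion, and it also restores the shared `node_modules/` cache into the jobs that hold the publish credential. Quoting avoids word splitting and globbing on the secret, `- echo "_auth=${NPM_PUBLSH_KEY}" >> .npmrc`, and the `cache:` block can probably be dropped from `.js-job`, since the upload steps visible in this diff only copy files out of `target/` and call `npm version`/`npm publish`. Whether the two `NPM_PUBLSH_*` variables are masked and protected is not visible here and is worth confirming, because the template carries no branch restriction of its own and relies on each job's `rules`. A one-line comment above `.js-job` saying that it expects the `target/` artifacts from `package` would document the dependency the `cp` lines create.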
@@ -45,38 +50,31 @@ package: - sha256sum target/mastodon-bot.js > target/mastodon-bot.js.sha256 - sha512sum target/mastodon-bot.js > target/mastodon-bot.js.sha512 +sast: + variables: + SAST_EXCLUDED_ANALYZERS: + bandit, brakeman, flawfinder, gosec, kubesec, phpcs-security-audit, + pmd-apex, security-code-scan, sobelow, spotbugs + stage: security + before_script: + - mkdir -p builds && cp -r target/ builds/ +include: + - template: Security/SAST.gitlab-ci.yml + upload-prerelease: + <<: *js-upload stage: upload rules: - if: '$CI_COMMIT_BRANCH == "master" && $CI_COMMIT_TAG == null' - before_script: - - echo _auth=$NPM_PUBLSH_KEY >> .npmrc - - echo email=$NPM_PUBLSH_MAIL >> .npmrc - - echo always-auth=true >> .npmrc script: - - mkdir -p target/npm-build/mastodon_bot - - cp target/mastodon-bot.js target/npm-build/mastodon_bot/ - - cp target/mastodon-bot.js.sha256 target/npm-build/mastodon_bot/ - - cp target/mastodon-bot.js.sha512 target/npm-build/mastodon_bot/ - - cp package.json target/npm-build/mastodon_bot/ - - cp README.md target/npm-build/mastodon_bot/ - npm version --no-git-tag-version prerelease - npm publish ./target/npm-build/mastodon_bot --access public upload-release: + <<: *js-upload stage: upload rules: - if: '$CI_COMMIT_BRANCH == "master" && $CI_COMMIT_TAG != null' - before_script: - - echo _auth=$NPM_PUBLSH_KEY >> .npmrc - - echo email=$NPM_PUBLSH_MAIL >> .npmrc - - echo always-auth=true >> .npmrc script: - - mkdir -p target/npm-build/mastodon_bot - - cp target/mastodon-bot.js target/npm-build/mastodon_bot/ - - cp target/mastodon-bot.js.sha256 target/npm-build/mastodon_bot/ - - cp target/mastodon-bot.js.sha512 target/npm-build/mastodon_bot/ - - cp package.json target/npm-build/mastodon_bot/ - - cp README.md target/npm-build/mastodon_bot/ - npm version --no-git-tag-version $CI_COMMIT_TAG - npm publish ./target/npm-build/mastodon_bot --access public
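Review bot: Placing `sast` in the new `security` stage ahead of `upload` reads like a release gate, but nothing in this hunk makes a failed scan or a scan with findings stop `upload-prerelease` or `upload-release`. The analyzer jobs that the included `Security/SAST.gitlab-ci.yml` template derives from `sast` are, as far as I recall, marked `allow_failure: true`. The new `before_script` also assumes `target/` arrives as an artifact from `package`, so a missing artifact would fail the copy and be tolerated in the same way. If the stage is meant to be report-only, say so above the job, e.g. `# report-only: SAST analyzers are allow_failure, publishing is not blocked by this stage`; if it is meant to gate publishing, that has to be configured explicitly rather than implied by stage order. A short comment on why the compiled output is copied to `builds/` before scanning would also help the next reader.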