diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 722ce45..3d936e2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,9 +1,8 @@ name: Dotfiles publisher -on: [push] -# on: -# push: -# branches: -# - master +on: + push: + branches: + - master jobs: publish-installer: diff --git a/README.md b/README.md index 9214ef6..b34c462 100644 --- a/README.md +++ b/README.md @@ -4,10 +4,14 @@ Collection of my dotfiles and supporting install scripts ## Install +[![Dotfiles publisher](https://github.com/andrejusk/dotfiles/actions/workflows/publish.yml/badge.svg?branch=master)](https://github.com/andrejusk/dotfiles/actions/workflows/publish.yml) + wget https://dots.andrejus.dev/setup.sh -qO - | bash ## Stack +[![Dotfiles CI](https://github.com/andrejusk/dotfiles/actions/workflows/ci.yml/badge.svg)](https://github.com/andrejusk/dotfiles/actions/workflows/ci.yml) + Tested and maintained against Debian buster ### Shells diff --git a/terraform/module/main.tf b/terraform/module/main.tf index 5a8cfee..4c81429 100644 --- a/terraform/module/main.tf +++ b/terraform/module/main.tf @@ -3,12 +3,17 @@ locals { } # ================================================================= -# Public bucket for static content +# Public bucket for static content with uploader service account # ================================================================= resource "google_project_service" "storage" { service = "storage.googleapis.com" } +resource "google_service_account" "uploader_sa" { + account_id = "${var.prefix}-uploader-sa" + display_name = "Uploader Service Account" +} + resource "google_storage_bucket" "bucket" { name = var.domain depends_on = [google_project_service.storage] 
@@ -20,10 +25,13 @@ resource "google_storage_bucket" "bucket" { } } -resource "google_storage_default_object_access_control" "bucket_public" { +resource "google_storage_bucket_acl" "bucket_acl" { bucket = google_storage_bucket.bucket.name - role = "READER" - entity = "allUsers" + + role_entity = [ + "READER:allUsers", + "OWNER:user-${google_service_account.uploader_sa.email}", + ] } resource "google_storage_bucket_object" "index" { @@ -32,17 +40,6 @@ resource "google_storage_bucket_object" "index" { bucket = google_storage_bucket.bucket.name } -resource "google_service_account" "uploader_sa" { - account_id = "${var.prefix}-uploader-sa" - display_name = "Uploader Service Account" -} - -resource "google_storage_default_object_access_control" "upload" { - bucket = google_storage_bucket.bucket.name - role = "OWNER" - entity = "user-${google_service_account.uploader_sa.email}" -} - # ================================================================= # Expose bucket via HTTPS using Cloud CDN #
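Review bot: The new `google_storage_bucket_acl.bucket_acl` sets the ACL on the bucket itself, whereas the two `google_storage_default_object_access_control` resources removed in this commit set the ACL that newly uploaded objects inherit, so the swap is probably not equivalent. At bucket level `READER:allUsers` lets anyone list the bucket's contents, while objects uploaded after this change may no longer be publicly readable unless the bucket block (which starts outside this hunk) sets a default object ACL. `OWNER` for the uploader also permits rewriting the bucket's ACLs, which is more than a publish job needs; `"WRITER:user-${google_service_account.uploader_sa.email}"` would cover creating and overwriting objects. If ACLs are not a hard requirement, bucket IAM is the easier model to audit, e.g. `google_storage_bucket_iam_member` with `roles/storage.objectViewer` for `allUsers` and `roles/storage.objectAdmin` for the service account.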