diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
new file mode 100644
index 0000000..7c8ba29
--- /dev/null
+++ b/.github/workflows/pull_request.yaml
@@ -0,0 +1,34 @@
+name: CI & Plan
+
+on:
+ pull_request:
+
+jobs:
+ build:
+ # The permissions are necessary for the google-github-actions/auth@v2 action
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: [ubuntu-latest]
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: hashicorp/setup-terraform@v3
+ - uses: google-github-actions/auth@v2
+ with:
+ project_id: ${{ secrets.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ secrets.STATE_BUCKET_ACCESS_WIF_PROVIDER }}
+
+ - name: Set up Cloud SDK
+ uses: google-github-actions/setup-gcloud@v2
+ with:
+ version: '>= 363.0.0'
+ - name: Use gcloud CLI
+ run: gcloud info
+ - id: init
+ run: terraform init
+ - id: plan
+ run: terraform plan -no-color
+ - run: echo ${{ steps.plan.outputs.stdout }}
+ - run: echo ${{ steps.plan.outputs.stderr }}
+ - run: echo ${{ steps.plan.outputs.exitcode }}
\ No newline at end of file
diff --git a/action.identity.tf b/action.identity.tf
new file mode 100644
index 0000000..8d37b7f
--- /dev/null
+++ b/action.identity.tf
@@ -0,0 +1,15 @@
+module "github_wif" {
+ source = "Cyclenerd/wif-github/google"
+ version = "~> 1.0.0"
+ project_id = var.project_id
+ attribute_condition = "assertion.repository_owner == 'senacor'"
+}
+
+module "wif_lpt_bootstrap" {
+ source = "Cyclenerd/wif-service-account/google"
+ version = "~> 1.0.0"
+ project_id = var.project_id
+ pool_name = module.github_wif.pool_name
+ account_id = module.state_service_account.id
+ repository = github_repository.bootstrap.full_name
+}
\ No newline at end of file
diff --git a/bootstrap.repository.tf b/bootstrap.repository.tf
index 0a2f0d6..7d94318 100644
--- a/bootstrap.repository.tf
+++ b/bootstrap.repository.tf
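Review bot: The last three steps interpolate `${{ steps.plan.outputs.stdout }}` (and stderr/exitcode) straight into a `run:` shell line, which is the expression-injection pattern: the plan text is substituted before bash parses the command, so quotes, backticks or `$(...)` appearing in values the PR branch's Terraform defines become shell syntax on the runner. Pass the value through the environment instead, e.g. `env:` / `  PLAN_STDOUT: ${{ steps.plan.outputs.stdout }}` / `run: echo "$PLAN_STDOUT"`, and the same for the other two outputs. These outputs only exist because hashicorp/setup-terraform installs its wrapper script by default, which a one-line comment on the `plan` step should say so nobody "fixes" it by setting `terraform_wrapper: false`. Since `terraform plan` already writes to the job log, the stdout echo is redundant unless the value is meant for a later step.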
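Review bot: Neither module block carries a comment explaining the two layers of scoping, and only the second block actually ties a service account to one repository, so the intent is easy to lose on a later edit of the `attribute_condition`. I would add above `module "github_wif"`: `# Pool-level condition: accept OIDC tokens from any repository owned by 'senacor'; per-repository restriction happens in the binding below.` and above `module "wif_lpt_bootstrap"`: `# Allows the bootstrap repository's workflows to impersonate the state service account via WIF instead of a downloaded key.` Whether the `repository` argument alone narrows the binding to that one repo depends on the module's implementation and should be confirmed against its documentation before relying on the comment.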
@@ -44,4 +44,16 @@ resource "github_actions_secret" "state_bucket_access_private_key" {
 repository = github_repository.bootstrap.name
 secret_name = "STATE_BUCKET_ACCESS_PRIVATE_KEY"
 plaintext_value = google_service_account_key.state_service_account_key.private_key
+}
+
+resource "github_actions_secret" "state_bucket_access_wif_provider" {
+ repository = github_repository.bootstrap.name
+ secret_name = "STATE_BUCKET_ACCESS_WIF_PROVIDER"
+ plaintext_value = module.github_wif.provider_name
+}
+
+resource "github_actions_secret" "gcp_project_id" {
+ repository = github_repository.bootstrap.name
+ secret_name = "GCP_PROJECT_ID"
+ plaintext_value = var.project_id
 }
\ No newline at end of file
diff --git a/simple.gke.tf b/simple.gke.tf
index 84b9ed2..b9fed71 100644
--- a/simple.gke.tf
+++ b/simple.gke.tf
@@ -66,10 +66,16 @@ module "gke" {
 ip_range_services = local.svc_range_name
 release_channel = "REGULAR"
 enable_vertical_pod_autoscaling = true
- enable_private_endpoint = true
+ enable_private_endpoint = false
 enable_private_nodes = true
 network_tags = [local.cluster_type]
 deletion_protection = false
+ master_authorized_networks = [
+ {
+ cidr_block = "93.211.11.162/32"
+ display_name = "PSI"
+ }
+ ]
 }
 
 resource "google_service_account_key" "gke_service_account_key" {
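Review bot: The `state_bucket_access_private_key` secret in the context lines still exports a long-lived JSON key for what appears to be the same service account the new WIF binding in action.identity.tf impersonates, so after this commit the repository holds both a static credential and a federated path to the same identity. If the workflow now authenticates through `STATE_BUCKET_ACCESS_WIF_PROVIDER`, the `google_service_account_key` resource and its secret should go in a follow-up, or a comment on that resource should state why the key is kept. Separately, `GCP_PROJECT_ID` and the provider resource name are identifiers rather than secrets; declaring them with `github_actions_variable` (read as `vars.GCP_PROJECT_ID` in the workflow) avoids GitHub masking the project id wherever it appears in job logs, such as the `gcloud info` output. The resource block that owns the first three context lines starts above the hunk.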
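Review bot: `enable_private_endpoint = false` exposes the control plane on a public address, and the only thing limiting who can reach it is the single `master_authorized_networks` entry, whose `cidr_block` is a hard-coded individual address with the opaque name `PSI`. Move the address into a variable, e.g. `cidr_block = var.control_plane_admin_cidr`, so it is not baked into version history and can be changed without a code edit, and add a comment above `enable_private_endpoint` saying why the private endpoint was turned off. GitHub-hosted runners are not covered by that entry, so presumably the public endpoint serves an operator workstation rather than the CI job — worth confirming and recording in the same comment. The `module "gke"` block starts above the hunk.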