diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml index dc0606f0b..ca7600fd4 100644 --- a/.github/workflows/pull-request-main.yml +++ b/.github/workflows/pull-request-main.yml @@ -151,8 +151,10 @@ jobs: ci-sonarqube: name: Sonarqube Scan - needs: [ ci-lint, ci-lint-misc, ci-test ] + needs: [ci-lint, ci-lint-misc, ci-test] runs-on: ubuntu-latest + permissions: + contents: read if: github.actor != 'dependabot[bot]' steps: - name: Scanning with Sonarqube diff --git a/.github/workflows/push-main.yml b/.github/workflows/push-main.yml index 87c5c9f35..9531f8fc3 100644 --- a/.github/workflows/push-main.yml +++ b/.github/workflows/push-main.yml @@ -10,9 +10,7 @@ jobs: name: Lint runs-on: ubuntu-latest permissions: - id-token: write contents: read - actions: read steps: - name: Linting Go uses: smartcontractkit/.github/actions/ci-lint-go@bd2ca3d8fa2dc89f98b49b297e9b72c2e3e68cdc # ci-lint-go@3.1.0 @@ -26,9 +24,7 @@ jobs: name: Lint E2E tests runs-on: ubuntu-latest permissions: - id-token: write contents: read - actions: read steps: - name: Linting Go uses: smartcontractkit/.github/actions/ci-lint-go@bd2ca3d8fa2dc89f98b49b297e9b72c2e3e68cdc # ci-lint-go@3.1.0 @@ -54,7 +50,7 @@ jobs: actions: read steps: - name: ci-test - uses: smartcontractkit/.github/actions/ci-test-go@ci-test-go/1.0.0 + uses: smartcontractkit/.github/actions/ci-test-go@dfcba48f05933158428bce867d790e3d5a9baa6b # ci-test-go@1.1.0 with: go-test-cmd: go test -coverprofile=coverage.txt $(go list ./...) use-go-cache: true @@ -147,7 +143,6 @@ jobs: exit 0 } - cd-release: runs-on: ubuntu-latest permissions: @@ -167,7 +162,7 @@ jobs: ci-sonarqube: name: Sonarqube Scan - needs: [ ci-lint, ci-lint-misc, ci-test ] + needs: [ci-lint, ci-lint-misc, ci-test] runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' steps: diff --git a/.github/workflows/push-tag-release.yml b/.github/workflows/push-tag-release.yml index 45274dd16..b236152fe 100644 
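Review bot: The `permissions:` / `contents: read` block added to `ci-sonarqube` in pull-request-main.yml has no counterpart in push-main.yml, where the last hunk only reformats the same job's `needs:` list and the visible lines between `runs-on:` and `if:` show no job-level `permissions:`. Unless a workflow-level `permissions:` key exists outside the hunk, the scan on pushes to main still runs with the repository's default GITHUB_TOKEN scopes. Adding the same two lines under `runs-on: ubuntu-latest` in push-main.yml would keep both scans at the same privilege. The scan step itself is outside both hunks, so it is worth confirming it needs nothing beyond `contents: read`, since a job-level block sets every unlisted scope to `none`.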
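Review bot: The new `uses:` line in the `ci-test` step of push-main.yml pins `ci-test-go` to a commit SHA and also moves it from 1.0.0 to 1.1.0, and the trailing `# ci-test-go@1.1.0` comment is the only thing tying that SHA to a release, so the mapping should be checked against the upstream tag before merge. The job's permissions block starts outside the hunk, but the visible context still carries `actions: read`, the scope this commit removes from both lint jobs. If the test action does not use it, dropping it here as well would leave the three jobs consistent; if it does, a one-line comment saying why would help the next reviewer.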
--- a/.github/workflows/push-tag-release.yml +++ b/.github/workflows/push-tag-release.yml @@ -60,7 +60,7 @@ jobs: update-git-tag: "true" # goreleaser inputs goreleaser-args: "--config .goreleaser.yml" - goreleaser-version: '~> v2' + goreleaser-version: "~> v2" goreleaser-dist: goreleaser-pro goreleaser-key: ${{ secrets.GORELEASER_KEY }} @@ -69,6 +69,8 @@ jobs: needs: - cicd-publish-release runs-on: ubuntu-latest + permissions: + contents: read environment: build-publish steps: - name: Checkout repository @@ -85,4 +87,4 @@ jobs: slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot git-ref: ${{ env.TAG }} git-ref-type: tag - changelog-url: 'https://github.com/${{ github.repository }}/releases/tag/${{ env.TAG }}' + changelog-url: "https://github.com/${{ github.repository }}/releases/tag/${{ env.TAG }}"
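Review bot: The `permissions:` / `contents: read` block added to the job that `needs: cicd-publish-release` sets every unlisted GITHUB_TOKEN scope to `none`, and the steps after `Checkout repository` lie outside the hunk, so any step that uses the token for something other than reading repository contents would start failing on the next tag push. A short comment on the block would record the intent, for example `# checkout only; later steps authenticate with their own secrets`, if that matches the steps below. The job runs in the `build-publish` environment, so a dry run on a test tag is a cheap way to confirm the reduced token is sufficient there.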