diff --git a/.github/workflows/build-autotriage.yml b/.github/workflows/build-autotriage.yml
index 38f733469..df5774705 100644
--- a/.github/workflows/build-autotriage.yml
+++ b/.github/workflows/build-autotriage.yml
@@ -11,18 +11,22 @@ env:
   TRIAGE_SCRIPT: "tooling/build_autotriage/build_autotriage.sh"
 
 jobs:
-  Label:
+  autotriage:
+    permissions:
+      contents: read
+      issues: write 
     runs-on: ubuntu-latest
     name: Run Build Triage
     if: github.repository == 'adoptium/temurin-build'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
       - name: "Run Build Auto Triage"
         run: bash "${PWD}/${TRIAGE_SCRIPT}" jdk8u jdk11u jdk17u jdk21u jdk22 jdk23head
 
       - name: Create Issue From File
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # v2
+        uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         with:
-          filename: ./build_triage_output.md
\ No newline at end of file
+          filename: ./build_triage_output.md
diff --git a/.github/workflows/ca-cert-updater.yml b/.github/workflows/ca-cert-updater.yml
index 5582d24ea..9eb806418 100644
--- a/.github/workflows/ca-cert-updater.yml
+++ b/.github/workflows/ca-cert-updater.yml
@@ -6,7 +6,8 @@ on:
     - cron: "0 0 * * *"
 
 permissions:
-  contents: read
+  contents: write  # to push local changes (gr2m/create-or-update-pull-request-action)
+  pull-requests: write  # to create a PR (gr2m/create-or-update-pull-request-action)
 
 jobs:
   update_ca_certs:
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 296494601..be789c6c5 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -1,6 +1,10 @@
 name: Dependabot auto-merge
 on: pull_request_target
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   dependabot:
     uses: adoptium/.github/.github/workflows/dependabot-auto-merge.yml@main
diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testsbom.yml
index 40dcb7d3b..1c71324bb 100644
--- a/.github/workflows/testsbom.yml
+++ b/.github/workflows/testsbom.yml
@@ -36,9 +36,10 @@ jobs:
         run: |
           ant -noinput -buildfile cyclonedx-lib/build.xml clean
           ant -noinput -buildfile cyclonedx-lib/build.xml build
+
       - name: Run TemurinGenSBOM Unit test
-        run: |
-          ant -noinput -buildfile cyclonedx-lib/build.xml run
+        run: ant -noinput -buildfile cyclonedx-lib/build.xml run
+
       - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         name: Collect and Archive TemurinGenSBOM Artifacts
         with: