diff --git a/.github/workflows/ci_nightly.yml b/.github/workflows/ci_nightly.yml
index de76d75f8..41cffd828 100644
--- a/.github/workflows/ci_nightly.yml
+++ b/.github/workflows/ci_nightly.yml
@@ -6,10 +6,29 @@ on:
 - master
 jobs:
+ config:
+ runs-on: "ubuntu-latest"
+ permissions:
+ contents: none
+ outputs:
+ has-secrets: ${{ steps.check.outputs.has-secrets }}
+ steps:
+ - name: "Check for secrets"
+ id: check
+ shell: bash
+ run: |
+ if [ -n "${{ (secrets.REPO_GPG_PASSPHRASE != '' && secrets.NIGHTLY_KEYCHAIN_PASSPHRASE != '') || '' }}" ]; then
+ echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+ fi
+
 build:
+ needs: config
+ if: needs.config.outputs.has-secrets
 name: Build and Sign
 runs-on: macos-12
+ permissions:
+ contents: read
 env:
 IS_CI: 1
 IS_NIGHTLY: 1
@@ -114,5 +133,9 @@ jobs:
 path: archive/${{ steps.version.outputs.NIGHTLY_VERSION }}/Release-build.log
 - name: Send notification
+ if: env.CI_WEBHOOK_URL != '' && env.CI_WEBHOOK_SECRET != ''
+ env:
+ CI_WEBHOOK_URL: ${{ secrets.CI_WEBHOOK_URL }}
+ CI_WEBHOOK_SECRET: ${{ secrets.CI_WEBHOOK_SECRET }}
 run: |
- /usr/bin/curl -H "X-CI-WebHook: true" -H "Content-Type: application/json" -d '{"secret": "${{ secrets.CI_WEBHOOK_SECRET }}", "repository": "hammerspoon", "workflow": "Dev Build", "message": "New development build: ${{ steps.version.outputs.NIGHTLY_VERSION }}"}' ${{ secrets.CI_WEBHOOK_URL }}
+ /usr/bin/curl -H "X-CI-WebHook: true" -H "Content-Type: application/json" -d '{"secret": "$CI_WEBHOOK_SECRET", "repository": "hammerspoon", "workflow": "Dev Build", "message": "New development build: ${{ steps.version.outputs.NIGHTLY_VERSION }}"}' $CI_WEBHOOK_URL
diff --git a/.github/workflows/ci_testbuild.yml b/.github/workflows/ci_testbuild.yml
index c2e0ffcf9..9dd6ccada 100644
--- a/.github/workflows/ci_testbuild.yml
+++ b/.github/workflows/ci_testbuild.yml
@@ -10,6 +10,8 @@ jobs:
 build:
 name: Build and Test
 runs-on: macos-12
+ permissions:
+ contents: read
 env:
 IS_CI: 1
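Review bot: The rewritten curl line in the second ci_nightly hunk never sends the secret: `$CI_WEBHOOK_SECRET` sits inside the single-quoted `-d '...'` body, so bash passes the literal text `$CI_WEBHOOK_SECRET` to the webhook (the old `${{ secrets.CI_WEBHOOK_SECRET }}` form worked inside single quotes only because GitHub substituted it before the shell ran). Switch the body to double quotes with escaped inner quotes and quote the URL so it is not word-split: `-d "{\"secret\": \"${CI_WEBHOOK_SECRET}\", \"repository\": \"hammerspoon\", \"workflow\": \"Dev Build\", \"message\": \"New development build: ${{ steps.version.outputs.NIGHTLY_VERSION }}\"}" "$CI_WEBHOOK_URL"`. Separately, as far as I recall the runner evaluates a step's `if:` before that step's own `env:` is applied, so `if: env.CI_WEBHOOK_URL != '' && env.CI_WEBHOOK_SECRET != ''` may always see empty values and skip the step; moving the two `CI_WEBHOOK_*` entries to the job-level `env:` (the block that already holds `IS_CI`/`IS_NIGHTLY`) keeps the guard working without needing the `secrets` context in `if`, where it is not available — worth confirming on a real run. The `build` job this step belongs to continues outside the hunk.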
diff --git a/.github/workflows/ci_testbuild_results.yml b/.github/workflows/ci_testbuild_results.yml index 0ec3ea980..7f40578f5 100644 --- a/.github/workflows/ci_testbuild_results.yml +++ b/.github/workflows/ci_testbuild_results.yml @@ -10,6 +10,10 @@ jobs: publish: name: "Process CI Results" runs-on: ubuntu-latest + permissions: + checks: write + pull-requests: write + if: always() steps: diff --git a/.github/workflows/new_tag.yml b/.github/workflows/new_tag.yml index 8ff558961..3a7e4591b 100644 --- a/.github/workflows/new_tag.yml +++ b/.github/workflows/new_tag.yml @@ -10,6 +10,8 @@ jobs: generate-release-notes: name: Generate Release Notes runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@v2 @@ -52,6 +54,9 @@ jobs: create-next-milestone: name: Create next milestone runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - uses: actions/checkout@v2 with:
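Review bot: The new `checks: write` / `pull-requests: write` grant on the `publish` job carries no comment saying why a results-processing job needs write scopes, and nothing in the hunk shows what it writes or where its input comes from. If this job is a `workflow_run` consumer that downloads artifacts from the test build (not visible here), those artifacts are attacker-controlled for fork pull requests while this job runs with a write-capable token, so the narrowed permissions are the right direction but the steps should treat artifact contents as untrusted (no `${{ }}` interpolation or shell evaluation of their text) and write only to the originating PR. I would add above `permissions:` a comment such as `# Minimal write scopes: checks (publish test results) and pull-requests (comment on the PR); input artifacts come from an untrusted run.`, adjusted to the actual trigger. The job's `steps:` list continues outside the hunk.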