diff --git a/.github/PklProject b/.github/PklProject
index 90d0145e3..acba3bbdb 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -2,5 +2,5 @@ amends "pkl:Project"
 
 dependencies {
   ["gha"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/temp.stefma.gha@0.0.0" }
-  ["pkl.impl.ghactions"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.2.0" }
+  ["pkl.impl.ghactions"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.3.2" }
 }
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
index 2c5404a62..709b4b8c5 100644
--- a/.github/PklProject.deps.json
+++ b/.github/PklProject.deps.json
@@ -10,9 +10,9 @@
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.2.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.3.2",
       "checksums": {
-        "sha256": "2d593b831c63736bf55c1aa8ad3bc8dbbc86c974db963c38ba668fbcecd32a87"
+        "sha256": "3427c2349ba465e64e1d2e9ec1f71c079e7f98a0a5fcfe900df67c98daf7eebb"
       }
     }
   }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4735a0ac5..3aeebd40a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,8 +6,11 @@ name: Build
   push:
     branches-ignore:
     - main
+    - release/*
     tags-ignore:
     - '*'
+permissions:
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8fdd4055a..34b96f246 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,6 +14,8 @@ name: Build (main)
         description: The source GitHub Action workflow run triggering this build
         required: false
         type: string
+permissions:
+  contents: read
 jobs:
   publish:
     permissions:
diff --git a/.github/workflows/prb.yml b/.github/workflows/prb.yml
index 067424d70..bdd4a8d2f 100644
--- a/.github/workflows/prb.yml
+++ b/.github/workflows/prb.yml
@@ -4,6 +4,8 @@
 name: Pull Request
 'on':
   pull_request: {}
+permissions:
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest