diff --git a/.github/actions/upload-artifact/action.yaml b/.github/actions/upload-artifact/action.yaml
deleted file mode 100644
index b9d384456b7d..000000000000
--- a/.github/actions/upload-artifact/action.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: UploadArtifacts
-description: 'Uploads artifacts of a workflow as an archive of a directory so that another workflow that runs on workflow_run can download and use it'
-runs:
-  using: "composite"
-  steps:
-    - uses: actions/upload-artifact@v3
-      with:
-        name: artifacts
-        path: /tmp/artifacts
diff --git a/.github/workflows/approval-comment.yaml b/.github/workflows/approval-comment.yaml
index b02597e22a37..d53c1bd6cb77 100644
--- a/.github/workflows/approval-comment.yaml
+++ b/.github/workflows/approval-comment.yaml
@@ -6,7 +6,6 @@ on:
 jobs:
   approval-comment:
     if: startsWith(github.event.review.body, '/karpenter snapshot') || startsWith(github.event.review.body, '/karpenter scale') || startsWith(github.event.review.body, '/karpenter conformance')
-    permissions: write-all
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,4 +20,7 @@ jobs:
           echo ${{ github.event.pull_request.number }} >> /tmp/artifacts/metadata.txt
           echo ${{ github.event.review.commit_id }} >> /tmp/artifacts/metadata.txt
           cat /tmp/artifacts/metadata.txt
-      - uses: ./.github/actions/upload-artifact
+      - uses: actions/upload-artifact@v3
+        with:
+          name: artifacts
+          path: /tmp/artifacts
diff --git a/.github/workflows/codegen.yaml b/.github/workflows/codegen.yaml
index a45f7eb2bf61..d92447dbd44e 100644
--- a/.github/workflows/codegen.yaml
+++ b/.github/workflows/codegen.yaml
@@ -5,9 +5,9 @@ on:
     - cron: '0 13 * * MON'
 permissions:
-  id-token: write
-  pull-requests: write
-  contents: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  pull-requests: write # name: Create Pull Request
+  contents: write # name: Create Pull Request
 jobs:
   codegen:
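Review bot: Dropping `permissions: write-all` from the approval-comment job without a replacement leaves the job's GITHUB_TOKEN at the workflow or repository default, which on older repositories is still read/write for every scope; no workflow-level `permissions:` block is visible in this hunk, so that default is not pinned anywhere we can see. The steps visible in this file (actions/checkout@v4 and actions/upload-artifact@v3) need no write scope, so an explicit job-level `permissions:` followed by `  contents: read` would make the least-privilege intent explicit rather than inherited. The job definition continues past the end of the hunk.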
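Review bot: The metadata artifact written here (PR number and review commit id) is produced under a pull_request_review trigger and, per the deleted composite action's description, is consumed by a workflow_run workflow — pr-snapshot.yaml in this same commit runs on `types: [completed]` with `id-token: write` and `statuses: write`. Nothing in the new `actions/upload-artifact@v3` step documents that trust boundary; a comment such as `# consumed by a privileged workflow_run job: treat metadata.txt as untrusted input and validate its fields before use` above the step would record it where the artifact is created. The `run:` block this hunk sits in starts outside the hunk.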
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index bc61db907386..60f764dbe505 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -12,9 +12,8 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      actions: read # github/codeql-action/init@v2
+      security-events: write # github/codeql-action/init@v2
     strategy:
       fail-fast: false
diff --git a/.github/workflows/docgen.yaml b/.github/workflows/docgen.yaml
index 97a116bf437b..c65be3d2bdd4 100644
--- a/.github/workflows/docgen.yaml
+++ b/.github/workflows/docgen.yaml
@@ -5,7 +5,7 @@ on:
     branches: [main]
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   docgen-ci:
diff --git a/.github/workflows/e2e-upgrade.yaml b/.github/workflows/e2e-upgrade.yaml
index 1e418d872335..8a71094b63e0 100644
--- a/.github/workflows/e2e-upgrade.yaml
+++ b/.github/workflows/e2e-upgrade.yaml
@@ -46,9 +46,8 @@ on:
       SLACK_WEBHOOK_URL:
         required: true
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read # This is required for actions/checkout
-  statuses: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  statuses: write # ./.github/actions/commit-status/start
 jobs:
   run-suite:
     name: suite-upgrade
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 47b373afbd0b..42abf5c92bfc 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -74,9 +74,8 @@ on:
       SLACK_WEBHOOK_URL:
         required: true
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read # This is required for actions/checkout
-  statuses: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  statuses: write # ./.github/actions/commit-status/start
 jobs:
   run-suite:
     name: suite-${{ inputs.suite }}
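Review bot: Removing `contents: read` from the codeql-analysis job leaves that scope at none, because an explicit `permissions:` block sets every unlisted scope to none, and the checkout and CodeQL analyze/upload steps that follow (outside this hunk) may depend on it. The same removal appears in e2e-upgrade.yaml, e2e.yaml and sweeper.yaml, where the dropped line's own comment read `# This is required for actions/checkout`, and the commit does not say what replaces that requirement. On a public repository checkout may still succeed through anonymous read, but that is not certain from here and would not hold for a private repository; please confirm these workflows still pass, or restore `contents: read # actions/checkout@v4` in each of the four files.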
diff --git a/.github/workflows/pr-snapshot.yaml b/.github/workflows/pr-snapshot.yaml
index 8bd9e961c7a7..f720df036147 100644
--- a/.github/workflows/pr-snapshot.yaml
+++ b/.github/workflows/pr-snapshot.yaml
@@ -5,8 +5,6 @@ on:
     types: [completed]
 permissions:
   id-token: write
-  pull-requests: write
-  contents: write
   statuses: write
 jobs:
   release:
diff --git a/.github/workflows/publish-test-tools.yaml b/.github/workflows/publish-test-tools.yaml
index f9365b210dbe..09f0f50325d3 100644
--- a/.github/workflows/publish-test-tools.yaml
+++ b/.github/workflows/publish-test-tools.yaml
@@ -8,7 +8,7 @@ on:
   schedule:
     - cron: '0 13 * * MON'
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   publish-tools:
     if: github.repository == 'aws/karpenter'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 798c905b1ff5..c8dd1d914610 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,9 +3,9 @@ on:
   push:
     tags: [ 'v*.*.*' ]
 permissions:
-  id-token: write
-  pull-requests: write
-  contents: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  contents: write # marvinpinto/action-automatic-releases@latest
+  pull-requests: write # name: Create PR
 jobs:
   release:
     if: github.repository == 'aws/karpenter'
diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml
index da8f58f41840..50add2d98f88 100644
--- a/.github/workflows/snapshot.yaml
+++ b/.github/workflows/snapshot.yaml
@@ -3,7 +3,7 @@ on:
   push:
     branches: [ main ]
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   release:
     if: github.repository == 'aws/karpenter'
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 219fcef93cf2..2d27333c2a36 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
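Review bot: The two scopes kept in pr-snapshot.yaml, `id-token: write` and `statuses: write`, are the only remaining permissions in this commit that did not receive the consuming-step comment every other workflow gained (for example `# aws-actions/configure-aws-credentials@v4.0.1`). Annotating them the same way keeps the least-privilege audit trail consistent, and it matters most here because this workflow runs on `types: [completed]`, i.e. as the privileged workflow_run consumer of the review-triggered artifact, so a reader should be able to see which step justifies each write scope. The jobs that would identify those steps are outside the hunk.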
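Review bot: The new comment on `contents: write` in release.yaml records that this scope is granted to `marvinpinto/action-automatic-releases@latest`, a third-party action referenced by a mutable tag; the step itself is outside the hunk. A floating tag combined with a `contents: write` token means any future publish to that tag runs with release permissions in this repository, so the action reference should be pinned to a full commit SHA with the version kept in a trailing comment, and this permission comment updated to match the pinned reference.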
@@ -7,9 +7,8 @@ jobs:
   StaleBot:
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      discussions: write
-      pull-requests: write
+      issues: write # actions/stale@v8.0.0
+      pull-requests: write # actions/stale@v8.0.0
     if: github.repository == 'aws/karpenter'
     name: Stale issue bot
     steps:
diff --git a/.github/workflows/sweeper.yaml b/.github/workflows/sweeper.yaml
index 8d0138804f22..894f50400b0b 100644
--- a/.github/workflows/sweeper.yaml
+++ b/.github/workflows/sweeper.yaml
@@ -4,8 +4,7 @@ on:
     - cron: '0 */12 * * *'
   workflow_dispatch:
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read # This is required for actions/checkout
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   sweeper:
     if: vars.ACCOUNT_ID != '' || github.event_name == 'workflow_dispatch'