diff --git a/.github/workflows/daily-update-vllm-version.yml b/.github/workflows/daily-update-vllm-version.yml index 991d4b8db2..e1580ec9a8 100644 --- a/.github/workflows/daily-update-vllm-version.yml +++ b/.github/workflows/daily-update-vllm-version.yml @@ -3,6 +3,10 @@ name: Daily update vLLM & vLLM-fork version +permissions: + contents: write + pull-requests: write + on: schedule: - cron: "30 22 * * *" @@ -26,9 +30,6 @@ jobs: repo_name: HabanaAI/vllm-fork ver_name: VLLM_FORK_VER fail-fast: false - permissions: - contents: write - pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/daily_check_issue_and_pr.yml b/.github/workflows/daily_check_issue_and_pr.yml index 21e1c1d835..d22c984c7e 100644 --- a/.github/workflows/daily_check_issue_and_pr.yml +++ b/.github/workflows/daily_check_issue_and_pr.yml @@ -3,6 +3,11 @@ name: Check stale issue and pr +permissions: + contents: read + issues: write + pull-requests: write + on: schedule: - cron: "30 22 * * *" @@ -10,9 +15,6 @@ on: jobs: close-issues: runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write steps: - uses: actions/stale@v9 with: diff --git a/.github/workflows/manual-example-workflow.yml b/.github/workflows/manual-example-workflow.yml index a96b6241a5..d5a2d90cdc 100644 --- a/.github/workflows/manual-example-workflow.yml +++ b/.github/workflows/manual-example-workflow.yml @@ -95,18 +95,15 @@ jobs: permissions: actions: read attestations: read + checks: read discussions: read models: read repository-projects: read id-token: write contents: read - checks: write - deployments: write issues: write - packages: write pages: write pull-requests: write - statuses: write security-events: read needs: [get-test-matrix, build-comps-base] strategy: diff --git a/.github/workflows/manual-image-build.yml b/.github/workflows/manual-image-build.yml index 4052ba11c2..2e3a529dee 100644 --- a/.github/workflows/manual-image-build.yml 
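Review bot: Declaring `contents: write` and `pull-requests: write` at workflow level in daily-update-vllm-version.yml makes them the default token scope for every job in the file, whereas the removed job-level block confined them to the one job that used them. If the goal is an explicit top-level `permissions:` key, set it to the read-only baseline (`contents: read`) and keep the write scopes under the job. The hunk in daily_check_issue_and_pr.yml makes the same move, lifting `issues: write` and `pull-requests: write` out of the `close-issues` job. Only part of each workflow is visible, so whether other jobs exist today is not shown, but any job added later would inherit the write token.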
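Review bot: In manual-example-workflow.yml the trimmed job-level block is safe only if nothing downstream still asks for the scopes being removed (`checks: write`, `deployments: write`, `packages: write`, `statuses: write`). The job body is outside the hunk. If it calls a reusable workflow, the caller's grant is the ceiling, and a called job that requests more than the caller allows fails workflow validation, so the called workflows need checking against the new list. The same applies to the identical edit in manual-image-build.yml and to the `packages: write` removal in nightly-docker-build-publish.yml, where a push to the GitHub container registry with the workflow token would stop working. The remaining write scopes (`id-token`, `issues`, `pages`, `pull-requests`) have no stated reason; a one-line comment per scope, such as `# id-token: write - required for OIDC login in the called workflow`, would show whether they can be dropped too.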
+++ b/.github/workflows/manual-image-build.yml @@ -65,18 +65,15 @@ jobs: permissions: actions: read attestations: read + checks: read discussions: read models: read repository-projects: read id-token: write contents: read - checks: write - deployments: write issues: write - packages: write pages: write pull-requests: write - statuses: write security-events: read needs: get-test-matrix if: ${{ needs.get-test-matrix.outputs.nodes != '' }} diff --git a/.github/workflows/nightly-docker-build-publish.yml b/.github/workflows/nightly-docker-build-publish.yml index b89c8ca1c8..12cac214cf 100644 --- a/.github/workflows/nightly-docker-build-publish.yml +++ b/.github/workflows/nightly-docker-build-publish.yml @@ -99,7 +99,6 @@ jobs: id-token: write contents: read issues: write - packages: write pages: write pull-requests: write security-events: read diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 8944ccc5d5..f64184c519 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -4,7 +4,7 @@ name: Code Scan permissions: contents: read - security-events: write + security-events: read on: pull_request: branches: [main] diff --git a/.github/workflows/pr-link-path-scan.yml b/.github/workflows/pr-link-path-scan.yml index c3c2d56ebd..932646a52d 100644 --- a/.github/workflows/pr-link-path-scan.yml +++ b/.github/workflows/pr-link-path-scan.yml 
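Review bot: In pr-code-scan.yml, `security-events: read` is sufficient only if no step uploads findings to code scanning; a SARIF upload needs `security-events: write` and would be rejected with the token this hunk leaves. The steps are outside the hunk, so this needs confirming against the full file. If the scan only prints or archives its report, a comment above the key such as `# results are not uploaded to code scanning; read is sufficient` would record the reason. If nothing reads code-scanning alerts either, the key could be dropped altogether.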
@@ -24,12 +24,14 @@ jobs: fetch-depth: 0 - name: Check the Validity of Hyperlinks + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} run: | cd ${{github.workspace}} delay=1 fail="FALSE" merged_commit=$(git log -1 --format='%H') - changed_files="$(git diff --name-status --diff-filter=ARM ${{ github.event.pull_request.base.sha }} ${merged_commit} | awk '/\.md$/ {print $NF}')" + changed_files="$(git diff --name-status --diff-filter=ARM $BASE_SHA ${merged_commit} | awk '/\.md$/ {print $NF}')" if [ -n "$changed_files" ]; then for changed_file in $changed_files; do # echo $changed_file @@ -87,15 +89,18 @@ jobs: fetch-depth: 0 - name: Checking Relative Path Validity + env: + REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }} + HEAD_REF: ${{ github.event.pull_request.head.ref }} + BASE_SHA: ${{ github.event.pull_request.base.sha }} run: | cd ${{github.workspace}} delay=1 fail="FALSE" - repo_name=${{ github.event.pull_request.head.repo.full_name }} - branch="https://github.com/$repo_name/blob/${{ github.event.pull_request.head.ref }}" + branch="https://github.com/$REPO_NAME/blob/$HEAD_REF" merged_commit=$(git log -1 --format='%H') - changed_files="$(git diff --name-status --diff-filter=ARM ${{ github.event.pull_request.base.sha }} ${merged_commit} | awk '/\.md$/ {print $NF}')" + changed_files="$(git diff --name-status --diff-filter=ARM $BASE_SHA ${merged_commit} | awk '/\.md$/ {print $NF}')" png_lines=$(grep -Eo '\]\([^)]+\)' --include='*.md' -r .|grep -Ev 'http') if [ -n "$png_lines" ]; then for png_line in $png_lines; do
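Review bot: `$BASE_SHA` is expanded unquoted on the new `git diff` line in the "Check the Validity of Hyperlinks" step, so the value still goes through word splitting and globbing before git receives it. Write it as `git diff --name-status --diff-filter=ARM "$BASE_SHA" "${merged_commit}"`. The second hunk of this file adds the same unquoted form in the "Checking Relative Path Validity" step. Both steps also keep `cd ${{github.workspace}}` as a template expansion inside the script; `cd "$GITHUB_WORKSPACE"` would leave the `run:` blocks free of `${{ }}`. Each script continues outside its hunk.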
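Review bot: `HEAD_REF` and `REPO_NAME` come from the pull request's head, so they remain contributor-controlled strings after the move to `env:`. The assignment `branch="https://github.com/$REPO_NAME/blob/$HEAD_REF"` is quoted, but every later use of `$branch` must be quoted as well and must never reach `eval` or an unquoted command position. Those uses lie below the last line of this hunk and need checking in the full file. A comment above the `env:` block, for example `# PR-controlled values: pass via env, never interpolate with ${{ }} inside run`, would keep a later edit from reintroducing the inline expression.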