diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 9a3f9e2..f8482e6 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -16,6 +16,7 @@ jobs:
 actionci:
 permissions:
 contents: read
+ actions: read
 security-events: write
 uses: smallstep/workflows/.github/workflows/actionci.yml@main
 secrets: inherit
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 7d59d23..c0388a3 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@@ -2,13 +2,11 @@ on:
 schedule:
 - cron: '0 0 * * SUN'
-permissions:
- actions: read
- contents: read
- security-events: write
-
 jobs:
 code-scan:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
- secrets:
- GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
+ secrets: inherit
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index d6e1e43..534b2d3 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -15,6 +15,5 @@ jobs:
 permissions:
 contents: read
 issues: write
- pull-requests: write
 uses: smallstep/workflows/.github/workflows/triage.yml@main
 secrets: inherit
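Review bot: In actionci.yml the added `actions: read` scope has no recorded reason, and the reusable workflow that presumably requests it is not visible in this diff. A short comment above the line, for example `# actions: read is requested by the called actionci workflow; drop it if the callee stops needing it`, would let a later least-privilege review decide whether the grant is still required. The `actionci` job starts above the hunk, so any existing explanation there is not visible here.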
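Review bot: In code-scan-cron.yml, `secrets: inherit` replaces a mapping that passed only `GITLEAKS_LICENSE_KEY`, so the called workflow now receives every secret available to this repository instead of the one it was given before. The callee is referenced as `@main`, a mutable ref, so any later change on that branch runs with those secrets and with `security-events: write`. Keeping the explicit mapping (`secrets:` with `GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}`) preserves least privilege. If `inherit` is wanted for consistency with the other callers, pinning the reference to a full commit SHA (`uses: smallstep/workflows/.github/workflows/code-scan.yml@<commit-sha>`) narrows the exposure. The same `@main` plus `secrets: inherit` pairing appears in the context lines of the actionci.yml and triage.yml hunks.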