diff --git a/.github/workflows/add_tags.yml b/.github/workflows/add_tags.yml
deleted file mode 100644
index 9b62d7c..0000000
--- a/.github/workflows/add_tags.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Warning, do not check out untrusted code with
-# the pull_request_target event.
-# the current workflow IS safe as long as you dont checkout untrusted code
-# https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
-on:
- pull_request_target:
- types: [opened, edited]
-name: conventional-release-labels
-jobs:
- label:
- runs-on: ubuntu-latest
- steps:
- - uses: bcoe/conventional-release-labels@v1
- with:
- type_labels: '{ "feat": "feat", "fix": "fix", "chore": "chore", "refactor": "refactor", "test": "test", "breaking": "breaking" }'
\ No newline at end of file
diff --git a/.github/workflows/lint_golang.yml b/.github/workflows/lint_golang.yml
index cf3350e..6eb0977 100644
--- a/.github/workflows/lint_golang.yml
+++ b/.github/workflows/lint_golang.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 golangci:
 name: Lint with GolangCI
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 8511fa9..8a6f52a 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on:
 - edited
 - synchronize
+permissions:
+ pull-requests: read
+
 jobs:
 main:
 name: Validate PR title
@@ -44,7 +47,7 @@ jobs:
 # special "[WIP]" prefix to indicate this state. This will avoid the
 # validation of the PR title and the pull request checks remain pending.
 # Note that a second check will be reported if this is enabled.
- wip: true
+ wip: false
 # When using "Squash and merge" on a PR with only one commit, GitHub
 # will suggest using that commit message instead of the PR title for the
 # merge commit, and it's easy to commit this by mistake. Enable this option
diff --git a/.github/workflows/regen.yml b/.github/workflows/regen.yml
index 62e19cf..dab90cf 100644
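Review bot: The `contents: read` cap added in lint_golang.yml may be one scope short if the lint step uses golangci-lint-action with `only-new-issues`, which reads the pull request through the API and needs `pull-requests: read`. The step itself is outside the hunk, so this is something to confirm rather than a confirmed break. If the linter only checks out the code, the block is right as written, and a short comment such as `# read-only token: the linter only needs to check out the code` would record the intent.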
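Review bot: The `wip: false` change in the second pr_title.yml hunk has no comment tying it to the new `pull-requests: read` block in the first hunk. The retained comment says WIP mode leaves the checks pending, which presumably requires a token that can write commit statuses, so re-enabling it later would likely break unless `statuses: write` is granted as well. Suggest adding above the option `# keep wip off: the token is limited to pull-requests: read and cannot set a pending status`. The trigger event sits above the first hunk, so whether this workflow runs under `pull_request_target` is not visible here.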
--- a/.github/workflows/regen.yml
+++ b/.github/workflows/regen.yml
@@ -4,6 +4,9 @@ on:
 - cron: "0 8 * * *"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 regen:
 timeout-minutes: 30
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index fcda8f7..69f61c4 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -4,6 +4,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
index a773a9d..4dc245e 100644
--- a/.github/workflows/unittest.yml
+++ b/.github/workflows/unittest.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 unitests:
 timeout-minutes: 30
@@ -28,4 +31,4 @@ jobs:
 run: make test
 env:
 CLOUDQUERY_TEAM_NAME: ${{ secrets.CLOUDQUERY_TEAM_NAME }}
- CLOUDQUERY_API_KEY: ${{ secrets.CLOUDQUERY_API_KEY }}
\ No newline at end of file
+ CLOUDQUERY_API_KEY: ${{ secrets.CLOUDQUERY_API_KEY }}
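Review bot: The `contents: read` cap in regen.yml and release_pr.yml will break those jobs if they rely on the default `GITHUB_TOKEN` to push commits, open pull requests or create releases, which the job names `regen` and `release-please` suggest they might. The steps of both jobs are outside the hunks, so confirm which token each write step uses. If they authenticate with a separate PAT or app token, the cap is correct and only limits what checkout can do. Where the default token is used, grant the write scopes on that job alone, e.g. a job-level `permissions:` with `contents: write` and `pull-requests: write` under `release-please:`, and keep the workflow-level default read-only.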