diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml
index 50df8d8c0..a9c943c1a 100644
--- a/.github/workflows/update-release-status.yml
+++ b/.github/workflows/update-release-status.yml
@@ -1,4 +1,5 @@
 name: "Update Release Status"
+
 on:
   workflow_dispatch:
     inputs:
@@ -8,11 +9,6 @@ on:
         type: string
         required: true
 
-permissions:
-  actions: write
-  checks: write
-  contents: write
-
 env:
   HEAD_SHA: ${{ inputs.head-sha }}
 
@@ -22,9 +18,13 @@ jobs:
     outputs:
       status: ${{ steps.set-output.outputs.status }}
       conclusion: ${{ steps.set-output.outputs.conclusion }}
+    permissions:
+      actions: write
+      checks: write
+      contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.head-sha }}
 
@@ -132,6 +132,10 @@ jobs:
     needs: validate-check-runs
     if: needs.validate-check-runs.outputs.status == 'completed' && needs.validate-check-runs.outputs.conclusion == 'success'
     uses: ./.github/workflows/update-release.yml
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
     with:
       head-sha: ${{ inputs.head-sha }}
     secrets:
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
index b34abe191..282d2a104 100644
--- a/.github/workflows/update-release.yml
+++ b/.github/workflows/update-release.yml
@@ -1,8 +1,4 @@
 name: Update Release
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
 
 on:
   workflow_dispatch:
@@ -23,22 +19,28 @@ on:
         description: |
           The private key to use to generate a token for accessing the release engineering repository.
         required: true
+
 env:
   HEAD_SHA: ${{ inputs.head-sha }}
 
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+
 jobs:
   update-release:
     name: "Update release"
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # We need the full history to compute the changelog
           ref: ${{ inputs.head-sha }}
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"