diff --git a/.github/workflows/close-pr.yaml b/.github/workflows/close-pr.yaml
index 22db3e8fd..93045ce62 100644
--- a/.github/workflows/close-pr.yaml
+++ b/.github/workflows/close-pr.yaml
@@ -1,8 +1,5 @@
 name: Close PR
-permissions:
- pull-requests: write
-
 on:
 workflow_dispatch:
 inputs:
@@ -19,6 +16,8 @@ on:
 required: true
 type: string
+permissions: {}
+
 jobs:
 update:
 name: Close PR
diff --git a/.github/workflows/crds.yaml b/.github/workflows/crds.yaml
index 529eac314..5f9fff888 100644
--- a/.github/workflows/crds.yaml
+++ b/.github/workflows/crds.yaml
@@ -1,13 +1,11 @@
 name: Update CRDs for chart repo
-permissions:
- contents: read
- pull-requests: write
-
 on:
 release:
 types: [published]
+permissions: {}
+
 jobs:
 update-crds:
 if: "!contains(github.event.release.tag_name, '-rc')"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 78ba9a352..59eb43a1f 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -9,8 +9,7 @@ on:
 - 'README.md'
 - '.github/workflows/docs.yaml'
-permissions:
- contents: write
+permissions: {}
 jobs:
 update-docs:
@@ -22,6 +21,7 @@ jobs:
 - name: Checkout operator repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ token: ${{ secrets.VM_BOT_GH_TOKEN }}
 path: __vm-operator
 - name: Checkout docs repo
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index ce9b742c9..8b8126c67 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -35,6 +35,9 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+
+permissions: {}
+
 jobs:
 build:
 name: Build and Test
diff --git a/.github/workflows/operatorhub.yaml b/.github/workflows/operatorhub.yaml
index 04e26af62..923ccf375 100644
--- a/.github/workflows/operatorhub.yaml
+++ b/.github/workflows/operatorhub.yaml
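Review bot: With `permissions: {}` at workflow level in close-pr.yaml, the `update` job gets a GITHUB_TOKEN with no scopes unless it declares its own block, and the removed `pull-requests: write` is not re-added anywhere in the visible hunks. If the job still uses GITHUB_TOKEN to close the pull request it needs a job-level `permissions:` entry with `pull-requests: write`; if it authenticates with a bot token instead, a comment above `permissions: {}` such as `# all API calls in this workflow use the bot token; GITHUB_TOKEN is intentionally empty` would record that. The job body continues outside the hunk, so this is inferred rather than observed. The same check applies to the jobs in crds.yaml, main.yaml, operatorhub.yaml and release.yaml, the last two of which had no workflow-level block before and so may have relied on the repository default.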
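Review bot: The `token: ${{ secrets.VM_BOT_GH_TOKEN }}` added to the "Checkout operator repo" step in docs.yaml is a stored secret that `permissions: {}` does not constrain, and actions/checkout defaults to `persist-credentials: true`, so the token stays available to every later step in the job. If no later step pushes from that checkout, add `persist-credentials: false` under `with:`; if the token is only there to make the checkout work under empty permissions, a job-level `permissions:` with `contents: read` and the default GITHUB_TOKEN would avoid exposing the bot token at all. Whichever is chosen, a comment on the `token:` line stating what the bot token is needed for would help the next reviewer. The same applies to the checkout step in sandbox.yaml, where the ref comes from the `branch` dispatch input and the "Publish image" step then runs code from that checkout. The steps after both checkouts are outside the hunks.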
@@ -1,9 +1,5 @@
 name: Publish OperatorHub release
-permissions:
- contents: read
- pull-requests: write
-
 on:
 workflow_run:
 workflows:
@@ -11,6 +7,8 @@ on:
 types:
 - completed
+permissions: {}
+
 jobs:
 update:
 name: Publish new OperatorHub release
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 95d46810d..a000f1e8e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,6 +4,9 @@ on:
 types:
 - created
 - prereleased
+
+permissions: {}
+
 jobs:
 release:
 name: Release on GitHub
diff --git a/.github/workflows/sandbox.yaml b/.github/workflows/sandbox.yaml
index b7fb92772..063953f4d 100644
--- a/.github/workflows/sandbox.yaml
+++ b/.github/workflows/sandbox.yaml
@@ -15,9 +15,7 @@ on:
 default: master
 type: string
-permissions:
- contents: read
- pull-requests: write
+permissions: {}
 jobs:
 update:
@@ -29,6 +27,7 @@ jobs:
 with:
 repository: VictoriaMetrics/operator
 ref: ${{ github.event.inputs.branch }}
+ token: ${{ secrets.VM_BOT_GH_TOKEN }}
 - name: Publish image
 id: publish
diff --git a/.github/workflows/upgrade-tests.yaml b/.github/workflows/upgrade-tests.yaml
index 6a96c1351..955b2a045 100644
--- a/.github/workflows/upgrade-tests.yaml
+++ b/.github/workflows/upgrade-tests.yaml
@@ -1,14 +1,13 @@
 name: Upgrade Tests
 on:
 workflow_dispatch:
+permissions: {}
 jobs:
 build:
 name: Build and Test
 runs-on: ubuntu-latest
 permissions:
- actions: read
 contents: read
- security-events: write
 checks: write
 steps:
 - name: Free space
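Review bot: In upgrade-tests.yaml the `build` job keeps `checks: write` after `actions: read` and `security-events: write` are dropped, with nothing in the hunk saying which step needs the remaining write scope. A trailing comment on that line, for example `checks: write  # required by <step name>`, would let a later reader confirm the grant is still needed or remove it; the steps themselves are outside the hunk. As a style point, the new `permissions: {}` sits directly between `workflow_dispatch:` and `jobs:` with no blank lines, unlike the other workflows touched by this commit.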