diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 32801df..8d7002f 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -4,10 +4,15 @@ on:
     tags:
       - '*.*.*'
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   auto-tag:
     name: Auto-tag
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Auto-tag
         uses: silverstripe/gha-auto-tag@v1
diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml
index 8a2197e..7c5a895 100644
--- a/.github/workflows/keepalive.yml
+++ b/.github/workflows/keepalive.yml
@@ -1,17 +1,21 @@
 name: Keepalive
 
 on:
-  # At 12:00 AM UTC, on day 21 of the month
+  # At 1:05 PM UTC, on day 2 of the month
   schedule:
-    - cron: '0 0 21 * *'
+    - cron: '5 13 2 * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   keepalive:
     name: Keepalive
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Keepalive
         uses: silverstripe/gha-keepalive@v1
diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml
index a284f0e..a4be998 100644
--- a/.github/workflows/merge-up.yml
+++ b/.github/workflows/merge-up.yml
@@ -1,17 +1,22 @@
 name: Merge-up
 
 on:
-  # At 12:00 AM UTC, only on Saturday
+  # At 4:20 AM UTC, only on Wednesday
   schedule:
-    - cron: '0 0 * * 6'
+    - cron: '20 4 * * 3'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   merge-up:
     name: Merge-up
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - name: Merge-up
         uses: silverstripe/gha-merge-up@v1
diff --git a/.github/workflows/tag-patch-release.yml b/.github/workflows/tag-patch-release.yml
index 0950def..ff4cd3b 100644
--- a/.github/workflows/tag-patch-release.yml
+++ b/.github/workflows/tag-patch-release.yml
@@ -18,6 +18,7 @@ jobs:
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
     permissions:
+      actions: write
       contents: write
     steps:
       - name: Tag release