diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index a6068a10..bffe3063 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -2,6 +2,9 @@ name: Codespell on: [ pull_request ] +permissions: + contents: read + jobs: codespell: runs-on: ubuntu-latest diff --git a/.github/workflows/container-image.yaml b/.github/workflows/container-image.yaml index 608f9ab4..d1bf91f7 100644 --- a/.github/workflows/container-image.yaml +++ b/.github/workflows/container-image.yaml @@ -2,20 +2,13 @@ name: container-image on: push: - branches: - - main - - release-* - # Sequence of patterns matched against refs/tags tags: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 pull_request: - branches: - - main - - release-* permissions: - contents: write + contents: read packages: write jobs: diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 07c961dc..4ae1bc88 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -5,13 +5,18 @@ on: branches: ["main"] pull_request_target: types: ["opened", "synchronize", "reopened", "labeled", "unlabeled"] - branches: ["main"] + +permissions: + contents: read jobs: e2e: if: ${{ ! contains( github.event.pull_request.labels.*.name, 'e2e/none') }} runs-on: capmox-e2e environment: e2e + concurrency: + group: e2e-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true env: PROXMOX_URL: ${{ secrets.PROXMOX_URL }} PROXMOX_TOKEN: ${{ secrets.PROXMOX_TOKEN }} @@ -38,7 +43,7 @@ jobs: run: echo 'SKIP_E2E=""' >> "$GITHUB_ENV" - name: Run e2e tests - run: "make test-e2e GINKGO_SKIP=${{ env.SKIP_E2E }}" + run: make test-e2e "GINKGO_SKIP=$SKIP_E2E" - name: Upload artifacts uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9a96b4a1..3842b155 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
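Review bot: In .github/workflows/container-image.yaml, `packages: write` stays at workflow level while the `pull_request` trigger loses its `branches` filter, so every job in a PR run from a branch of this repository receives a token that can publish packages. The jobs are outside this hunk, so this is inferred: if only the job that pushes the image needs it, declare `permissions: {contents: read, packages: write}` on that job and reduce the workflow-level block to `contents: read`. The commit description should also say that pushes to `main` and `release-*` no longer trigger this workflow, since only `v*` tags remain under `push`.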
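Review bot: In .github/workflows/e2e.yml (first hunk), the added `permissions: contents: read` narrows only GITHUB_TOKEN; `PROXMOX_URL` and `PROXMOX_TOKEN` are still exported in job-level `env` to every step of a `pull_request_target` job on the self-hosted runner `capmox-e2e`, and the trigger no longer has a `branches` filter. The checkout step and the protection rules of the `e2e` environment are outside this hunk, so whether pull-request code runs only after approval cannot be confirmed here. I would record the assumption next to the trigger, for example `# pull_request_target: secrets are exposed to this job; the e2e environment must require reviewer approval`, and move the two secrets from job `env` to the step that runs the tests. Separately, with `labeled`/`unlabeled` in `types` and `cancel-in-progress: true`, a label change on a PR starts a new run that can cancel the e2e job already in progress.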
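Review bot: In .github/workflows/e2e.yml (second hunk), the context line `echo 'SKIP_E2E=""' >> "$GITHUB_ENV"` stores two literal quote characters as the value, and the new `"GINKGO_SKIP=$SKIP_E2E"` passes them to make unchanged, whereas the old inlined form let the shell strip them. Depending on how the Makefile uses GINKGO_SKIP (not visible here), the skip pattern may now be `""` instead of empty. Writing the value without quotes, `run: echo 'SKIP_E2E=' >> "$GITHUB_ENV"`, keeps the old and new forms equivalent; any other step that sets SKIP_E2E outside this hunk needs the same check. The step that sets the variable starts above the hunk.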
@@ -26,7 +26,7 @@ jobs: go-version-file: go.mod - name: generate release artifacts run: | - make release-manifests RELEASE_VERSION=${{ env.RELEASE_TAG }} + make release-manifests "RELEASE_VERSION=$RELEASE_TAG" - name: generate release templates run: | make release-templates diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 38386f9e..21ebdb1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,7 +3,9 @@ on: push: branches: ["main"] pull_request: - branches: ["main"] + +permissions: + contents: read jobs: test: @@ -28,12 +30,10 @@ jobs: -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: SonarQube if: github.event_name == 'push' uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
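Review bot: In .github/workflows/release.yml, `"RELEASE_VERSION=$RELEASE_TAG"` expands to an empty version when RELEASE_TAG is unset, and the step that sets it is outside this hunk. A guard as the first line of the `run` block, `: "${RELEASE_TAG:?RELEASE_TAG is not set}"`, would stop the release before manifests are generated with an empty version.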