diff --git a/.github/workflows/dispatch-ci.yml b/.github/workflows/dispatch-ci.yml
index 8fcd7dd..5c525f4 100644
--- a/.github/workflows/dispatch-ci.yml
+++ b/.github/workflows/dispatch-ci.yml
@@ -1,9 +1,11 @@
 name: Dispatch CI
 
 on:
-  # At 12:10 PM UTC, only on Wednesday and Thursday
+  # At 2:10 AM UTC, only on Wednesday and Thursday
   schedule:
-    - cron: '10 12 * * 3,4'
+    - cron: '10 2 * * 3,4'
+
+permissions: {}
 
 jobs:
   dispatch-ci:
@@ -11,6 +13,9 @@ jobs:
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - name: Dispatch CI
         uses: silverstripe/gha-dispatch-ci@v1
diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml
index c03edab..f8ea6d6 100644
--- a/.github/workflows/keepalive.yml
+++ b/.github/workflows/keepalive.yml
@@ -1,17 +1,21 @@
 name: Keepalive
 
 on:
-  # At 10:50 AM UTC, on day 7 of the month
+  # At 2:10 AM UTC, on day 11 of the month
   schedule:
-    - cron: '50 10 7 * *'
+    - cron: '10 2 11 * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   keepalive:
     name: Keepalive
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Keepalive
         uses: silverstripe/gha-keepalive@v1
diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml
index 3bfedd4..9abcac2 100644
--- a/.github/workflows/merge-up.yml
+++ b/.github/workflows/merge-up.yml
@@ -1,17 +1,22 @@
 name: Merge-up
 
 on:
-  # At 12:10 PM UTC, only on Sunday
+  # At 2:10 AM UTC, only on Sunday
   schedule:
-    - cron: '10 12 * * 0'
+    - cron: '10 2 * * 0'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   merge-up:
     name: Merge-up
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - name: Merge-up
         uses: silverstripe/gha-merge-up@v1
diff --git a/.github/workflows/update-js.yml b/.github/workflows/update-js.yml
index 7056de1..143ce03 100644
--- a/.github/workflows/update-js.yml
+++ b/.github/workflows/update-js.yml
@@ -4,7 +4,9 @@ on:
   workflow_dispatch:
   # Run on a schedule of once per quarter
   schedule:
-    - cron: '50 10 1 */3 *'
+    - cron: '10 2 1 */3 *'
+
+permissions: {}
 
 jobs:
   update-js:
@@ -12,6 +14,10 @@ jobs:
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
     steps:
       - name: Update JS
         uses: silverstripe/gha-update-js@v1