diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 38ed3fa60..1ec6524ed 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -9,5 +9,7 @@ jobs: actionlint: name: Run actionlint runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@12966547963631f8429d42bab860485b413003c2 # v1.0.22 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index d4c8ebbe5..75dc0615f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -6,5 +6,7 @@ on: jobs: dependency-review: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@12966547963631f8429d42bab860485b413003c2 # v1.0.22 diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index ed9f64bc6..04c4652de 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -13,15 +13,13 @@ on: - "docs/**" - ".github/workflows/deploy-docs.yml" -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write - jobs: deploy-docs: runs-on: ubuntu-latest + permissions: + contents: read + pages: write + id-token: write steps: - id: build_docs uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@12966547963631f8429d42bab860485b413003c2 # v1.0.22 diff --git a/.github/workflows/dockercompose-healthcheck.yml b/.github/workflows/dockercompose-healthcheck.yml index 34c6d30bf..6fc26bc95 100644 --- a/.github/workflows/dockercompose-healthcheck.yml +++ b/.github/workflows/dockercompose-healthcheck.yml 
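Review bot: The job-level block in deploy-docs.yml drops the comment that explained why the token needs `pages: write` and `id-token: write`; keep that rationale next to the new block, e.g. `# GITHUB_TOKEN scopes for the Pages deployment: pages: write publishes the site, id-token: write lets the deploy action request an OIDC token` placed directly above `permissions:` under `deploy-docs`. Removing the workflow-level `permissions:` also means any other job in this file (none is visible in the hunk) now falls back to the repository's default token permissions, which can still be read-write on older repositories; a top-level `permissions: {}` keeps the floor explicit while each job opts in. The same explicit floor would make the per-job `contents: read` blocks added to actionlint.yml and dependency-review.yml self-contained.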
@@ -8,6 +8,8 @@ jobs: docker-compose-healthcheck: name: Run docker compose healthcheck runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@12966547963631f8429d42bab860485b413003c2 # v1.0.22 with: diff --git a/.github/workflows/maven-node-build.yml b/.github/workflows/maven-node-build.yml index 8fca95a89..147997b35 100644 --- a/.github/workflows/maven-node-build.yml +++ b/.github/workflows/maven-node-build.yml @@ -9,6 +9,9 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write env: TZ: Europe/Berlin # timezone strategy: diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 100902584..e67463422 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -22,6 +22,9 @@ on: jobs: release-maven: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write outputs: MVN_ARTIFACT_ID: ${{ steps.maven-release-step.outputs.MVN_ARTIFACT_ID }} ARTIFACT_NAME: ${{ steps.maven-release-step.outputs.artifact-name }} @@ -34,6 +37,7 @@ jobs: app-path: ${{ github.event.inputs.app-path }} releaseVersion: ${{ github.event.inputs.releaseVersion }} developmentVersion: ${{ github.event.inputs.developmentVersion }} + use-pr: 'true' SIGN_KEY_PASS: ${{ secrets.gpg_passphrase }} CENTRAL_USERNAME: ${{ secrets.sonatype_username }} CENTRAL_PASSWORD: ${{ secrets.sonatype_password }} @@ -42,6 +46,8 @@ jobs: build-image: runs-on: ubuntu-latest needs: release-maven + permissions: + packages: write steps: - uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@12966547963631f8429d42bab860485b413003c2 # v1.0.22 with: 
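Review bot: `packages: write` in maven-node-build.yml is granted to the whole matrix `build` job, so every step of every matrix leg can publish to GitHub Packages, not only the step meant to do so. If this workflow also runs on `pull_request` (the `on:` block is outside the hunk), a change to the build scripts in a same-repository PR can push packages with the job's token; fork PRs receive a read-only token regardless. Confirm the publishing step is gated, e.g. `if: github.event_name != 'pull_request'`, or move publishing into its own job that alone carries `packages: write` while `build` keeps just `contents: read`.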
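Review bot: `use-pr: 'true'` in maven-release.yml switches the release to a pull request, and `release-maven` now carries `contents: write` and `pull-requests: write` for that, but a PR opened with the default `GITHUB_TOKEN` does not trigger `pull_request` or `push` workflows, so the release PR will show no CI checks and any required-status branch protection will block it. If checks are expected on that PR, the action has to be given a GitHub App installation token or a PAT via a secret, and the two write scopes on the job token may then be narrowed. The `with:` block this input belongs to starts outside the hunk.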
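Review bot: The `permissions:` block added to `build-image` in maven-release.yml lists only `packages: write`, which sets every unlisted scope of the token, including `contents`, to `none`; if the wrapped build-image action checks out the repository to read the Dockerfile, that checkout fails on a private repository and depends on anonymous clone access on a public one. Add the read scope explicitly, matching the `contents: read` the other jobs in this diff received: `permissions:` / `contents: read` / `packages: write`. Whether the action performs a checkout is not visible here and should be confirmed against the action's source.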
@@ -57,6 +63,8 @@ jobs: create-github-release: needs: release-maven runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Download a single artifact uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@12966547963631f8429d42bab860485b413003c2 # v1.0.22 diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml index ffdd1dffc..b6779c710 100644 --- a/.github/workflows/npm-release.yml +++ b/.github/workflows/npm-release.yml @@ -40,6 +40,7 @@ jobs: with: app-path: ${{ inputs.app-path }} releaseVersion: ${{ inputs.release-version }} + use-pr: 'true' - id: node uses: it-at-m/lhm_actions/action-templates/actions/action-npm-build@12966547963631f8429d42bab860485b413003c2 # v1.0.22 with: @@ -52,8 +53,10 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Centralized token in it-at-m GitHub organization build-image: - runs-on: ubuntu-latest needs: release + runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@12966547963631f8429d42bab860485b413003c2 # v1.0.22 with: @@ -65,9 +68,12 @@ jobs: image-tags: | type=semver,pattern={{version}},value=${{ needs.release.outputs.ARTIFACT_VERSION }} type=raw,value=latest + create-github-release: needs: release runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Create GitHub Release uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@12966547963631f8429d42bab860485b413003c2 # v1.0.22
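Review bot: `use-pr: 'true'` in npm-release.yml makes the release step open a pull request, but unlike maven-release.yml, where `release-maven` was given `contents: write` and `pull-requests: write` in the same commit, no `permissions:` block for the `release` job appears in this diff, and the job's header is outside the hunk. With the default token and no `pull-requests: write`, PR creation fails, and a PR opened by `GITHUB_TOKEN` triggers no workflow runs in any case. Confirm the `release` job (or a workflow-level block) grants `contents: write` and `pull-requests: write`, or supply an App or PAT token to the action if CI checks on the release PR are required.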
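Review bot: The new `permissions:` block on `build-image` in npm-release.yml grants only `packages: write`, which turns off every unlisted scope, including `contents`; if the wrapped action clones the repository for the Docker build context, the clone needs `contents: read`, which is mandatory on private repositories. The other jobs in this diff declare `contents: read` explicitly, so add it here too: `permissions:` / `contents: read` / `packages: write`. The swap of `needs:` and `runs-on:` is cosmetic and needs no change.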