diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f68f9d066..b3028ef5a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,6 +38,8 @@ jobs:
           - "go"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Get Go version directive from go.mod as major.minor
         id: go_version
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
index d1ab1574b..ff72e8e32 100644
--- a/.github/workflows/depsreview.yml
+++ b/.github/workflows/depsreview.yml
@@ -30,5 +30,7 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # 4.5.0
diff --git a/.github/workflows/e2e_test.yml b/.github/workflows/e2e_test.yml
index 03e770f02..3a1c6c22f 100644
--- a/.github/workflows/e2e_test.yml
+++ b/.github/workflows/e2e_test.yml
@@ -30,11 +30,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: '1.23'
+          go-version-file: './go.mod'
           check-latest: true
 
       - name: Cache Modules
diff --git a/.github/workflows/sync-module-tags.yaml b/.github/workflows/sync-module-tags.yaml
index 8e9f5da58..31b6e80a9 100644
--- a/.github/workflows/sync-module-tags.yaml
+++ b/.github/workflows/sync-module-tags.yaml
@@ -32,10 +32,14 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: true
+        env:
+          REF_NAME: ${{ github.ref_name }}
       - run: |
-          tag="${{ matrix.module }}/${{ github.ref_name }}"
+          tag="${{ matrix.module }}/${REF_NAME}"
           echo tagging "${tag}"
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "syncing module ${{ matrix.module }} @ ${{ github.ref_name }}"
+          git tag -a "${tag}" -m "syncing module ${{ matrix.module }} @ ${REF_NAME}"
           git push origin "${tag}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 51b92fd23..d584f52a6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,6 +39,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0