diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3a3fd02..396208e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,6 +13,8 @@ permissions: jobs: find-uncached: + name: "Find uncached packages" + if: github.repository == 'notashelf/nyxexprs' runs-on: ubuntu-latest outputs: uncached: ${{ steps.get-packages.outputs.packages }} @@ -36,10 +38,10 @@ jobs: echo -n "packages=$packages" >> "$GITHUB_OUTPUT" build-uncached: - needs: packages + needs: find-uncached strategy: matrix: - package: ${{ fromJSON(needs.find_uncached.outputs.uncached) }} + package: ${{ fromJSON(needs.find-uncached.outputs.uncached) }} uses: ./.github/workflows/nix.yml with: command: nix build "github:notashelf/nyxexprs/${{ github.ref }}#${{ matrix.package }}" diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 72c3122..5174715 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -1,7 +1,11 @@ -name: Checks +name: Run Checks on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + id-token: write + jobs: check: strategy: @@ -9,7 +13,6 @@ jobs: command: - NIXPKGS_ALLOW_INSECURE=1 nix flake check --accept-flake-config --impure - nix run .#alejandra-custom -- -c . -e ./npins - uses: ./.github/workflows/nix.yml with: command: ${{ matrix.command }} diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml index 5300b77..f317f0f 100644 --- a/.github/workflows/update-flake.yml +++ b/.github/workflows/update-flake.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "0 0 * * 0" # weekly +permissions: + contents: read + id-token: write + jobs: update: if: github.repository == 'notashelf/nyxexprs' diff --git a/.github/workflows/update-pkgs.yml b/.github/workflows/update-pkgs.yml index cee32b0..790e5d6 100644 --- a/.github/workflows/update-pkgs.yml +++ b/.github/workflows/update-pkgs.yml 
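Review bot: In `.github/workflows/build.yml`, the `build-uncached` matrix is fed straight from `fromJSON(needs.find-uncached.outputs.uncached)` with no guard for an empty list, and GitHub Actions fails a job whose matrix vector contains no values. If `find-uncached` can emit `[]` when everything is already cached (its script is outside the hunk, so this is unverified), add a job-level condition such as `if: needs.find-uncached.outputs.uncached != '[]'`. Separately, `github.ref` and `matrix.package` are expanded into the `command` string handed to `nix.yml`; how that input is executed is not visible here, so confirm it reaches the shell through an environment variable rather than being template-expanded into a `run:` script. The `build-uncached` job continues past the end of the hunk.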
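Review bot: In `.github/workflows/check.yml`, the new workflow-level `id-token: write` has no visible consumer and applies to every trigger in `on: [push, pull_request, workflow_dispatch]`. The job it covers runs `nix flake check --accept-flake-config --impure`, so configuration supplied by the checked-out flake is evaluated in a job that is allowed to request an OIDC token. If a step inside `nix.yml` needs the token, record that next to the grant, e.g. `id-token: write # required by <step in nix.yml> for OIDC`; otherwise drop the line and keep only `contents: read`. A called workflow cannot receive more permissions than its caller, so this block also caps `nix.yml` at `contents: read`, which is worth confirming is sufficient.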
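Review bot: In `.github/workflows/update-flake.yml` (and the identical block added to `update-pkgs.yml`), declaring `permissions:` sets every scope that is not listed to `none`, so the `update` job now runs with `contents: read` and no `pull-requests` access. If that job commits or opens a pull request with the default `GITHUB_TOKEN` (its steps are outside the hunk, so this is unverified), it will be denied; it would then need `contents: write` and, for pull requests, `pull-requests: write`, preferably set on the `update` job rather than the whole workflow. If a dedicated token secret does the push instead, a comment such as `# pushes use a dedicated token; GITHUB_TOKEN stays read-only` would record why read access is enough. The `id-token: write` grant has no visible consumer in either file and should be removed if nothing in these workflows requests an OIDC token.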
@@ -5,6 +5,10 @@ on: schedule: - cron: "0 0 * * *" # daily +permissions: + contents: read + id-token: write + jobs: update: if: github.repository == 'notashelf/nyxexprs'