diff --git a/.github/actions/step_publish_test_results/action.yml b/.github/actions/step_publish_test_results/action.yml
index 52bc7b1f62d..271ef78f5d3 100644
--- a/.github/actions/step_publish_test_results/action.yml
+++ b/.github/actions/step_publish_test_results/action.yml
@@ -19,9 +19,6 @@ inputs:
     required: false
     default: "0.3"
     type: string
-  token:
-    description: 'A Github PAT'
-    required: true
   context:
     description: 'The context of the status'
     required: false
@@ -56,17 +53,3 @@ runs:
       indicators: true
       output: both
       thresholds: '${{ inputs.coverageThreshold }} 80'
-  # - name: Sending PR status to checkenforcer
-  #   run: |-
-  #     gh api \
-  #       --method POST \
-  #       -H "Accept: application/vnd.github+json" \
-  #       -H "X-GitHub-Api-Version: 2022-11-28" \
-  #       /repos/${{ github.repository }}/statuses/${{ github.sha }} \
-  #       -f state='success' \
-  #       -f target_url='https://github.com/microsoft/promptflow/actions/runs/${{ github.run_id }}' \
-  #       -f description='The build succeeded!' \
-  #       -f context='${{ inputs.context }}'
-  #   shell: bash -el {0}
-  #   env:
-  #     GITHUB_TOKEN: ${{ inputs.token }}
diff --git a/.github/workflows/check_enforcer.yml b/.github/workflows/check_enforcer.yml
index f74e757e8ec..e3f1034a824 100644
--- a/.github/workflows/check_enforcer.yml
+++ b/.github/workflows/check_enforcer.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   check_enforcer:
     runs-on: ubuntu-latest
+    permissions:
+      checks: read
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - run: git fetch origin main
diff --git a/.github/workflows/promptflow-executor-e2e-test.yml b/.github/workflows/promptflow-executor-e2e-test.yml
index 059bd54fb27..5b93cb2f6ac 100644
--- a/.github/workflows/promptflow-executor-e2e-test.yml
+++ b/.github/workflows/promptflow-executor-e2e-test.yml
@@ -143,7 +143,11 @@ jobs:
     name: "Publish Tests Results"
     needs: executor_e2e_tests
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
     if: always()
     steps:
     - name: checkout
@@ -161,5 +165,4 @@ jobs:
         osVersion: ubuntu-latest
         pythonVersion: 3.9
         coverageThreshold: 70
-        token: ${{ secrets.GITHUB_TOKEN }}
         context: test/executor_e2e
diff --git a/.github/workflows/promptflow-executor-unit-test.yml b/.github/workflows/promptflow-executor-unit-test.yml
index 896994c595e..9f045af3c7f 100644
--- a/.github/workflows/promptflow-executor-unit-test.yml
+++ b/.github/workflows/promptflow-executor-unit-test.yml
@@ -146,7 +146,11 @@ jobs:
     name: "Publish Tests Results"
     needs: executor_unit_tests
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
     if: always()
 
     steps:
diff --git a/.github/workflows/promptflow-global-config-test.yml b/.github/workflows/promptflow-global-config-test.yml
index 6c9af8a2ddc..a2059f0a11d 100644
--- a/.github/workflows/promptflow-global-config-test.yml
+++ b/.github/workflows/promptflow-global-config-test.yml
@@ -95,7 +95,11 @@ jobs:
     name: "Publish Tests Results"
     needs: sdk_cli_global_config_tests
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
     if: always()
 
     steps:
@@ -111,5 +115,4 @@ jobs:
         osVersion: ubuntu-latest
         pythonVersion: 3.9
         coverageThreshold: 0
-        token: ${{ secrets.GITHUB_TOKEN }}
         context: test/sdk_cli
diff --git a/.github/workflows/promptflow-sdk-cli-test.yml b/.github/workflows/promptflow-sdk-cli-test.yml
index 83f26090537..33f87c64c38 100644
--- a/.github/workflows/promptflow-sdk-cli-test.yml
+++ b/.github/workflows/promptflow-sdk-cli-test.yml
@@ -160,7 +160,11 @@ jobs:
     name: "Publish Tests Results"
     needs: sdk_cli_tests
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
     if: always()
 
     steps:
diff --git a/.github/workflows/sdk-cli-azure-test.yml b/.github/workflows/sdk-cli-azure-test.yml
index 24d7243eab7..4cbf98b6145 100644
--- a/.github/workflows/sdk-cli-azure-test.yml
+++ b/.github/workflows/sdk-cli-azure-test.yml
@@ -134,7 +134,11 @@ jobs:
     name: "Publish Tests Results"
     needs: sdk_cli_azure_test
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: read
+      issues: read
     if: always()
 
     steps:
@@ -148,5 +152,4 @@ jobs:
         osVersion: ubuntu-latest
         pythonVersion: 3.9
         coverageThreshold: 40
-        token: ${{ secrets.GITHUB_TOKEN }}
         context: test/sdk_cli
diff --git a/.github/workflows/tools_release_tag.yml b/.github/workflows/tools_release_tag.yml
index 848a00a7f64..334d1a457b1 100644
--- a/.github/workflows/tools_release_tag.yml
+++ b/.github/workflows/tools_release_tag.yml
@@ -21,6 +21,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v3