diff --git a/.github/workflows/check-if-pr-has-label.yml b/.github/workflows/check-if-pr-has-label.yml
index e8b6c9c196625..3701c22caa9a8 100644
--- a/.github/workflows/check-if-pr-has-label.yml
+++ b/.github/workflows/check-if-pr-has-label.yml
@@ -4,14 +4,11 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled]
 
-permissions:
-  contents: read
-
 jobs:
   test-label-applied: # Tests that label is added on the PR
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      contents: read
     steps:
       - uses: mnajdova/github-action-required-labels@v2.1
         with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b12b43f00ef7b..1817071a27775 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,17 +12,14 @@ jobs:
       actions: read
       contents: read
       security-events: write
-
     strategy:
       fail-fast: false
       matrix:
         language: ['javascript', 'typescript']
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
@@ -34,7 +31,6 @@ jobs:
 
           # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           # queries: security-extended,security-and-quality
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
         with:
diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml
index 1168dce7972b9..0c49d70b73769 100644
--- a/.github/workflows/l10n.yml
+++ b/.github/workflows/l10n.yml
@@ -6,15 +6,13 @@ on:
       - master
       - next
 
-permissions:
-  contents: read
-
 jobs:
   # Tests dev-only scripts across all supported dev environments
   update-l10n:
+    runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
-    runs-on: ubuntu-latest
     steps:
       - run: echo "${{ github.actor }}"
       - uses: actions/checkout@v3
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index c794cf2c520a1..bfb7590524b3b 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -1,4 +1,4 @@
-name: 'Maintenance'
+name: Maintenance
 
 on:
   # So that PRs touching the same files as the push are updated
@@ -15,14 +15,12 @@ on:
       - next
     types: [synchronize]
 
-permissions:
-  contents: read
-
 jobs:
   main:
+    runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
-    runs-on: ubuntu-latest
     steps:
       - name: check if prs are dirty
         uses: eps1lon/actions-label-merge-conflict@releases/2.x
diff --git a/.github/workflows/issue-mark-duplicate.yml b/.github/workflows/mark-duplicate.yml
similarity index 89%
rename from .github/workflows/issue-mark-duplicate.yml
rename to .github/workflows/mark-duplicate.yml
index 0f74891c43346..9692bf2e1fb51 100644
--- a/.github/workflows/issue-mark-duplicate.yml
+++ b/.github/workflows/mark-duplicate.yml
@@ -1,18 +1,16 @@
-name: Issue Mark Duplicate
+name: Mark duplicate
 
 on:
   issue_comment:
     types: [created]
 
-permissions:
-  contents: read
-
 jobs:
   mark-duplicate:
+    runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
       pull-requests: write
-    runs-on: ubuntu-latest
     steps:
       - name: mark-duplicate
         uses: actions-cool/issues-helper@v3
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 3100803f87ca5..422f86ae34624 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -9,14 +9,12 @@ on:
     # Schedule for five minutes after the hour, every hour
     - cron: '5 * * * *'
 
-permissions:
-  contents: read
-
 jobs:
   noResponse:
+    runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
-    runs-on: ubuntu-latest
     steps:
       - uses: lee-dohm/no-response@v0.5.0
         with:
diff --git a/.github/workflows/support-stackoverflow.yml b/.github/workflows/support-stackoverflow.yml
index e647845ddfc29..63f69bca3a322 100644
--- a/.github/workflows/support-stackoverflow.yml
+++ b/.github/workflows/support-stackoverflow.yml
@@ -1,18 +1,16 @@
 # Configuration for support-requests - https://github.com/dessant/support-requests
-name: 'Support Stack Overflow'
+name: Support Stack Overflow
 
 on:
   issues:
     types: [labeled, unlabeled, reopened]
 
-permissions:
-  contents: read
-
 jobs:
   mark-support:
+    runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
-    runs-on: ubuntu-latest
     steps:
       - uses: dessant/support-requests@v2
         with:
diff --git a/.github/workflows/vale-action.yml b/.github/workflows/vale-action.yml
index e5dc00fff1eda..9e64a45bbd3ed 100644
--- a/.github/workflows/vale-action.yml
+++ b/.github/workflows/vale-action.yml
@@ -1,16 +1,14 @@
-name: reviewdog
+name: Vale action
 
 on: [pull_request]
 
-permissions:
-  contents: read
-
 jobs:
   vale:
-    permissions:
-      pull-requests: write
     name: runner / vale
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: errata-ai/vale-action@reviewdog