diff --git a/.github/workflows/build-lint-test.yaml b/.github/workflows/build-lint-test.yaml
index a426a3c..876ebb0 100644
--- a/.github/workflows/build-lint-test.yaml
+++ b/.github/workflows/build-lint-test.yaml
@@ -46,7 +46,7 @@ jobs:
       - name: 📥 Install Dependencies
         run: yarn install --immutable
 
-      - name: 🏗️ Build TypeScript
+      - name: 🏗️ Build
         run: yarn build
         env:
           WIREIT_LOGGER: metrics
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 011f68a..d7dba7c 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -4,23 +4,17 @@ name: CodeQL
 
 on:
   workflow_call:
-    inputs:
-      node-version:
-        description: "Node.js version"
-        required: true
-        default: "lts/*"
-        type: string
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 
 jobs:
-  analyze-code-ql:
+  main:
     name: CodeQL Analyze
     runs-on: ubuntu-latest
 
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 08cde49..dd90cf1 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -4,21 +4,15 @@ name: Dependency Review
 
 on:
   workflow_call:
-    inputs:
-      node-version:
-        description: "Node.js version"
-        required: true
-        default: "lts/*"
-        type: string
+
+permissions:
+  contents: read
 
 jobs:
-  dependency-review:
+  main:
     name: Dependency Review
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-
     steps:
       - name: ⤵️ Checkout repository
         uses: actions/checkout@v4
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 0ee9d4f..d378463 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -14,17 +14,17 @@ on:
 env:
   NODE_VERSION: lts/*
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
-  publish-npm:
+  main:
     if: github.repository_owner == 'the-nexim'
 
     name: Publish NPM
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      id-token: write
-
     steps:
       - name: 📥 Checkout repository
         uses: actions/checkout@v4
@@ -55,7 +55,7 @@ jobs:
       - name: 🗃️ Cache Wireit
         uses: google/wireit@setup-github-actions-caching/v2
 
-      - name: 🏗️ Build TypeScript
+      - name: 🏗️ Build
         run: yarn build
         env:
           WIREIT_LOGGER: metrics
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ac6b718..54f89d6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,14 +15,14 @@ env:
   NODE_VERSION: lts/*
   GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}
 
+permissions:
+  contents: write
+
 jobs:
   main:
     name: Build & Lint & Test & Release
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: write
-
     steps:
       - name: ⤵️ Checkout repository
         uses: actions/checkout@v4
@@ -70,7 +70,7 @@ jobs:
       - name: 🗃️ Cache Wireit
         uses: google/wireit@setup-github-actions-caching/v2
 
-      - name: 🏗️ Build TypeScript
+      - name: 🏗️ Build
         run: yarn build
         env:
           WIREIT_LOGGER: metrics
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 2cbf1ce..837990d 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -3,22 +3,17 @@
 name: Sync labels
 
 on:
-  workflow_dispatch:
-  push:
-    branches:
-      - next
-    paths:
-      - .github/labels.yml
+  workflow_call:
+
+permissions:
+  contents: read
+  issues: write
 
 jobs:
-  labels:
+  main:
     name: Sync labels
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      issues: write
-
     steps:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v4