diff --git a/.github/actions/checkout-and-setup/action.yml b/.github/actions/checkout-and-setup/action.yml
index 28aa18aba..3f01e4b7a 100644
--- a/.github/actions/checkout-and-setup/action.yml
+++ b/.github/actions/checkout-and-setup/action.yml
@@ -5,10 +5,9 @@ runs:
   using: 'composite'
   steps:
     - name: Setup pnpm
-      uses: pnpm/action-setup@v2.4.0
+      uses: pnpm/action-setup@v4.0.0
       with:
         run_install: false
-        version: 8.6.0
     - name: Install Node.js
       uses: actions/setup-node@v4
       with:
diff --git a/.github/workflows/bump-package-version.yml b/.github/workflows/bump-package-version.yml
index 25f3391bf..32c12f52a 100644
--- a/.github/workflows/bump-package-version.yml
+++ b/.github/workflows/bump-package-version.yml
@@ -2,13 +2,6 @@ name: Bump Package Version
 
 on:
   workflow_dispatch:
-    branches:
-      - main
-    secrets:
-      TEMPORAL_CICD_APP_ID:
-        required: true
-      TEMPORAL_CICD_PRIVATE_KEY:
-        required: true
     inputs:
       bump:
         required: true
@@ -37,9 +30,7 @@ jobs:
         with:
           app_id: ${{ secrets.TEMPORAL_CICD_APP_ID }}
           private_key: ${{ secrets.TEMPORAL_CICD_PRIVATE_KEY }}
-          permissions:
-            contents: read
-            pull_requests: write
+
       - name: Configure Git
         run: |
           git config --local user.name 'Temporal Data (cicd)'
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 9d453cc44..7722180a4 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -3,11 +3,6 @@ name: Publish npm Package
 on:
   pull_request:
     types: [closed]
-  secrets:
-    TEMPORAL_CICD_APP_ID:
-      required: true
-    TEMPORAL_CICD_PRIVATE_KEY:
-      required: true
 
 jobs:
   publish:
@@ -35,9 +30,7 @@ jobs:
         with:
           app_id: ${{ secrets.TEMPORAL_CICD_APP_ID }}
           private_key: ${{ secrets.TEMPORAL_CICD_PRIVATE_KEY }}
-          permissions:
-            contents: write
-            pull_requests: write
+
       - name: Create Release
         run: |
           version=`cat ./package.json | jq -r .version`
diff --git a/.github/workflows/update-ui-server.yml b/.github/workflows/update-ui-server.yml
index 02e52deb1..b27ce18ae 100644
--- a/.github/workflows/update-ui-server.yml
+++ b/.github/workflows/update-ui-server.yml
@@ -4,11 +4,6 @@ on:
   push:
     branches:
       - main
-    secrets:
-      TEMPORAL_CICD_APP_ID:
-        required: true
-      TEMPORAL_CICD_PRIVATE_KEY:
-        required: true
 
 jobs:
   sync:
@@ -21,6 +16,13 @@ jobs:
       - name: Checkout and Setup Node
         uses: ./.github/actions/checkout-and-setup
 
+      - name: Prepare checkout token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.TEMPORAL_CICD_APP_ID }}
+          private_key: ${{ secrets.TEMPORAL_CICD_PRIVATE_KEY }}
+
       - uses: actions/setup-go@v3
         with:
           go-version-file: server/go.mod
@@ -32,16 +34,6 @@ jobs:
           version: '3.x'
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Prepare checkout token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.TEMPORAL_CICD_APP_ID }}
-          private_key: ${{ secrets.TEMPORAL_CICD_PRIVATE_KEY }}
-          permissions:
-            contents: read
-            pull_requests: write
-
       - name: Checkout UI Server
         uses: actions/checkout@v4
         with: