diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 48fb24b2476..c69f0f8d7a8 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -33,6 +33,7 @@ jobs:
 get_pr_details:
 permissions:
 actions: read # download PR artifact
+ contents: read # checkout code
 # Guardrails to only ever run if PR recording workflow was indeed
 # run in a PR event and ran successfully
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
index d378a5d3e9d..8f7194097e3 100644
--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
@@ -32,6 +32,7 @@ jobs:
 get_pr_details:
 permissions:
 actions: read # download PR artifact
+ contents: read # checkout code
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index f3896118d10..e435d59951d 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -33,6 +33,7 @@ jobs:
 get_pr_details:
 permissions:
 actions: read # download PR artifact
+ contents: read # checkout code
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 79e77bd9488..1b9cb2f4de2 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -33,6 +33,7 @@ jobs:
 get_pr_details:
 permissions:
 actions: read # download PR artifact
+ contents: read # checkout code
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
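Review bot: The guard on `get_pr_details` in label_pr_on_title.yml does not enforce what its comment promises: the comment says the job runs only when the recording workflow ran in a PR event and succeeded, but the condition tests only `github.event.workflow_run.conclusion == 'success'`. The on_label_added.yml and on_opened_pr.yml hunks have the same conclusion-only guard, while on_merged_pr.yml also checks the triggering event. Since this commit widens the job token with `contents: read`, I would align the three guards with on_merged_pr.yml, `if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'`. If the recording workflow can only be triggered by `pull_request`, the comment should say that instead. The job definition continues outside the hunk.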
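Review bot: The added comment `# checkout code` in on_label_added.yml (and the identical line in the other three hunks) does not say which ref the called workflow checks out. The job runs on `workflow_run` with a base-repository token and consumes an artifact produced by the PR run, so it matters for review. reusable_export_pr_details.yml is not visible here; presumably it checks out the default branch and treats the artifact as data only, which is worth confirming. I would record that in the comment, for example `contents: read # checkout base-branch code only; PR data comes from the artifact`. The `with:` block of the job continues outside the hunk.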
diff --git a/.github/workflows/on_pr_updates.yml b/.github/workflows/on_pr_updates.yml index 003bc0880a8..2663d707399 100644 --- a/.github/workflows/on_pr_updates.yml +++ b/.github/workflows/on_pr_updates.yml @@ -17,7 +17,7 @@ name: PR requirements # due to limitations in GH API. on: - pull_request: + pull_request: types: - opened - labeled @@ -26,7 +26,7 @@ on: permissions: {} # no permission required jobs: - fail-for-draft: + check-requirements: runs-on: ubuntu-latest steps: - name: Block if it doesn't minimum requirements