diff --git a/.github/workflows/add-prs-to-project.yml b/.github/workflows/add-prs-to-project.yml
new file mode 100644
index 00000000..1ac4035c
--- /dev/null
+++ b/.github/workflows/add-prs-to-project.yml
@@ -0,0 +1,21 @@
+name: Add new pull requests to a github project
+
+on:
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+
+permissions: {}
+
+jobs:
+  addprtoproject:
+    # Only run on the silverstripe account
+    if: github.repository_owner == 'silverstripe'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add PR to github project
+        uses: silverstripe/gha-add-pr-to-project@v1
+        with:
+          app_id: ${{ vars.PROJECT_PERMISSIONS_APP_ID }}
+          private_key: ${{ secrets.PROJECT_PERMISSIONS_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/dispatch-ci.yml b/.github/workflows/dispatch-ci.yml
index 2c2cd9cd..cda04736 100644
--- a/.github/workflows/dispatch-ci.yml
+++ b/.github/workflows/dispatch-ci.yml
@@ -1,9 +1,11 @@
 name: Dispatch CI
 
 on:
-  # At 12:20 PM UTC, only on Tuesday and Wednesday
+  # At 6:30 AM UTC, only on Tuesday and Wednesday
   schedule:
-    - cron: '20 12 * * 2,3'
+    - cron: '30 6 * * 2,3'
+
+permissions: {}
 
 jobs:
   dispatch-ci:
@@ -11,6 +13,9 @@ jobs:
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - name: Dispatch CI
         uses: silverstripe/gha-dispatch-ci@v1
diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml
index a78d7714..a607d570 100644
--- a/.github/workflows/keepalive.yml
+++ b/.github/workflows/keepalive.yml
@@ -1,17 +1,21 @@
 name: Keepalive
 
 on:
-  # At 2:10 AM UTC, on day 11 of the month
+  # At 3:15 AM UTC, on day 24 of the month
   schedule:
-    - cron: '10 2 11 * *'
+    - cron: '15 3 24 * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   keepalive:
     name: Keepalive
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Keepalive
         uses: silverstripe/gha-keepalive@v1
diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml
index edf290a3..d7a188fa 100644
--- a/.github/workflows/merge-up.yml
+++ b/.github/workflows/merge-up.yml
@@ -1,17 +1,22 @@
 name: Merge-up
 
 on:
-  # At 12:20 PM UTC, only on Saturday
+  # At 6:30 AM UTC, only on Saturday
   schedule:
-    - cron: '20 12 * * 6'
+    - cron: '30 6 * * 6'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   merge-up:
     name: Merge-up
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - name: Merge-up
         uses: silverstripe/gha-merge-up@v1
diff --git a/.github/workflows/update-js.yml b/.github/workflows/update-js.yml
index fe3653e7..fb01dfef 100644
--- a/.github/workflows/update-js.yml
+++ b/.github/workflows/update-js.yml
@@ -2,9 +2,11 @@ name: Update JS
 
 on:
   workflow_dispatch:
-  # Run on a schedule of once per quarter
+  # At 10:50 AM UTC, on day 1 of the month, only in March and September
   schedule:
-    - cron: '10 2 1 */3 *'
+    - cron: '50 10 1 3,9 *'
+
+permissions: {}
 
 jobs:
   update-js:
@@ -12,6 +14,10 @@ jobs:
     # Only run cron on the silverstripe account
     if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
     steps:
       - name: Update JS
         uses: silverstripe/gha-update-js@v1