diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 004666da2..96dbde7ab 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -28,10 +28,14 @@ jobs:
 MD_CONFIG: .github/md_config.json
 DOC_SRC: README.md
 MD_LINT_CONFIG: .markdownlint.yaml
+
 build:
+
+ permissions:
+ contents: read
+
 runs-on: ubuntu-latest
 name: Build
- if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')"
 steps:
 - name: Check out code
 uses: actions/checkout@v4
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 8667b23ab..f4c9ae571 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -17,6 +17,11 @@ env:
 jobs:
 build:
+
+ permissions:
+ contents: read
+ packages: write # to push artifacts to `ghcr.io`
+
 name: Build
 if: github.event.pull_request.merged == true
 runs-on: ubuntu-latest
@@ -27,6 +32,7 @@ jobs:
 with:
 token: ${{ secrets.STAKATER_GITHUB_TOKEN }}
 fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+ submodules: recursive
 # Setting up helm binary
 - name: Set up Helm
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 20dbebe6e..9cd9bd8e2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,6 +15,11 @@ env:
 jobs:
 build:
+
+ permissions:
+ contents: read
+ packages: write # to push artifacts to `ghcr.io`
+
 name: GoReleaser build
 runs-on: ubuntu-latest
@@ -24,6 +29,7 @@ jobs:
 with:
 token: ${{ secrets.STAKATER_GITHUB_TOKEN }}
 fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+ submodules: recursive
 # Setting up helm binary
 - name: Set up Helm
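Review bot: In `.github/workflows/pull_request.yaml` the new `permissions:` block sits under `build:` only, so any other job in this workflow (the context lines ending at `MD_LINT_CONFIG` just above `build:` appear to belong to one) still receives the repository's default `GITHUB_TOKEN` scopes. A top-level `permissions:` mapping with `contents: read`, placed next to `jobs:`, would cover every job, with the job-level blocks kept only where a job needs more. Because naming any scope sets every unlisted scope to `none`, steps further down in `build` that call the API with `GITHUB_TOKEN` (outside this hunk) should be checked against `contents: read`. The same job-only scoping applies to the `build` jobs in the `push.yaml` and `release.yaml` hunks.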
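Review bot: The `permissions:` block added to `build` in `.github/workflows/push.yaml` limits only the automatic `GITHUB_TOKEN`; the checkout step of the same job (next hunk) authenticates with `secrets.STAKATER_GITHUB_TOKEN`, whose scopes this block does not touch. `contents: read` therefore does not make the job read-only towards the repository, and the existing comment about pushing refs suggests it is not meant to be. I would say so next to the block, e.g. `# applies to GITHUB_TOKEN only; the checkout token keeps its own scopes`, and confirm that the secret is limited to what the push needs. The identical block added in `release.yaml` carries the same caveat.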
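Review bot: `submodules: recursive` in the checkout step of `.github/workflows/push.yaml` extends a fetch that runs with `secrets.STAKATER_GITHUB_TOKEN` to every nested submodule, in a job that now holds `packages: write`. `actions/checkout` keeps the token in the local git configuration unless `persist-credentials: false` is set and, as far as I know, also configures it for the submodules, so later steps that execute submodule content run next to a usable credential. I would use `submodules: true` unless nested submodules are actually needed, and add a comment such as `# submodules: <names>, owned by <org>` (placeholders, to be filled in from `.gitmodules`) so a reviewer can see whose code is pulled in. The step starts above the hunk, and the same line is added to the checkout step in `release.yaml`.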
@@ -171,22 +177,7 @@ jobs:
 org.opencontainers.image.created=${{ steps.prep.outputs.created }}
 org.opencontainers.image.revision=${{ github.sha }}
- - uses: dorny/paths-filter@v3
- id: filter
- with:
- filters: |
- docs:
- - '.markdownlint.yaml'
- - '.vale.ini'
- - 'Dockerfile-docs'
- - 'docs-nginx.conf'
- - 'docs/**'
- - 'README.md'
- - 'theme_common'
- - 'theme_override'
-
 - name: Build and Push Docker Image for Docs to ghcr registry
- if: steps.filter.outputs.docs == 'true'
 uses: docker/build-push-action@v5
 with:
 context: .