diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index cbef29ff4fd..23969e55dca 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -4,7 +4,7 @@ on:
 name: Benchmark
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions: { }
 
 jobs:
     benchmark:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e897caf229f..fa32568bd83 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
 name: CI
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
@@ -71,7 +71,9 @@ jobs:
 
       - name: "Run if style changes have been detected"
         if: steps.commit_style_fix.outputs.changes_detected == 'true'
-        run: echo "${{steps.commit_style_fix.outputs.commit_hash}}" >> .git-blame-ignore-revs
+        run: echo "$HASH" >> .git-blame-ignore-revs
+        env:
+            HASH: ${{steps.commit_style_fix.outputs.commit_hash}}
 
       - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         id: commit_rev_ignore
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index a1ef3c28730..91dc76873b2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -59,8 +59,10 @@ jobs:
       - name: Setup Graphviz
         uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2
 
-      - run: ./gradlew -Pversion=${{ github.event.inputs.version }} alljavadoc
+      - run: ./gradlew -Pversion=$VERSION alljavadoc
         working-directory: sdk
+        env:
+          VERSION: ${{ github.event.inputs.version }}
 
       - run: rsync -r sdk/build/docs/javadoc/ doc/javadoc
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index be091be7ee5..d2cc4d52de9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,8 +36,9 @@ jobs:
           SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
           PASSPHRASE: ${{ secrets.PASSPHRASE }}
 
-      - run: ./gradlew -Pversion=${{ github.ref_name }} clean test javadoc publishToSonatype closeAndReleaseSonatypeStagingRepository
+      - run: ./gradlew -Pversion=$REF_NAME clean test javadoc publishToSonatype closeAndReleaseSonatypeStagingRepository
         env:
+          REF_NAME: ${{ github.ref_name }}
           CTP_OSS_USER: ${{ secrets.OSS_USER }}
           CTP_OSS_SECRET: ${{ secrets.OSS_SECRET }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -76,7 +77,9 @@ jobs:
 
       - uses: gradle/wrapper-validation-action@216d1ad2b3710bf005dc39237337b9673fd8fcd5 # v3.3.2
 
-      - run: ./gradlew -Pversion=${{ github.ref_name }} writeVersionToExamples writeVersionToReadme setVersion nextMinorVersion snapshotVersion
+      - run: ./gradlew -Pversion=$REF_NAME writeVersionToExamples writeVersionToReadme setVersion nextMinorVersion snapshotVersion
+        env:
+          REF_NAME: ${{ github.ref_name }}
 
       - name: "Switch SDK to after release branch"
         run: |
@@ -150,8 +153,11 @@ jobs:
       - name: Setup Graphviz
         uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2
 
-      - run: ./gradlew -Pversion=${{ github.ref_name }} alljavadoc
+      - run: ./gradlew -Pversion=$REF_NAME alljavadoc
         working-directory: sdk
+        env:
+            REF_NAME: ${{ github.ref_name }}
+
 
       - run: rsync -r sdk/build/docs/javadoc/ doc/javadoc