diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml
index bbbe1ab0d..f28a02101 100644
--- a/.github/workflows/block-merge-freeze.yml
+++ b/.github/workflows/block-merge-freeze.yml
@@ -29,11 +29,29 @@ jobs:
 
     steps:
       - name: Register server reference to fallback to master branch
-        run: |
-          server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)"
-          echo "server_ref=$server_ref" >> $GITHUB_ENV
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
       - name: Download version.php from ${{ env.server_ref }}
+        if: ${{ env.server_ref != '' }}
         run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php
 
       - name: Run check
+        if: ${{ env.server_ref != '' }}
         run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
diff --git a/.github/workflows/composer-auto.yml b/.github/workflows/composer-auto.yml
index e731f8f70..6ce905104 100644
--- a/.github/workflows/composer-auto.yml
+++ b/.github/workflows/composer-auto.yml
@@ -1,8 +1,12 @@
 name: Compile Command
+
 on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   init:
     runs-on: ubuntu-latest
@@ -37,12 +41,12 @@ jobs:
           exit 1
 
       - name: Check actor permission
-        uses: skjnldsv/check-actor-permission@v3
+        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
         with:
           require: write
 
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -50,7 +54,7 @@ jobs:
           reactions: '+1'
 
       - name: Init branch
-        uses: xt0rted/pull-request-comment-branch@v3
+        uses: xt0rted/pull-request-comment-branch@e8b8daa837e8ea7331c0003c9c316a64c6d8b0b1 # v3.0.0
         id: comment-branch
 
       - name: Add reaction on failure
@@ -70,6 +74,7 @@ jobs:
       - name: Checkout ${{ needs.init.outputs.head_ref }}
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           token: ${{ secrets.COMMAND_BOT_PAT }}
           fetch-depth: 0
           ref: ${{ needs.init.outputs.head_ref }}
@@ -80,7 +85,7 @@ jobs:
           git config --local user.name 'nextcloud-command'
 
       - name: Set up php
-        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 #v2.32.0
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
         with:
           php-version: 8.1
           coverage: none
@@ -107,7 +112,7 @@ jobs:
           git push --force origin '${{ needs.init.outputs.head_ref }}'
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
diff --git a/.github/workflows/composer.yml b/.github/workflows/composer.yml
index 70f4512f1..20f4136b7 100644
--- a/.github/workflows/composer.yml
+++ b/.github/workflows/composer.yml
@@ -7,6 +7,9 @@ on:
       - master
       - stable*
 
+permissions:
+  contents: read
+
 jobs:
   php:
     runs-on: ubuntu-latest
@@ -14,10 +17,12 @@ jobs:
     name: Check vendor changes
     steps:
     - name: Checkout
-      uses: actions/checkout@master
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Set up php
-      uses: shivammathur/setup-php@master
+      uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
       with:
         php-version: 8.1
         coverage: none
diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml
index 03114cf63..bc405c200 100644
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -19,13 +19,15 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ '8.1', '8.2', '8.3' ]
+        php-versions: [ '8.1', '8.2', '8.3', '8.4' ]
 
     name: php-lint
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 #v2.32.0