diff --git a/.github/workflows/build-and-package.yml b/.github/workflows/build-and-package.yml
index 128dd8db..50f8dfc5 100644
--- a/.github/workflows/build-and-package.yml
+++ b/.github/workflows/build-and-package.yml
@@ -1,5 +1,9 @@
 name: Deploy blog
 
+permissions:
+  contents: write # to upload release assets
+  packages: write # to publish packages
+
 on:
   push:
     branches:
@@ -59,7 +63,7 @@ jobs:
           space_region: 'nyc3'
           source: ${{ env.PACKAGE_NAME }}
           out_dir: 'html/'
-          overwrite: true
+          # overwrite: true
 
   check-digitalocean-secrets:
     name: Check if Digitalocean registry information was set on secrets
@@ -122,7 +126,7 @@ jobs:
           password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
       - name: Build and push Nginx image
-        uses: docker/build-push-action@6
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7a590796..167ed61a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,10 +1,14 @@
 name: Deploy blog
 
+permissions:
+  contents: write # to upload release assets
+  packages: write # to publish packages
+
 on:
   push:
     branches:
-      - main
-      - experimental
+      - main # only `main` / `master` branch
+      # - experimental
 
 jobs:
   deploy-gh-pages: