diff --git a/.github/workflows/multi-runner-build.yml b/.github/workflows/multi-runner-build.yml
index 91f3ed645..adc064676 100644
--- a/.github/workflows/multi-runner-build.yml
+++ b/.github/workflows/multi-runner-build.yml
@@ -40,11 +40,12 @@ on:
 type: string
 default: 'semver'
 secrets:
+ GITHUB_APP_TOKEN:
+ required:
 DOCKERHUB_USERNAME:
 required: false
 DOCKERHUB_TOKEN:
 required: false
-
 env:
 GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ inputs.image }}
 DOCKERHUB_IMAGE: altran1502/${{ inputs.image }}
@@ -83,9 +84,6 @@ jobs:
 build:
 needs: matrix
 runs-on: ${{ matrix.runner }}
- permissions:
- contents: read
- packages: write
 strategy:
 fail-fast: false
 matrix:
@@ -95,13 +93,14 @@ jobs:
 uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 with:
 persist-credentials: false
+ token: ${{ secrets.GITHUB_APP_TOKEN }}
 - uses: immich-app/devtools/actions/image-build@7d95e52a7a597ce005a306d6891467fc15427b69 # image-build-action-0.1.1
 with:
 context: ${{ inputs.context }}
 dockerfile: ${{ inputs.dockerfile }}
 image: ${{ env.GHCR_IMAGE }}
- ghcr-token: ${{ secrets.GITHUB_TOKEN }}
+ ghcr-token: ${{ secrets.GITHUB_APP_TOKEN }}
 platform: ${{ matrix.platform }}
 artifact-key-base: ${{ needs.matrix.outputs.key }}
 build-args: ${{ inputs.build-args }}
@@ -111,10 +110,6 @@ jobs:
 needs: [matrix, build]
 runs-on: ubuntu-latest
 if: ${{ !github.event.pull_request.head.repo.fork }}
- permissions:
- contents: read
- actions: read
- packages: write
 steps:
 - name: Download digests
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -122,6 +117,7 @@ jobs:
 path: ${{ runner.temp }}/digests
 pattern: ${{ needs.matrix.outputs.key }}-*
 merge-multiple: true
+ github-token: ${{ secrets.GITHUB_APP_TOKEN }}
 - name: Login to Docker Hub
 if: ${{ inputs.dockerhub-push }}
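Review bot: `required:` under the new `GITHUB_APP_TOKEN` secret in the `@@ -40` hunk has no value, so it parses as YAML null rather than the boolean that `secrets.<id>.required` expects; the two sibling secrets spell it out as `required: false`. GitHub's workflow parser may reject the bare key outright or treat it as not required, and every later hunk consumes this secret unconditionally (checkout `token`, `ghcr-token`, download-artifact `github-token`, the ghcr login `password`), so a caller that omits it would silently hand those steps an empty string. Declare it as `required: true` so a missing secret fails at call time instead of at the registry.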
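Review bot: Deleting the job-level `permissions:` block in the `@@ -83` hunk (and again for the merge job in `@@ -111`) does not take `GITHUB_TOKEN` away from these jobs; it gives them whatever the calling workflow or repository default grants, which can be broader than the explicit `contents: read` / `packages: write` that was here. Since the registry work now runs on `GITHUB_APP_TOKEN`, the automatic token no longer needs `packages: write`, which argues for narrowing rather than removing: keep `permissions:` with `contents: read` in the build job, plus `actions: read` in the merge job if the artifact download still relies on it, so the built-in token stays least-privilege. How much the caller's own permissions constrain this depends on how the reusable workflow is invoked, which is outside these hunks.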
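Review bot: `secrets.GITHUB_TOKEN` was available on every run, but `secrets.GITHUB_APP_TOKEN` in the `@@ -95` hunk is a caller-supplied secret, and repository secrets are not exposed to workflows triggered by pull requests from forks; this build job has no fork guard (only the merge job carries `if: ${{ !github.event.pull_request.head.repo.fork }}`), so on a fork PR both the checkout `token` and `ghcr-token` here would expand to an empty string. Whether that is acceptable depends on what the image-build action does with an empty token, which is not visible here. Consider an explicit fallback such as `ghcr-token: ${{ secrets.GITHUB_APP_TOKEN || secrets.GITHUB_TOKEN }}`, or document in the secret's description that fork builds are expected to run unauthenticated.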
@@ -135,7 +131,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ password: ${{ secrets.GITHUB_APP_TOKEN }}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
diff --git a/actions/pre-job/action.yml b/actions/pre-job/action.yml
index a9fb4ae7a..f1a96d5bf 100644
--- a/actions/pre-job/action.yml
+++ b/actions/pre-job/action.yml
@@ -4,6 +4,9 @@ inputs:
 filters:
 description: 'Path filters as YAML string'
 required: true
+ github-token:
+ description: 'Github token to use'
+ required: true
 force-filters:
 description: 'Additional path filters that trigger force-run (e.g., workflow files)'
 required: false
@@ -190,6 +193,7 @@ runs:
 uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 with:
 persist-credentials: false
+ token: ${{ inputs.github-token }}
 - name: Check force paths
 if: ${{ steps.check-conditions.outputs.needs_path_filtering == 'true' && inputs.force-filters != '' }}
@@ -240,6 +244,7 @@ runs:
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 with:
 filters: ${{ steps.force_paths.outputs.force-paths-yaml }}
+ token: ${{ inputs.github-token }}
 - name: Check main paths
 if: ${{ steps.check-conditions.outputs.needs_path_filtering == 'true' && (inputs.force-filters == '' || steps.force_paths_filter.outputs.force-paths != 'true') }}
@@ -247,6 +252,7 @@ runs:
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 with:
 filters: ${{ inputs.filters }}
+ token: ${{ inputs.github-token }}
 - name: Generate final outputs
 id: generate-outputs
diff --git a/actions/use-mise/action.yml b/actions/use-mise/action.yml
index 7a3a8b165..8627fa065 100644
--- a/actions/use-mise/action.yml
+++ b/actions/use-mise/action.yml
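Review bot: The new required `github-token` input in the `@@ -4` hunk of actions/pre-job/action.yml is documented only as `'Github token to use'`, which tells callers neither which steps consume it nor what it must be allowed to do; the `@@ -190`, `@@ -240` and `@@ -247` hunks pass it to `actions/checkout` and to both `dorny/paths-filter` steps. Suggest `description: 'GitHub token used for checkout and by the paths-filter steps (needs read access to repository contents and, presumably, pull requests)'`. Marking it `required: true` also makes every existing caller of this composite action fail until it supplies the input; if that is not intended, `required: false` with `default: ${{ github.token }}` preserves the previous behaviour as the fallback.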
@@ -1,10 +1,15 @@
 name: 'Use Mise'
 description: 'Use Mise with a pinned version'
+ inputs:
+ github-token:
+ description: 'Github token to use'
+ required: true
 runs:
 using: 'composite'
 steps:
 - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
 with:
+ github_token: ${{ inputs.GITHUB_TOKEN }}
 version: 2025.7.12
 sha256: ${{ runner.os == 'Linux' && runner.arch == 'X64' && '78e141b547e4b50dac6b97f9be35e117f6a3e520aa6891aa5ee75c956585d5d2' || runner.os == 'Linux' && runner.arch == 'ARM64' && '2e06c7bc32263d7a4ec45edb760922c85e37adba048dc1249d281cbf46e7f703' ||