diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index f980b0fe..da75024d 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -15,7 +15,7 @@ jobs:
           persist-credentials: false
 
       - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint@8ba9595a4acd1b906eb75568b34f6ef592cd1528 # v26
+        uses: ansible/ansible-lint@8ba9595a4acd1b906eb75568b34f6ef592cd1528 # v26.3.0
         # Let's point it to the path
         with:
           working_directory: "ansible/"
diff --git a/.github/workflows/update-metadata.yaml b/.github/workflows/update-metadata.yaml
index 14d58140..402162c4 100644
--- a/.github/workflows/update-metadata.yaml
+++ b/.github/workflows/update-metadata.yaml
@@ -3,14 +3,13 @@
 # validatedpatterns/docs/.github/workflows/metadata-docs.yml@main
 ---
 name: Update docs pattern metadata
-
 on:
   push:
     paths:
       - "pattern-metadata.yaml"
       - ".github/workflows/update-metadata.yml"
-
-permissions: read-all
+    branches:
+      - main
 
 jobs:
   update-metadata:
@@ -19,7 +18,8 @@ jobs:
       contents: read  # Required for "read-all"
       packages: write # Allows writing to packages
       id-token: write # Allows creating OpenID Connect (OIDC) tokens
-    secrets: inherit # zizmor: ignore[secrets-inherit]
+    secrets:
+      DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }}
     # For testing you can point to a different branch in the docs repository
     # with:
     #  DOCS_BRANCH: "main"