diff --git a/.github/workflows/post-build-publish.yml b/.github/workflows/post-build-publish.yml
index af58b6af19b..de84f24e4f0 100644
--- a/.github/workflows/post-build-publish.yml
+++ b/.github/workflows/post-build-publish.yml
@@ -120,7 +120,16 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ df1-compat ]
 if: always() && github.event.client_payload.slack_thread_ts
+ permissions:
+ contents: read
 steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # use default branch to avoid running action from unmerged PRs and exposing secrets it uses
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
+
 - name: Notify Slack Jobs Result
 uses: ./.github/actions/notify-slack-jobs-result
 with:
@@ -136,7 +145,15 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ cre-compat ]
 if: always() && github.event.client_payload.slack_thread_ts
+ permissions:
+ contents: read
 steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # use default branch to avoid running action from unmerged PRs and exposing secrets it uses
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
 - name: Notify Slack Jobs Result
 uses: ./.github/actions/notify-slack-jobs-result
 with:
@@ -152,7 +169,15 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ legacy-system-tests ]
 if: always() && github.event.client_payload.slack_thread_ts
+ permissions:
+ contents: read
 steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # use default branch to avoid running action from unmerged PRs and exposing secrets it uses
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
 - name: Notify Slack Jobs Result
 uses: ./.github/actions/notify-slack-jobs-result
 with:
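Review bot: The job-level `permissions:` block added in this job grants only `contents: read`, which sets every other GITHUB_TOKEN scope to none; the same block is added in the four later hunks. If `./.github/actions/notify-slack-jobs-result` looks up job results through the GitHub API (its body is not visible here, so this is an assumption), it would also need `actions: read` next to `contents: read`. Once that is confirmed with a dispatch run, a comment above the block such as `# contents: read covers the checkout; the notify action makes no GitHub API calls` would record why nothing more is granted. The step list continues past the end of the hunk.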
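Review bot: The Checkout step added here runs straight into `- name: Notify Slack Jobs Result` with no empty line, while the first hunk separates the two steps with one; the third, fourth and fifth hunks have the same gap. Adding the empty line after `persist-credentials: false` in these four jobs keeps the five copies of the step identical. That matters because the pinned `actions/checkout` SHA and its `# v6.0.2` comment will have to be bumped in all five places together, and a mechanical search-and-replace is easier to trust when the copies do not differ.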
@@ -168,7 +193,15 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ cre-smoke-tests ]
 if: always() && github.event.client_payload.slack_thread_ts
+ permissions:
+ contents: read
 steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # use default branch to avoid running action from unmerged PRs and exposing secrets it uses
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
 - name: Notify Slack Jobs Result
 uses: ./.github/actions/notify-slack-jobs-result
 with:
@@ -184,7 +217,15 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ cre-regression-tests ]
 if: always() && github.event.client_payload.slack_thread_ts
+ permissions:
+ contents: read
 steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # use default branch to avoid running action from unmerged PRs and exposing secrets it uses
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
 - name: Notify Slack Jobs Result
 uses: ./.github/actions/notify-slack-jobs-result
 with:
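Review bot: The Checkout step in this job fetches the whole default-branch tree even though the only thing the job visibly reads from it is the local action `./.github/actions/notify-slack-jobs-result`; the other four notify jobs do the same. Limiting the step with `sparse-checkout: .github/actions/notify-slack-jobs-result` under `with:` would keep the workspace to what the job needs and shorten the run. This assumes the action does not reference files elsewhere in the repository, which cannot be checked from the hunk.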