diff --git a/.github/workflows/add-prs-to-project.yml b/.github/workflows/add-prs-to-project.yml
new file mode 100644
index 00000000..2d3f41ad
--- /dev/null
+++ b/.github/workflows/add-prs-to-project.yml
@@ -0,0 +1,22 @@
+name: Add new PRs to github project
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - ready_for_review
+
+permissions: {}
+
+jobs:
+  addprtoproject:
+    name: Add PR to GitHub Project
+    # Only run on the silverstripe account
+    if: github.repository_owner == 'silverstripe'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add PR to github project
+        uses: silverstripe/gha-add-pr-to-project@v1
+        with:
+          app_id: ${{ vars.PROJECT_PERMISSIONS_APP_ID }}
+          private_key: ${{ secrets.PROJECT_PERMISSIONS_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/dispatch-ci.yml b/.github/workflows/dispatch-ci.yml
index 3a331652..4d2dd160 100644
--- a/.github/workflows/dispatch-ci.yml
+++ b/.github/workflows/dispatch-ci.yml
@@ -1,9 +1,11 @@
 name: Dispatch CI
 
 on:
-  # At 8:40 PM UTC, only on Saturday and Sunday
+  # At 12:00 AM UTC, only on Friday and Saturday
   schedule:
-    - cron: '40 20 * * 6,0'
+    - cron: '0 0 * * 5,6'
+
+permissions: {}
 
 jobs:
   dispatch-ci:
@@ -11,6 +13,9 @@ jobs:
     # Only run cron on the tractorcow-farm account
     if: (github.event_name == 'schedule' && github.repository_owner == 'tractorcow-farm') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - name: Dispatch CI
         uses: silverstripe/gha-dispatch-ci@v1
diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml
index 86f09119..0b18b2af 100644
--- a/.github/workflows/keepalive.yml
+++ b/.github/workflows/keepalive.yml
@@ -1,17 +1,21 @@
 name: Keepalive
 
 on:
-  # At 12:05 AM UTC, on day 20 of the month
+  # At 9:45 PM UTC, on day 6 of the month
   schedule:
-    - cron: '5 0 20 * *'
+    - cron: '45 21 6 * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   keepalive:
     name: Keepalive
     # Only run cron on the tractorcow-farm account
     if: (github.event_name == 'schedule' && github.repository_owner == 'tractorcow-farm') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Keepalive
         uses: silverstripe/gha-keepalive@v1
diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml
index 86973a33..73f4f162 100644
--- a/.github/workflows/merge-up.yml
+++ b/.github/workflows/merge-up.yml
@@ -1,17 +1,22 @@
 name: Merge-up
 
 on:
-  # At 12:05 AM UTC, only on Tuesday
+  # At 12:00 AM UTC, only on Tuesday
   schedule:
-    - cron: '5 0 * * 2'
+    - cron: '0 0 * * 2'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   merge-up:
     name: Merge-up
     # Only run cron on the tractorcow-farm account
     if: (github.event_name == 'schedule' && github.repository_owner == 'tractorcow-farm') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - name: Merge-up
         uses: silverstripe/gha-merge-up@v1
diff --git a/.github/workflows/tag-patch-release.yml b/.github/workflows/tag-patch-release.yml
new file mode 100644
index 00000000..c90c2a58
--- /dev/null
+++ b/.github/workflows/tag-patch-release.yml
@@ -0,0 +1,26 @@
+name: Tag patch release
+
+on:
+  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
+  workflow_dispatch:
+    inputs:
+      latest_local_sha:
+        description: The latest local sha
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  tagpatchrelease:
+    name: Tag patch release
+    # Only run cron on the tractorcow-farm account
+    if: (github.event_name == 'schedule' && github.repository_owner == 'tractorcow-farm') || (github.event_name != 'schedule')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Tag release
+        uses: silverstripe/gha-tag-release@v2
+        with:
+          latest_local_sha: ${{ inputs.latest_local_sha }}
diff --git a/.github/workflows/update-js.yml b/.github/workflows/update-js.yml
index f225311f..64e101c0 100644
--- a/.github/workflows/update-js.yml
+++ b/.github/workflows/update-js.yml
@@ -2,9 +2,11 @@ name: Update JS
 
 on:
   workflow_dispatch:
-  # Run on a schedule of once per quarter
+  # At 4:20 AM UTC, on day 1 of the month, only in March and September
   schedule:
-    - cron: '40 20 1 */3 *'
+    - cron: '20 4 1 3,9 *'
+
+permissions: {}
 
 jobs:
   update-js:
@@ -12,6 +14,10 @@ jobs:
     # Only run cron on the tractorcow-farm account
     if: (github.event_name == 'schedule' && github.repository_owner == 'tractorcow-farm') || (github.event_name != 'schedule')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
     steps:
       - name: Update JS
         uses: silverstripe/gha-update-js@v1