diff --git a/.github/workflows/latest_deps_tests.yml b/.github/workflows/latest_deps_tests.yml
index efa2ddc1a..a291257c5 100644
--- a/.github/workflows/latest_deps_tests.yml
+++ b/.github/workflows/latest_deps_tests.yml
@@ -25,9 +25,6 @@ on:
   schedule:
     - cron: "0 3 * * *"
 
-permissions:
-  contents: read
-
 # Sets up the environment variables
 env:
   UV_VERSION: "0.8.0"
@@ -46,6 +43,8 @@ jobs:
     name: Upgrade Lockfile
     runs-on: ubuntu-latest
     if: github.repository == 'huggingface/lerobot'
+    permissions:
+      contents: read
     outputs:
       changed: ${{ steps.diff.outputs.changed }}
     steps:
@@ -86,6 +85,8 @@ jobs:
     needs: [upgrade-lock]
     if: needs.upgrade-lock.outputs.changed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       MUJOCO_GL: egl
       HF_HOME: /mnt/cache/.cache/huggingface
@@ -140,6 +141,8 @@ jobs:
     name: Build and Push Docker
     needs: [upgrade-lock]
     if: needs.upgrade-lock.outputs.changed == 'true'
+    permissions:
+      contents: read
     runs-on:
       group: aws-general-8-plus
     outputs:
@@ -181,6 +184,8 @@ jobs:
   gpu-tests:
     name: GPU Tests (Latest Deps)
     needs: [build-and-push-docker]
+    permissions:
+      contents: read
     runs-on:
       group: aws-g6-4xlarge-plus
     env:
@@ -221,10 +226,8 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-    # NOTE: PRs created with GITHUB_TOKEN won't trigger pull_request workflows.
-    # CI will run when a reviewer approves the PR (via pull_request_review trigger).
     env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_TOKEN: ${{ secrets.UPDATE_LOCK_TOKEN }}
     steps:
       - uses: actions/checkout@v6
         with:
@@ -247,7 +250,7 @@ jobs:
           git checkout -B "$BRANCH"
           git add uv.lock
           git commit -m "chore(dependencies): update uv.lock"
-          git push --force-with-lease --set-upstream origin "$BRANCH"
+          git push --force origin "$BRANCH"
           # Create PR only if one doesn't already exist for this branch
           EXISTING_PR=$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number')
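Review bot: Removing the workflow-level `permissions: contents: read` in the first hunk drops the floor that capped GITHUB_TOKEN for every job, so any job in this file without its own `permissions:` block now falls back to the repository's default token permissions, which can be write-all. The later hunks add `contents: read` to upgrade-lock, the test job, build-and-push-docker, gpu-tests and the cleanup job, but the diff does not show whether those are all the jobs in the file. A job-level `permissions:` overrides the workflow-level one, so keeping the top-level block costs nothing and preserves least privilege if a job is added later without one; suggest restoring `permissions:` / `  contents: read` above `# Sets up the environment variables` and leaving the job-level blocks as they are.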
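Review bot: Switching `GH_TOKEN` to `secrets.UPDATE_LOCK_TOKEN` in the `@@ -221` hunk means the job's `permissions:` block (`contents: write`, `pull-requests: write`) no longer bounds the identity that creates the PR, since job permissions scope only GITHUB_TOKEN; the effective privilege is now whatever that secret was granted in repository settings and is not visible here. The removed NOTE comment documented the old behaviour and nothing replaces it, so a reader cannot tell why a separate token is needed. Suggest a comment above `env:` such as `# UPDATE_LOCK_TOKEN is used instead of GITHUB_TOKEN so the created PR triggers pull_request workflows; keep it scoped to contents + pull-requests on this repo only (confirm against repo settings).` Note also that the `git push` later in this job authenticates with whatever credential `actions/checkout@v6` persisted unless the checkout's `with:` block, cut at the end of this hunk, passes `token:`; if it does not, the push still runs as GITHUB_TOKEN while only `gh` uses the new token. The job's steps continue outside the hunk.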
@@ -268,6 +271,8 @@ jobs:
     name: Cleanup Docker Image
     needs: [gpu-tests, build-and-push-docker]
     if: always() && needs.build-and-push-docker.result == 'success'
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Get Docker Hub Token and Delete Image