diff --git a/.github/workflows/docs-deploy-kubeconfig.yml b/.github/workflows/docs-deploy-kubeconfig.yml
index cc6d11ca7..833016117 100644
--- a/.github/workflows/docs-deploy-kubeconfig.yml
+++ b/.github/workflows/docs-deploy-kubeconfig.yml
@@ -10,6 +10,13 @@ on:
 jobs:
   build-fastgpt-docs-images:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -50,8 +57,8 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Aliyun
         uses: docker/login-action@v3
diff --git a/.github/workflows/docs-deploy-vercel.yml b/.github/workflows/docs-deploy-vercel.yml
index 0b8b91b50..f0d6e0473 100644
--- a/.github/workflows/docs-deploy-vercel.yml
+++ b/.github/workflows/docs-deploy-vercel.yml
@@ -20,6 +20,11 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ubuntu-22.04
 
+    permissions:
+      contents: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+
     # Job outputs
     outputs:
       docs: ${{ steps.filter.outputs.docs }}
@@ -71,7 +76,8 @@ jobs:
           working-directory: docSite/public
 
       - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
+        if: github.ref == 'refs/heads/main'
         with:
-          github_token: ${{ secrets.GH_PAT }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: docSite/public