diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9c03eeb4..d42b5ab8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,13 +1,15 @@
 name: ci
 
+permissions: read-all
+
 on:
   pull_request:
     branches:
       - main
 
 env:
-  helm-version: "v3.12.1"
-  kubeconform-version: "v0.6.3"
+  helm-version: "v3.14.4"
+  kubeconform-version: "v0.6.4"
 
 jobs:
   super-linter:
@@ -19,7 +21,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: github/super-linter/slim@v5
+        uses: github/super-linter/slim@v6
         env:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -128,4 +130,4 @@ jobs:
         run: kubectl create --namespace zammad --filename zammad/ci/full-objects.yaml
 
       - name: Run chart-testing (install)
-        run: ct install --config .github/ct.yaml --helm-extra-args '--timeout 900s'
\ No newline at end of file
+        run: ct install --config .github/ct.yaml --helm-extra-args '--timeout 900s'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 841c02d8..7a273bea 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,15 +1,21 @@
 name: Release Charts
 
+permissions: read-all
+
 on:
   push:
     branches:
       - main
 
 env:
-  helm-version: "v3.10.1"
+  helm-version: "v3.14.4"
 
 jobs:
   release:
+    permissions:
+      contents: write # to push chart release and create a release (helm/chart-releaser-action)
+      packages: write # needed for ghcr access
+      id-token: write # needed for keyless signing
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
diff --git a/.github/workflows/sync-readme.yaml b/.github/workflows/sync-readme.yaml
index 71b174f6..0d9dd7a1 100644
--- a/.github/workflows/sync-readme.yaml
+++ b/.github/workflows/sync-readme.yaml
@@ -1,5 +1,7 @@
 name: sync-readme
 
+permissions: read-all
+
 on:
   push:
     branches:
@@ -9,6 +11,8 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: write # for git push
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
diff --git a/zammad/Chart.yaml b/zammad/Chart.yaml
index 1ffbe7b2..f841f4e9 100644
--- a/zammad/Chart.yaml
+++ b/zammad/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: zammad
-version: 12.0.0
-appVersion: 6.3.0
+version: 12.0.1
+appVersion: 6.3.0-15
 description: Zammad is a web based open source helpdesk/customer support system with many features to manage customer communication via several channels like telephone, facebook, twitter, chat and e-mails.
 home: https://zammad.org
 icon: https://raw.githubusercontent.com/zammad/zammad-documentation/main/images/zammad_logo_600x520.png
diff --git a/zammad/ci/full-objects.yaml b/zammad/ci/full-objects.yaml
index f5fa959f..c4cdd2ce 100644
--- a/zammad/ci/full-objects.yaml
+++ b/zammad/ci/full-objects.yaml
@@ -5,6 +5,7 @@ data:
 kind: Secret
 metadata:
   name: minio-existing-secret
+  namespace: zammad
 type: Opaque
 ---
 apiVersion: v1
@@ -13,6 +14,7 @@ data:
 kind: Secret
 metadata:
   name: redis-existing-secret
+  namespace: zammad
 type: Opaque
 ---
 apiVersion: v1
@@ -21,6 +23,7 @@ data:
 kind: Secret
 metadata:
   name: postgresql-existing-secret
+  namespace: zammad
 type: Opaque
 ---
 apiVersion: v1
@@ -29,6 +32,7 @@ data:
 kind: Secret
 metadata:
   name: elasticsearch-existing-secret
+  namespace: zammad
 type: Opaque
 ---
 apiVersion: v1
@@ -37,15 +41,17 @@ data:
 kind: Secret
 metadata:
   name: autowizard
+  namespace: zammad
 type: Opaque
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: storage-volume-claim
+  namespace: zammad
 spec:
   accessModes:
     - ReadWriteOnce   # Testing env does not provide ReadWrite Many, but for CI this is enough.
   resources:
     requests:
-      storage: 32Mi
\ No newline at end of file
+      storage: 32Mi