diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3f81a785..db25c54b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,9 @@ on:
 tags:
 - '[0-9]+.[0-9]+.[0-9a-zA-Z]+' # Matches 1.2.3, 1.2.3alpha1 etc.
+permissions:
+ contents: read
+
 jobs:
 publish-pypi:
 runs-on: ubuntu-latest
@@ -32,6 +35,8 @@ jobs:
 needs: publish-pypi
 name: Create Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4
 - name: Create Release
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index f2bc0370..a009491a 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -22,6 +22,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
@@ -112,9 +115,26 @@ jobs:
 indicators: true
 output: both
 thresholds: '50 80'
+ - name: Upload coverage report artifact
+ uses: actions/upload-artifact@v4
+ if: runner.os == 'Linux' && matrix.python-version == '3.11'
+ with:
+ name: coverage-report
+ path: code-coverage-results.md
+
+ coverage-comment:
+ needs: build
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # for sticky-pull-request-comment posting coverage results
+ steps:
+ - name: Download coverage report
+ uses: actions/download-artifact@v4
+ with:
+ name: coverage-report
 - name: Add Coverage PR Comment
 uses: marocchino/sticky-pull-request-comment@v2
- if: github.event_name == 'pull_request' && runner.os == 'Linux' && matrix.python-version == '3.11'
 with:
- recreate: true
- path: code-coverage-results.md
+ recreate: true
+ path: code-coverage-results.md
diff --git a/.github/workflows/run_tests_prod.yml b/.github/workflows/run_tests_prod.yml
index 81d8192f..689a5210 100644
--- a/.github/workflows/run_tests_prod.yml
+++ b/.github/workflows/run_tests_prod.yml
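Review bot: In `.github/workflows/publish.yml`, the new workflow-level `permissions:` block leaves every scope other than `contents` at `none` for `publish-pypi`, and that job gets no job-level override in this commit. If the job uploads through PyPI trusted publishing (OIDC) it also needs `id-token: write` at job level; its steps are outside the hunk, so the upload method should be confirmed before the next tag push. A short comment above the block, e.g. `# read-only by default; jobs widen only what they need`, would record the intent.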
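Review bot: In the `Create Release` job of `publish.yml`, the token is now `contents: write`, and the `actions/checkout@v4` step shown in context stores that token in the checkout's git config by default. If the release step does not push with git, add `with:` and `persist-credentials: false` to the checkout step so the write-capable credential is not left on disk for later steps. The new line would also read better with a reason comment in the style this commit uses in `run_tests.yml`, e.g. `contents: write # to create the GitHub release`. The job's steps continue outside the hunk.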
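Review bot: In `run_tests.yml`, the new `coverage-comment` job is likely to fail on pull requests opened from forks, because GitHub issues a read-only `GITHUB_TOKEN` for those runs and the job-level `pull-requests: write` is not honoured (this assumes the workflow runs on `pull_request`; the trigger is outside the hunk). Guarding the job with `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository` lets fork PRs skip the comment instead of going red. Moving the comment into a job that never checks out or runs PR code is the right split, but the report it posts is still produced by PR-controlled code and should stay treated as untrusted text. The third-party `marocchino/sticky-pull-request-comment@v2` now receives the write-scoped token and is worth pinning to a full commit SHA.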
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 6,18 * * *'
+permissions:
+ contents: read
+
 jobs:
 sdk-python-tests-prod:
 uses: Clarifai/clarifai-python/.github/workflows/run_tests.yml@master
diff --git a/.github/workflows/run_tests_staging.yml b/.github/workflows/run_tests_staging.yml
index 5587cdc0..db9da94e 100644
--- a/.github/workflows/run_tests_staging.yml
+++ b/.github/workflows/run_tests_staging.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 6,18 * * *'
+permissions:
+ contents: read
+
 jobs:
 sdk-python-tests-staging:
 uses: Clarifai/clarifai-python/.github/workflows/run_tests.yml@master
diff --git a/tests/runners/dummy_vllm_models/requirements.txt b/tests/runners/dummy_vllm_models/requirements.txt
index 7d543f6a..f83e0f2e 100644
--- a/tests/runners/dummy_vllm_models/requirements.txt
+++ b/tests/runners/dummy_vllm_models/requirements.txt
@@ -4,6 +4,6 @@ optimum==1.23.3
 openai
 clarifai>=11.5.2
 psutil
-torch==2.6.0
+torch==2.8.0
 vllm>=0.8.0
 transformers>=4.50.1
diff --git a/tests/runners/hf_mbart_model/requirements.txt b/tests/runners/hf_mbart_model/requirements.txt
index 51efb6d4..58782dec 100644
--- a/tests/runners/hf_mbart_model/requirements.txt
+++ b/tests/runners/hf_mbart_model/requirements.txt
@@ -5,5 +5,5 @@ requests
 sentencepiece>=0.2.0
 tiktoken>=0.9.0
 tokenizers>=0.21.1
-torch==2.6.0
+torch==2.8.0
 transformers>=4.51.3
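Review bot: In `run_tests_prod.yml` and `run_tests_staging.yml`, the new workflow-level `permissions: contents: read` caps what the called `run_tests.yml` may request, yet this same commit adds a `coverage-comment` job there that asks for `pull-requests: write`. A called workflow can only keep or reduce the caller's token permissions, and as far as I know GitHub rejects the run at startup when a nested job asks for more, even if that job's `if:` would skip it; a manual run of both callers after merge would confirm this. One fix is a job-level `permissions:` with `contents: read` and `pull-requests: write` on `sdk-python-tests-prod` and `sdk-python-tests-staging`. The other is to move the comment job out of the reusable workflow into the workflow that handles pull requests, which keeps the scheduled runs read-only.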