diff --git a/.github/workflows/preview-docs-build.yml b/.github/workflows/preview-docs-build.yml index 7551c7f6b6..4345462dee 100644 --- a/.github/workflows/preview-docs-build.yml +++ b/.github/workflows/preview-docs-build.yml @@ -34,12 +34,6 @@ jobs: id: datetime run: echo "datetime=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT - - name: Save PR metadata - run: | - mkdir -p /tmp/pr-metadata - echo "${{ github.event.pull_request.number }}" > /tmp/pr-metadata/pr-number.txt - echo "${{ github.event.pull_request.head.sha }}" > /tmp/pr-metadata/pr-sha.txt - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -64,21 +58,21 @@ jobs: path: /tmp/fastgpt-docs-${{ steps.datetime.outputs.datetime }}.tar retention-days: 1 - - name: Upload PR metadata - uses: actions/upload-artifact@v4 - with: - name: pr-metadata-docs-${{ steps.datetime.outputs.datetime }} - path: /tmp/pr-metadata/ - retention-days: 1 + outputs: + datetime: ${{ steps.datetime.outputs.datetime }} call-push-workflow: needs: build-docs-image + permissions: + contents: read + packages: write + attestations: write + id-token: write + pull-requests: write + issues: write uses: ./.github/workflows/preview-docs-push.yml secrets: inherit with: - pr_number: ${{ github.event.pull_request.number }} + pr_number: ${{ format('{0}', github.event.pull_request.number) }} datetime: ${{ needs.build-docs-image.outputs.datetime }} - run_id: ${{ github.run_id }} - - outputs: - datetime: ${{ steps.datetime.outputs.datetime }} + run_id: ${{ format('{0}', github.run_id) }} diff --git a/.github/workflows/preview-docs-push.yml b/.github/workflows/preview-docs-push.yml index 9495044f48..5cdf44d267 100644 --- a/.github/workflows/preview-docs-push.yml +++ b/.github/workflows/preview-docs-push.yml 
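Review bot: The `permissions:` block added to `call-push-workflow` hands the reusable workflow four write scopes plus `id-token: write` while the job keeps `secrets: inherit`, and nothing in the hunk shows which of these the push side uses. The same block is added to `call-push-workflow` in preview-fastgpt-build.yml, where the checkout `ref:` expression shows the build runs on `pull_request_target` against the PR head commit, so the artifact being pushed is produced from unreviewed code. I would trim each list to the scopes the called workflow needs, keep the explanation that was dropped from preview-fastgpt-push.yml as a comment (`issues: write  # PR comments go through the Issues API`), and replace `secrets: inherit` with an explicit `secrets:` map naming only the secrets preview-docs-push.yml reads, e.g. `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` (placeholder). Whether the docs build also triggers on `pull_request_target` is not visible in this hunk.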
@@ -26,14 +26,6 @@ jobs: runs-on: ubuntu-24.04 steps: - - name: Download PR metadata - uses: actions/download-artifact@v4 - with: - name: pr-metadata-docs-${{ inputs.datetime }} - path: /tmp/pr-metadata/ - run-id: ${{ inputs.run_id }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - name: Read PR information id: pr run: | diff --git a/.github/workflows/preview-fastgpt-build.yml b/.github/workflows/preview-fastgpt-build.yml index 77424ec69b..c7f2224c09 100644 --- a/.github/workflows/preview-fastgpt-build.yml +++ b/.github/workflows/preview-fastgpt-build.yml @@ -33,12 +33,6 @@ jobs: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }} fetch-depth: 0 - - name: Save PR metadata - run: | - mkdir -p /tmp/pr-metadata - echo "${{ github.event.pull_request.number }}" > /tmp/pr-metadata/pr-number.txt - echo "${{ github.event.pull_request.head.sha }}" > /tmp/pr-metadata/pr-sha.txt - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: @@ -95,23 +89,23 @@ jobs: path: /tmp/${{ steps.config.outputs.IMAGE_NAME }}-${{ github.sha }}.tar retention-days: 1 - - name: Upload PR metadata - uses: actions/upload-artifact@v4 - with: - name: pr-metadata-${{ matrix.image }}-${{ github.sha }} - path: /tmp/pr-metadata/ - retention-days: 1 - call-push-workflow: needs: build-preview-images strategy: matrix: image: [fastgpt, sandbox, mcp_server] fail-fast: false + permissions: + contents: read + packages: write + attestations: write + id-token: write + pull-requests: write + issues: write uses: ./.github/workflows/preview-fastgpt-push.yml secrets: inherit with: - pr_number: ${{ github.event.pull_request.number }} + pr_number: ${{ format('{0}', github.event.pull_request.number) }} pr_sha: ${{ github.sha }} - run_id: ${{ github.run_id }} + run_id: ${{ format('{0}', github.run_id) }} image: ${{ matrix.image }} 
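Review bot: In the `with:` block of `call-push-workflow` in preview-fastgpt-build.yml, `pr_sha: ${{ github.sha }}` is now the only commit id passed to the push workflow, and on `pull_request_target` runs (which the checkout `ref:` expression earlier in this file handles) `github.sha` is the base-branch commit, not the PR head. The removed "Save PR metadata" step recorded `github.event.pull_request.head.sha`, so if preview-fastgpt-push.yml uses the SHA for an image tag or the PR comment, it would presumably name a commit that is not the code that was built. That file's use of `pr_sha` is outside this diff. Since the image artifact name is also keyed on `github.sha`, I would leave `pr_sha` as the lookup key and document it, `pr_sha: ${{ github.sha }}  # artifact key; base commit on pull_request_target, not the PR head`, passing the head SHA as a separate input if the push side needs it.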
diff --git a/.github/workflows/preview-fastgpt-push.yml b/.github/workflows/preview-fastgpt-push.yml index 603291c7b6..b64dc04a48 100644 --- a/.github/workflows/preview-fastgpt-push.yml +++ b/.github/workflows/preview-fastgpt-push.yml @@ -16,15 +16,16 @@ on: required: true type: string +permissions: + contents: read + packages: write + attestations: write + id-token: write + pull-requests: write + issues: write + jobs: push-preview-images: - permissions: - contents: read - packages: write - attestations: write - id-token: write - pull-requests: write - issues: write # Required for issue-comment (PR comments use Issues API) runs-on: ubuntu-24.04