diff --git a/.github/gh-bot.yml b/.github/gh-bot.yml
deleted file mode 100644
index 21908a40c..000000000
--- a/.github/gh-bot.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-version: v1
-debug: true
-action:
-  printConfig: false
-  release:
-    retry: 15s
-    actionName: Release
-    allowOps:
-      - cuisongliu
-bot:
-  prefix: /
-  spe: _
-  allowOps:
-    - sealos-ci-robot
-    - sealos-release-robot
-  email: sealos-ci-robot@sealos.io
-  username: sealos-ci-robot
-repo:
-  org: false
-
-message:
-  success: |
-    🤖 says: Hooray! The action {{.Body}} has been completed successfully. 🎉
-  format_error: |
-    🤖 says: ‼️ There is a formatting issue with the action, kindly verify the action's format.
-  permission_error: |
-    🤖 says: ‼️ The action doesn't have permission to trigger.
-  release_error: |
-    🤖 says: ‼️ Release action failed.
-    Error details: {{.Error}}
diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml
index e66e5d64e..9d635773d 100644
--- a/.github/workflows/docs-preview.yml
+++ b/.github/workflows/docs-preview.yml
@@ -1,7 +1,7 @@
 name: Preview FastGPT docs
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - 'docSite/**'
   workflow_dispatch:
@@ -72,6 +72,8 @@ jobs:
           alias-domains: | #Optional
             fastgpt-staging.vercel.app
   docsOutput:
+    permissions:
+      pull-requests: write
     needs: [deploy-preview]
     runs-on: ubuntu-latest
     steps:
@@ -79,18 +81,13 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
-      - name: Write md
-        run: |
-          echo "# 🤖 Generated by deploy action" > report.md
-          echo "[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})" >> report.md
-          cat report.md
-      - name: Gh Rebot for Sealos
-        uses: labring/gh-rebot@v0.0.6
-        if: ${{ (github.event_name == 'pull_request_target') }}
+      - uses: actions/github-script@v7
         with:
-          version: v0.0.6
-        env:
-          GH_TOKEN: '${{ secrets.GH_PAT }}'
-          SEALOS_TYPE: 'pr_comment'
-          SEALOS_FILENAME: 'report.md'
-          SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY'
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})'
+            })
diff --git a/.github/workflows/docs-sync_imgs.yml b/.github/workflows/docs-sync_imgs.yml
index 19dc28ab2..7ef8cfb80 100644
--- a/.github/workflows/docs-sync_imgs.yml
+++ b/.github/workflows/docs-sync_imgs.yml
@@ -1,6 +1,6 @@
 name: Sync images
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
     paths:
@@ -15,13 +15,6 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        if: ${{ (github.event_name == 'pull_request_target') }}
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -32,4 +25,4 @@ jobs:
           CONFIG_PATH: .github/sync_imgs.yml
           ORIGINAL_MESSAGE: true
           SKIP_PR: true
-          COMMIT_EACH_FILE: false
\ No newline at end of file
+          COMMIT_EACH_FILE: false
diff --git a/.github/workflows/fastgpt-build-image-personal.yml b/.github/workflows/fastgpt-build-image-personal.yml
index f0edad535..8271782bc 100644
--- a/.github/workflows/fastgpt-build-image-personal.yml
+++ b/.github/workflows/fastgpt-build-image-personal.yml
@@ -9,6 +9,11 @@ on:
       - 'main'
 jobs:
   build-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     if: github.repository != 'labring/FastGPT'
     steps:
@@ -32,7 +37,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
       - name: Set DOCKER_REPO_TAGGED based on branch or tag
         run: |
           echo "DOCKER_REPO_TAGGED=ghcr.io/${{ github.repository_owner }}/fastgpt:latest" >> $GITHUB_ENV
diff --git a/.github/workflows/fastgpt-build-image.yml b/.github/workflows/fastgpt-build-image.yml
index ccd54859c..70926860e 100644
--- a/.github/workflows/fastgpt-build-image.yml
+++ b/.github/workflows/fastgpt-build-image.yml
@@ -9,6 +9,11 @@ on:
       - 'v*'
 jobs:
   build-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       # install env
@@ -39,7 +44,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
       - name: Login to Ali Hub
         uses: docker/login-action@v2
         with:
@@ -91,6 +96,11 @@ jobs:
           -t ${Docker_Hub_Latest} \
           .
   build-fastgpt-images-sub-route:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       # install env
@@ -121,7 +131,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
       - name: Login to Ali Hub
         uses: docker/login-action@v2
         with:
@@ -174,6 +184,11 @@ jobs:
           -t ${Docker_Hub_Latest} \
           .
   build-fastgpt-images-sub-route-gchat:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       # install env
@@ -204,7 +219,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
       - name: Login to Ali Hub
         uses: docker/login-action@v2
         with:
diff --git a/.github/workflows/fastgpt-preview-image.yml b/.github/workflows/fastgpt-preview-image.yml
index 1622cce2a..adbefade4 100644
--- a/.github/workflows/fastgpt-preview-image.yml
+++ b/.github/workflows/fastgpt-preview-image.yml
@@ -1,10 +1,15 @@
 name: Preview FastGPT images
 on:
-  pull_request_target:
+  pull_request:
   workflow_dispatch:
 
 jobs:
   preview-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
@@ -48,20 +53,13 @@ jobs:
           --cache-to=type=local,dest=/tmp/.buildx-cache \
           -t ${DOCKER_REPO_TAGGED} \
           .
-      # Add write md step after build
-      - name: Write md
-        run: |
-          echo "# 🤖 Generated by deploy action" > report.md
-          echo "📦 Preview Image: \`${DOCKER_REPO_TAGGED}\`" >> report.md
-          cat report.md
-
-      - name: Gh Rebot for Sealos
-        uses: labring/gh-rebot@v0.0.6
-        if: ${{ (github.event_name == 'pull_request_target') }}
+      - uses: actions/github-script@v7
         with:
-          version: v0.0.6
-        env:
-          GH_TOKEN: '${{ secrets.GH_PAT }}'
-          SEALOS_TYPE: 'pr_comment'
-          SEALOS_FILENAME: 'report.md'
-          SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY'
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Preview Image: ${{ env.DOCKER_REPO_TAGGED }}'
+            })
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 25f7fb771..bcbb5b7b6 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -8,6 +8,11 @@ on:
 
 jobs:
   helm:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
@@ -20,7 +25,7 @@ jobs:
         run: echo "tag=$(git describe --tags)" >> $GITHUB_OUTPUT
       - name: Release Helm
         run: |
-          echo ${{ secrets.GH_PAT }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+          echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
           export APP_VERSION=${{ steps.vars.outputs.tag }}
           export HELM_VERSION=${{ steps.vars.outputs.tag }}
           export HELM_REPO=ghcr.io/${{ github.repository_owner }}
diff --git a/.github/workflows/sandbox-build-image.yml b/.github/workflows/sandbox-build-image.yml
index 8e58daf46..873582cf3 100644
--- a/.github/workflows/sandbox-build-image.yml
+++ b/.github/workflows/sandbox-build-image.yml
@@ -8,6 +8,11 @@ on:
       - 'v*'
 jobs:
   build-fastgpt-sandbox-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-20.04
     steps:
       # install env
@@ -38,7 +43,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Ali Hub
         uses: docker/login-action@v2
         with: