diff --git a/.github/workflows/dashboard_perf_test.yml b/.github/workflows/dashboard_perf_test.yml index 62823e889..db134ee5f 100644 --- a/.github/workflows/dashboard_perf_test.yml +++ b/.github/workflows/dashboard_perf_test.yml @@ -17,6 +17,8 @@ jobs: - '--pre torch --index-url https://download.pytorch.org/whl/nightly/cu124' steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Setup miniconda uses: pytorch/test-infra/.github/actions/setup-miniconda@main diff --git a/.github/workflows/doc_build.yml b/.github/workflows/doc_build.yml index 8644d9d33..d038f7c8d 100644 --- a/.github/workflows/doc_build.yml +++ b/.github/workflows/doc_build.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@v3 + with: + persist-credentials: false - name: Setup conda env uses: conda-incubator/setup-miniconda@v2 with: @@ -61,7 +63,9 @@ jobs: if: ${{ github.event_name == 'pull_request' }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download artifact uses: actions/download-artifact@v3 with: @@ -96,19 +100,29 @@ jobs: name: Doc-Build path: docs - name: Add no-index tag + env: + REF_NAME: ${{ github.ref }} run: | - REF_NAME=$(echo "${{ github.ref }}") + if ! [[ "$REF_NAME" =~ ^refs/(heads|tags)/[a-zA-Z0-9._-]+$ ]]; then + echo "Error: Invalid ref format" + exit 1 + fi echo "Ref name: ${REF_NAME}" - if [[ "${{ github.ref }}" == 'refs/heads/main' ]]; then + if [[ "$REF_NAME == 'refs/heads/main' ]]; then find docs -name "*.html" -print0 | xargs -0 sed -i '/
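Review bot: The checkout in the dashboard_perf_test.yml hunk stays on `actions/checkout@v3`, and so does the `Check out repo` step in the first doc_build.yml hunk, while every other checkout touched by this commit moves to v4. Use `uses: actions/checkout@v4` in both so all the hardened steps run the same action version. The `setup-miniconda@main` step in the trailing context is also referenced by a mutable branch name. Pinning it to a reviewed commit would fit the intent of this change, although that line is not modified here.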
/a \ \ '; fi - name: Move and commit changes + env: + GITHUB_REF: ${{ github.ref }} run: | + if ! [[ "$REF_NAME" =~ ^refs/(heads|tags)/[a-zA-Z0-9._-]+$ ]]; then + echo "Error: Invalid ref format" + exit 1 + fi set -euo pipefail # Get github.ref for the output doc folder. By default "main" # If matches a tag like refs/tags/v1.12.0-rc3 or # refs/tags/v1.12.0 convert to 1.12 - GITHUB_REF=${{ github.ref }} # Convert refs/tags/v1.12.0rc3 into 1.12. # Adopted from https://github.com/pytorch/pytorch/blob/main/.github/workflows/_docs.yml#L150C11-L155C13 diff --git a/.github/workflows/ruff_linter.yml b/.github/workflows/ruff_linter.yml index dec9bdef1..8a32d7e74 100644 --- a/.github/workflows/ruff_linter.yml +++ b/.github/workflows/ruff_linter.yml 
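Review bot: The rewritten comparison in `Add no-index tag` has an unterminated double quote, `if [[ "$REF_NAME == 'refs/heads/main' ]]; then`, so the script will not parse as intended; it should read `if [[ "$REF_NAME" == 'refs/heads/main' ]]; then`. In `Move and commit changes` the new guard tests `$REF_NAME`, but that step's `env` only defines `GITHUB_REF`. Unless `REF_NAME` is set at job or workflow level outside the hunk, it is empty there and the step exits with "Invalid ref format" on every run; test `"$GITHUB_REF"` instead. The pattern `[a-zA-Z0-9._-]+` also rejects refs that contain a slash (for example `refs/heads/release/x`), which may or may not be wanted depending on which refs trigger this job. The remainder of both scripts lies outside the hunk.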
@@ -22,46 +22,67 @@ jobs: permissions: contents: write pull-requests: write - + strategy: matrix: python-version: ["3.9"] steps: - name: Extract PR info if: github.event_name == 'workflow_dispatch' + env: + INPUT_PR_URL: ${{ github.event.inputs.pr_url }} run: | - PR_URL=${{ github.event.inputs.pr_url }} - PR_NUMBER=$(echo $PR_URL | grep -oE '[0-9]+$') - echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV - - - uses: actions/checkout@v3 + if ! [[ "$INPUT_PR_URL" =~ ^https://github\.com/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+/pull/[0-9]+$ ]]; then + echo "Error: Invalid PR URL format" + exit 1 + fi + + PR_NUMBER=${INPUT_PR_URL##*/} + + if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then + echo "Error: Invalid PR number format" + exit 1 + fi + + { + echo "PR_NUMBER=$PR_NUMBER" + } >> "$GITHUB_ENV" + + - uses: actions/checkout@v4 if: github.event_name == 'workflow_dispatch' with: fetch-depth: 0 + persist-credentials: false token: ${{ secrets.GITHUB_TOKEN }} - + - name: Checkout PR branch if: github.event_name == 'workflow_dispatch' run: | - gh pr checkout ${{ env.PR_NUMBER }} + if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then + echo "Error: Invalid PR number format" + exit 1 + fi + gh pr checkout "$PR_NUMBER" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - uses: actions/checkout@v3 + PR_NUMBER: ${{ env.PR_NUMBER }} + + - uses: actions/checkout@v4 if: github.event_name != 'workflow_dispatch' with: + persist-credentials: false fetch-depth: 0 - + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - + - name: Install dependencies run: | python -m pip install --upgrade pip pip install ruff==0.6.8 - + - name: Regular lint check if: github.event_name != 'workflow_dispatch' run: | 
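Review bot: Both checkouts in this job now set `persist-credentials: false`, but the job later commits and pushes the ruff fixes (the `# Commit and push if there are changes` step in the next hunk, whose `git push` is outside what is shown). Without a persisted token that push has no credentials unless the step supplies them. If it relied on the checkout token, supply the token to that one step explicitly, for example `GITHUB_TOKEN` in the step's `env` plus `gh auth setup-git` before pushing. The same question applies to the trymerge.yml hunk, where `persist-credentials: false` sits next to `token: ${{ secrets.PYTORCH_MERGEBOT_TOKEN }}` and the merge steps are not visible. Separately, the URL pattern in `Extract PR info` accepts any owner and repository, so a PR number taken from another repository's URL would be checked out here; comparing the owner/repo part against `$GITHUB_REPOSITORY` would close that gap.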
@@ -77,11 +98,11 @@ jobs: run: | git config --global user.name 'github-actions[bot]' git config --global user.email 'github-actions[bot]@users.noreply.github.com' - + # Apply fixes ruff check --select F,I --fix ruff format . - + # Commit and push if there are changes if [[ -n "$(git status --porcelain)" ]]; then git add . diff --git a/.github/workflows/trymerge.yml b/.github/workflows/trymerge.yml index 1db4926f9..e345f77fd 100644 --- a/.github/workflows/trymerge.yml +++ b/.github/workflows/trymerge.yml @@ -16,9 +16,10 @@ jobs: steps: - name: Checkout repo id: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false token: ${{ secrets.PYTORCH_MERGEBOT_TOKEN }} - name: Setup Python