diff --git a/.github/workflows/code-references.yml b/.github/workflows/code-references.yml
index e7bad76cc..90523ba17 100644
--- a/.github/workflows/code-references.yml
+++ b/.github/workflows/code-references.yml
@@ -1,19 +1,36 @@
----
 name: Collect code references
 
 on:
   pull_request:
-    branches-ignore:
-      - "renovate/**"
-
-permissions:
-  contents: read
-  pull-requests: write
 
 jobs:
+  check-ld-secret:
+    name: Check for LD secret
+    runs-on: ubuntu-22.04
+    outputs:
+      available: ${{ steps.check-ld-secret.outputs.available }}
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check
+        id: check-ld-secret
+        run: |
+          if [ "${{ secrets.LD_ACCESS_TOKEN }}" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT;
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+          fi
+
   refs:
     name: Code reference collection
     runs-on: ubuntu-22.04
+    needs: check-ld-secret
+    if: ${{ needs.check-ld-secret.outputs.available == 'true' }}
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - name: Check out repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1d35ed41d..10bda75e7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,3 @@
----
 name: Testing
 
 on:
@@ -18,8 +17,14 @@ jobs:
     name: Run tests
     if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
     runs-on: ubuntu-22.04
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+
     env:
       NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+
     steps:
       - name: Check out repo
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -52,7 +57,17 @@ jobs:
           reporter: dotnet-trx
           fail-on-error: true
 
+      - name: Check for Codecov secret
+        id: check-codecov-secret
+        run: |
+          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT;
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+          fi
+
       - name: Upload to codecov.io
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        if: steps.check-codecov-secret.outputs.available == 'true'
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}