diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index be9e83e..b7e02ef 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -1,6 +1,6 @@
 on:
   push:
-    branches: main
+    branches: [main]
   pull_request:
   workflow_dispatch:
 
@@ -13,9 +13,7 @@ jobs:
     steps:
       - name: git checkout
         uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          determinate: true
+      - uses: DeterminateSystems/determinate-nix-action@v3
       - uses: DeterminateSystems/flakehub-cache-action@main
       - run: nix develop -c action-validator -v ./.github/workflows/workflow.yml
       - run: nix develop -c prettier --check .
@@ -23,7 +21,7 @@ jobs:
   DeterminateCI:
     uses: ./.github/workflows/workflow.yml
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
     with:
       directory: ./tests/smoke
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index d10bc7c..b1963a7 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -88,16 +88,14 @@ jobs:
       systems: ${{ steps.inventory.outputs.systems }}
 
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
       # disabled pending strategy discussion on exposing tunables
       # - uses: Determinatesystems/flake-checker-action@main
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          determinate: true
+      - uses: DeterminateSystems/determinate-nix-action@v3
       - uses: DeterminateSystems/flakehub-cache-action@main
       - uses: webfactory/ssh-agent@v0.9.0
         if: ${{ inputs.enable-ssh-agent }}
@@ -120,14 +118,12 @@ jobs:
         systems: ${{ fromJSON(needs.inventory.outputs.systems) }}
 
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          determinate: true
+      - uses: DeterminateSystems/determinate-nix-action@v3
       - uses: DeterminateSystems/flakehub-cache-action@main
       - uses: webfactory/ssh-agent@v0.9.0
         if: ${{ inputs.enable-ssh-agent }}
@@ -145,8 +141,8 @@ jobs:
     needs: build
     if: ${{ always() }}
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
 
     outputs:
       flake_name: ${{ steps.publish.outputs.flake_name }}
@@ -163,13 +159,11 @@ jobs:
           contains(needs.*.result, 'cancelled')
       - uses: actions/checkout@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/determinate-nix-action@v3
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
-        with:
-          determinate: true
       - uses: DeterminateSystems/flakehub-cache-action@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
-      - uses: "DeterminateSystems/flakehub-push@main"
+      - uses: DeterminateSystems/flakehub-push@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
         id: publish
         with: