diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml
index 24f72c479d86e..c4800de972371 100644
--- a/.github/workflows/doc-tests.yaml
+++ b/.github/workflows/doc-tests.yaml
@@ -11,6 +11,9 @@ jobs:
     name: Lint (Docs)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/docs:latest
       volumes:
diff --git a/.github/workflows/integration-tests-non-root.yaml b/.github/workflows/integration-tests-non-root.yaml
index 18a324faec516..47844b774deb5 100644
--- a/.github/workflows/integration-tests-non-root.yaml
+++ b/.github/workflows/integration-tests-non-root.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
       packages: read
 
     container:
diff --git a/.github/workflows/integration-tests-root.yaml b/.github/workflows/integration-tests-root.yaml
index c3e5f0e1504a1..28e77837087ed 100644
--- a/.github/workflows/integration-tests-root.yaml
+++ b/.github/workflows/integration-tests-root.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
 
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 49a64572b99c0..4e226018f7003 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -11,6 +11,9 @@ jobs:
     name: Lint (Go)
     runs-on: ubuntu-22.04-16core
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       env:
diff --git a/.github/workflows/os-compatibility-test.yaml b/.github/workflows/os-compatibility-test.yaml
index b42e4c72de76b..899494163b58e 100644
--- a/.github/workflows/os-compatibility-test.yaml
+++ b/.github/workflows/os-compatibility-test.yaml
@@ -10,6 +10,10 @@ jobs:
   build:
     name: Build Artifacts
     runs-on: ubuntu-22.04-16core
+
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox-centos7:teleport12
       env:
@@ -36,6 +40,10 @@ jobs:
     needs: build
     name: Run Compatibility Test
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/unit-tests-code-bypass.yaml b/.github/workflows/unit-tests-code-bypass.yaml
index 196fb3177f883..1c445b38a3af1 100644
--- a/.github/workflows/unit-tests-code-bypass.yaml
+++ b/.github/workflows/unit-tests-code-bypass.yaml
@@ -10,5 +10,9 @@ jobs:
   test:
     name: Unit Tests (Go)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-code.yaml b/.github/workflows/unit-tests-code.yaml
index 3d8bad9ff6b7c..fb7bfcd1dc71c 100644
--- a/.github/workflows/unit-tests-code.yaml
+++ b/.github/workflows/unit-tests-code.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
       packages: read
 
     container:
diff --git a/.github/workflows/unit-tests-helm-bypass.yaml b/.github/workflows/unit-tests-helm-bypass.yaml
index dd7693cc950b2..beaee5aabc17b 100644
--- a/.github/workflows/unit-tests-helm-bypass.yaml
+++ b/.github/workflows/unit-tests-helm-bypass.yaml
@@ -11,5 +11,9 @@ jobs:
   test:
     name: Unit Tests (Helm)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-helm.yaml b/.github/workflows/unit-tests-helm.yaml
index 15821d10e490c..da800e2dfd65f 100644
--- a/.github/workflows/unit-tests-helm.yaml
+++ b/.github/workflows/unit-tests-helm.yaml
@@ -14,6 +14,9 @@ jobs:
     name: Unit Tests (Helm)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       env:
diff --git a/.github/workflows/unit-tests-operator-bypass.yaml b/.github/workflows/unit-tests-operator-bypass.yaml
index b9f31219f7e7f..6fbdcf266d48c 100644
--- a/.github/workflows/unit-tests-operator-bypass.yaml
+++ b/.github/workflows/unit-tests-operator-bypass.yaml
@@ -14,5 +14,9 @@ jobs:
   test:
     name: Unit Tests (Operator)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-operator.yaml b/.github/workflows/unit-tests-operator.yaml
index b02eb44478e2b..0250497d2cb96 100644
--- a/.github/workflows/unit-tests-operator.yaml
+++ b/.github/workflows/unit-tests-operator.yaml
@@ -18,6 +18,9 @@ jobs:
     name: Unit Tests (Operator)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       options: --cap-add=SYS_ADMIN --privileged
diff --git a/.github/workflows/unit-tests-rust-bypass.yaml b/.github/workflows/unit-tests-rust-bypass.yaml
index 43b39dd408dcf..d32119a822b23 100644
--- a/.github/workflows/unit-tests-rust-bypass.yaml
+++ b/.github/workflows/unit-tests-rust-bypass.yaml
@@ -12,5 +12,9 @@ jobs:
   test:
     name: Unit Tests (Rust)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-rust.yaml b/.github/workflows/unit-tests-rust.yaml
index c536ab948d28f..0cf2fdddf3688 100644
--- a/.github/workflows/unit-tests-rust.yaml
+++ b/.github/workflows/unit-tests-rust.yaml
@@ -15,6 +15,10 @@ jobs:
   test:
     name: Unit Tests (Rust)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       options: --cap-add=SYS_ADMIN --privileged
diff --git a/api/types/database.go b/api/types/database.go
index ba021c8aaa082..97c8bb3243ab4 100644
--- a/api/types/database.go
+++ b/api/types/database.go
@@ -31,7 +31,7 @@ import (
 	azureutils "github.com/gravitational/teleport/api/utils/azure"
 )
 
-// Database represents a database proxied by a database server.
+// Database represents a single database proxied by a database server.
 type Database interface {
 	// ResourceWithLabels provides common resource methods.
 	ResourceWithLabels
diff --git a/examples/chart/teleport-kube-agent/Chart.yaml b/examples/chart/teleport-kube-agent/Chart.yaml
index 05a270173c25a..7a38fba0a0efa 100644
--- a/examples/chart/teleport-kube-agent/Chart.yaml
+++ b/examples/chart/teleport-kube-agent/Chart.yaml
@@ -4,7 +4,7 @@ name: teleport-kube-agent
 apiVersion: v2
 version: *version
 appVersion: *version
-description: Teleport provides a secure SSH and Kubernetes remote access solution that doesn't get in the way.
+description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
   - Teleport
diff --git a/lib/srv/desktop/rdp/rdpclient/build.rs b/lib/srv/desktop/rdp/rdpclient/build.rs
index f6509fb731c6b..52fa90e1876db 100644
--- a/lib/srv/desktop/rdp/rdpclient/build.rs
+++ b/lib/srv/desktop/rdp/rdpclient/build.rs
@@ -21,7 +21,7 @@ fn main() {
         .unwrap();
 
     // atomically swap the header in place, just in case there's multiple
-    // compilations at the same time
+    // compilations at the same time.
     let out = tempfile::NamedTempFile::new_in(".").unwrap();
     bindings.write(&out);