diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index bfe2505f4..dadee9368 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,7 +3,7 @@ run-name: ${{ github.actor }} is running Pull Request CI
 
 on:
   pull_request_target:
-    types: [opened, labeled, reopened, synchronize]
+    types: [opened, labeled, reopened]
   workflow_dispatch:
 
 concurrency:
@@ -86,6 +86,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
@@ -123,6 +124,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
@@ -157,6 +159,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
@@ -191,6 +194,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
@@ -228,6 +232,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
@@ -277,6 +282,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4
diff --git a/.github/workflows/remove-validated-on-synchronize.yml b/.github/workflows/remove-validated-on-synchronize.yml
new file mode 100644
index 000000000..565edee1e
--- /dev/null
+++ b/.github/workflows/remove-validated-on-synchronize.yml
@@ -0,0 +1,41 @@
+name: Remove Validated Label On New Push
+run-name: Remove validated label for PR #${{ github.event.pull_request.number }}
+
+on:
+  pull_request_target:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  remove-validated-label:
+    name: Remove reusable validated label
+    runs-on: ubuntu-latest
+    steps:
+      - name: Remove validated label from PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const pull_number = context.payload.pull_request.number;
+
+            const labels = context.payload.pull_request.labels.map((label) => label.name);
+            if (!labels.includes('validated')) {
+              core.info('No validated label found; skipping.');
+              return;
+            }
+
+            try {
+              await github.rest.issues.removeLabel({
+                owner,
+                repo,
+                issue_number: pull_number,
+                name: 'validated',
+              });
+
+              core.info('Removed validated label after synchronize event.');
+            } catch (error) {
+              core.warning(`Failed to remove validated label: ${error.message}`);
+            }