diff --git a/.github/workflows/build-addon.yml b/.github/workflows/build-addon.yml
index 5a5e9ead..1d6ff4ab 100644
--- a/.github/workflows/build-addon.yml
+++ b/.github/workflows/build-addon.yml
@@ -19,6 +19,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+permissions:
+ contents: read
+
 jobs:
 napi-build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/module-system-smoke.yml b/.github/workflows/module-system-smoke.yml
index 82c099dd..e9942908 100644
--- a/.github/workflows/module-system-smoke.yml
+++ b/.github/workflows/module-system-smoke.yml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+permissions:
+ contents: read
+
 jobs:
 module-smoke:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/native-pin-consistency.yml b/.github/workflows/native-pin-consistency.yml
index b2a01a97..a905b4a6 100644
--- a/.github/workflows/native-pin-consistency.yml
+++ b/.github/workflows/native-pin-consistency.yml
@@ -20,7 +20,7 @@ jobs:
 name: aa-* crates share one git rev
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 - name: Assert all agent-assembly git deps share one rev
 run: |
 manifest="native/aa-ffi-node/Cargo.toml"
diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml
index dfbdcbaa..600aaf34 100644
--- a/.github/workflows/precommit.yml
+++ b/.github/workflows/precommit.yml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+permissions:
+ contents: read
+
 jobs:
 quality:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 1afa6b0a..79ad0859 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
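Review bot: The top-level `permissions:` block added to build-addon.yml caps the GITHUB_TOKEN for every job in the file, and nothing in the hunk shows whether any job needs more than read access to contents. A job that publishes release assets, writes packages, comments on pull requests or requests an OIDC token would now need its own job-level `permissions:`; the job bodies are outside the hunk, so this needs checking against the full files. The same applies to the identical hunks in module-system-smoke.yml, precommit.yml, regression.yml and test-matrix.yml. I would add a comment above each block such as `# Least privilege: GITHUB_TOKEN is read-only here; widen per job, never at workflow level.` native-pin-consistency.yml gets no such block in this diff, so if it does not already declare one it should receive the same lines.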
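Review bot: The trailing `# v7.0.0` on the pinned `actions/checkout` line in native-pin-consistency.yml is the only link between the SHA and a release, and nothing in the diff lets a reader verify it. Confirm before merging that the commit is reachable from the upstream repository's tag, because the comment can drift from the SHA it annotates on later edits. A pinned SHA also stops receiving fixes, so the repository should have an automated updater covering the `github-actions` ecosystem (not visible here). The `uses:` lines of the other workflows touched by this commit are outside their hunks and may still float on a tag. As this job appears only to read a manifest (its body continues past the hunk), the step could also take `with:` and `persist-credentials: false`, which keeps the token out of the checkout's git config.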
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 3 * * *"

+permissions:
+ contents: read
+
 jobs:
 regression-suite:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-matrix.yml b/.github/workflows/test-matrix.yml
index 965f6a45..4293b79f 100644
--- a/.github/workflows/test-matrix.yml
+++ b/.github/workflows/test-matrix.yml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ${{ matrix.os }}