diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
index 8ec09616..67b39b07 100644
--- a/.github/workflows/auto-merge-dependabot.yml
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -7,7 +7,7 @@ permissions: write-all
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 16642759..ff6756eb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,8 @@ jobs:
   build-node:
     name: "build on ${{ matrix.os }}"
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
     if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
     strategy:
@@ -21,6 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - uses: actions/setup-node@v5
         with:
           node-version-file: '.nvmrc'
@@ -34,10 +36,13 @@ jobs:
   build-artifacts:
     name: "build artifacts"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
     steps:
       - uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - uses: actions/setup-node@v5
         with:
           node-version-file: '.nvmrc'
@@ -81,9 +86,12 @@ jobs:
   unit-tests:
     name: "Unit tests"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - run: npm ci
       - run: npm run test-unit-ci
       - name: Upload coverage reports to Codecov
@@ -96,9 +104,12 @@ jobs:
     name: "E2E tests using chrome"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - run: npm ci
       - name: Cypress run
         uses: cypress-io/github-action@v6
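Review bot: The workflow-level `permissions: write-all` visible in this hunk's header is left in place, so the dependabot job still runs with every token scope even though the author check was tightened. An auto-merge job of the kind started here (the Dependabot metadata step, followed by whatever merge step lies outside the hunk) typically needs only `contents: write` and `pull-requests: write`; replace the top-level `write-all` with a job-level `permissions:` block listing `contents: write` and `pull-requests: write`. The new `github.event.pull_request.user.login` expression is only populated on pull-request style events, so the workflow's `on:` block, which is outside this hunk, should be checked to confirm those are the only triggers; on any other event the job silently skips. The dependabot job continues past the end of the hunk.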
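Review bot: The new `with: { persist-credentials: false }` on the checkout step in the -21 hunk is written in flow style while every other `with:` in ci.yml, including the setup-node one two lines below it, uses block style, and release.yml in this same commit writes the identical option in block form. For consistency write it as `with:` followed by `persist-credentials: false` on its own indented line. The same applies to the checkout steps added in the later ci.yml hunks at -34, -81, -96 and -119 and to the deploy-pages checkout in deploy.yml.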
@@ -119,6 +130,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - run: npm ci
       - name: Cypress run
         uses: cypress-io/github-action@v6
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5e83f456..1259ac88 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,9 +8,12 @@ jobs:
   deploy-pages:
     name: deploy/pages
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     if: ${{ github.event_name == 'push' }}
     steps:
       - uses: actions/checkout@v5
+        with: { persist-credentials: false }
       - name: Use Node.js from nvmrc
         uses: actions/setup-node@v5
@@ -33,9 +36,10 @@ jobs:
   deploy-docker:
     name: deploy/docker
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' }}
-
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 62c0469b..5b69f683 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,11 +12,14 @@ jobs:
     defaults:
       run:
         shell: bash
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
           ref: main
+          persist-credentials: false
       - name: Use Node.js from nvmrc
         uses: actions/setup-node@v5
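Review bot: deploy-pages now checks out with `persist-credentials: false` while being granted `contents: write`, and the step that actually publishes the site lies outside this hunk. Any step that pushes to a branch through the checkout's remote will no longer find a token in the repository's git config, so it must be handed the token explicitly (for example `token: ${{ github.token }}` on that step); if the publish instead goes through the Pages deployment API, `contents: write` is presumably not the scope it needs (`pages: write` and `id-token: write` are the usual pair) and the job's permissions should be revisited. The deploy-pages steps continue past the end of the hunk.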
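Review bot: Dropping `if: ${{ github.event_name == 'push' }}` from deploy-docker at the same time as granting it `packages: write` means the image-publishing job now runs on every event enabled by the workflow's `on:` block, which is outside this hunk, while deploy-pages in the hunk above keeps the same gate, suggesting the workflow has triggers beyond push. If the gate was removed deliberately so builds also run on pull requests, move the condition onto the step that pushes the image rather than removing it; otherwise restore `if: ${{ github.event_name == 'push' }}` on the job. The job's steps continue past the end of the hunk.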
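Review bot: The release job is scoped to `contents: read` and its checkout no longer persists credentials, yet the checkout uses `fetch-depth: 0` with `ref: main`, the usual setup for a job that tags or pushes a release commit, and those steps lie outside the hunk. If any of them push a tag or commit, or create a GitHub release with `GITHUB_TOKEN`, this scope is too narrow and the run will fail at that step; either raise this job to `contents: write` or confirm the steps use a dedicated token passed to them explicitly. The enclosing job definition begins before this hunk.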