diff --git a/.github/workflows/assign-reviewers.yml b/.github/workflows/assign-reviewers.yml
index 267fd7c8af43..e22123762fff 100644
--- a/.github/workflows/assign-reviewers.yml
+++ b/.github/workflows/assign-reviewers.yml
@@ -12,7 +12,7 @@ jobs:
 assign-reviewers:
 runs-on: ubuntu-latest
 steps:
- - uses: trask/component-owners@main
+ - uses: trask/component-owners@02dfde3c03025c064cc6961975e28a42e81c394a # main
 with:
 # this repository is using this action to request doc review
 assign-owners: false
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index ef4554c9f62f..aa86b6dd692d 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -1,6 +1,9 @@
 name: Labeler
 on: [pull_request_target]
+permissions:
+ contents: read
+
 jobs:
 label:
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
index 8b8f7c182e9b..be31bb50b1af 100644
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -2,8 +2,13 @@ name: Prepare patch release
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 prepare-patch-release:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
index 615ad5c3f4e3..18e9b527d529 100644
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -2,6 +2,9 @@ name: Prepare release branch
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 prereqs:
 runs-on: ubuntu-latest
@@ -21,6 +24,8 @@ jobs:
 fi
 create-pull-request-against-release-branch:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 needs:
 - prereqs
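Review bot: The trailing `# main` on the pinned `trask/component-owners` line names a branch rather than a release, so nothing in the file records which upstream state the 40-hex commit corresponds to or how stale it has become. Before merging, confirm that the commit is reachable from the upstream repository's `main` (GitHub also resolves SHAs that exist only in a fork of the action), and make the same check for the `lycheeverse/lychee-action` pin against its `v2.2.0` tag in reusable-markdown-link-check.yml. If upstream publishes tags, pinning a tagged commit and naming the tag in the comment gives update tooling something to track; otherwise a comment such as `# main as of <date>` would help. Whether this workflow declares its own `permissions:` block cannot be seen, because the hunk starts at line 12.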
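Review bot: With `on: [pull_request_target]`, the new top-level `permissions: contents: read` sets every other scope of the workflow token to none, so the `label` job can apply labels only if it declares `pull-requests: write` itself. The job body is outside the hunk; please confirm it carries a job-level `permissions:` block with `pull-requests: write`, otherwise labelling will presumably be rejected for lack of permission. Because this trigger runs in the base repository's context for pull requests from forks, it is also worth confirming that no step checks out or executes the pull request's head code.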
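Review bot: The job-level block added to `create-pull-request-against-release-branch` grants only `contents: write`, and a job-level `permissions:` replaces the workflow default, so every unlisted scope is none for this job. If the pull request is opened with the workflow's `GITHUB_TOKEN` (the steps are outside the hunk), the job also needs `pull-requests: write`; if a separate bot token does the push and opens the PR, `contents: write` on `GITHUB_TOKEN` may be unnecessary and could stay at `read`. The same question applies to `create-pull-request-against-main` in the next hunk and to the `prepare-patch-release` job in prepare-patch-release.yml. The `# for Git to git push` comment would be more useful if it named the step that pushes.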
@@ -74,6 +79,8 @@ jobs:
 --base $RELEASE_BRANCH_NAME
 create-pull-request-against-main:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 needs:
 - prereqs
diff --git a/.github/workflows/publish-petclinic-benchmark-image.yml b/.github/workflows/publish-petclinic-benchmark-image.yml
index 6dd3f94ddd54..5e08f26f364d 100644
--- a/.github/workflows/publish-petclinic-benchmark-image.yml
+++ b/.github/workflows/publish-petclinic-benchmark-image.yml
@@ -7,6 +7,9 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable-markdown-link-check.yml b/.github/workflows/reusable-markdown-link-check.yml
index 1d148bd76ec3..88d890a11de2 100644
--- a/.github/workflows/reusable-markdown-link-check.yml
+++ b/.github/workflows/reusable-markdown-link-check.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: lycheeverse/lychee-action@v2
+ - uses: lycheeverse/lychee-action@f796c8b7d468feb9b8c0a46da3fac0af6874d374 # v2.2.0
 with:
 # excluding links to pull requests and issues is done for performance
 args: >
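Review bot: The top-level `permissions: contents: read` in publish-petclinic-benchmark-image.yml leaves the `publish` job with no package scope, and this hunk adds no job-level block to restore one. If the image is pushed to GitHub's container registry with `GITHUB_TOKEN` (the steps are outside the hunk, so this is inferred from the workflow's name), the job needs its own `permissions:` with `contents: read` and `packages: write`, or the push will be rejected. If the push authenticates with separate registry credentials from secrets, the change is fine as written, and a one-line comment saying so would save the next reader the check.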