diff --git a/.github/codecov.yml b/.github/codecov.yml
index e5c9a38..c2cbbb4 100644
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -1,6 +1,3 @@
-codecov:
-  allow_coverage_offsets: true  # Avoid "Missing base report" due to committing with "[CI skip]"
-
 comment:
   layout: "diff, files"
 
@@ -9,3 +6,4 @@ coverage:
     project:
       default:
         threshold: 0.1%
+    patch: off
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 3a022c8..3cd9fbc 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -19,6 +19,9 @@ on:
       - "!.coveragerc"
       - "!.gitignore"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Run Tests on Multiple Platforms"
diff --git a/.github/workflows/publish_package.yml b/.github/workflows/publish_package.yml
index 8d349fb..a85c587 100644
--- a/.github/workflows/publish_package.yml
+++ b/.github/workflows/publish_package.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [ created ]
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python distributions to PyPI
diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index b0a9df3..ad8ca77 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -8,6 +8,11 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  statuses: write
+  pull-requests: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ruff_check.yml b/.github/workflows/ruff_check.yml
index 9d9705c..5040265 100644
--- a/.github/workflows/ruff_check.yml
+++ b/.github/workflows/ruff_check.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   ruff_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-on-gpu.yml b/.github/workflows/run-on-gpu.yml
index 8096072..8ef7617 100755
--- a/.github/workflows/run-on-gpu.yml
+++ b/.github/workflows/run-on-gpu.yml
@@ -22,6 +22,9 @@ on:
       - "!.coveragerc"
       - "!.gitignore"
 
+permissions:
+  contents: read
+
 jobs:
   test-cli-gpu:
     name: "Run Tests on GPU Runners"
diff --git a/.github/workflows/test-mac.yml b/.github/workflows/test-mac.yml
index c4ea246..04bdb16 100644
--- a/.github/workflows/test-mac.yml
+++ b/.github/workflows/test-mac.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - comfy_cli/**
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: macos-latest
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index a13b14d..c349c46 100755
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - comfy_cli/**
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest