diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d83c554f3..42d253b83 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,6 +23,9 @@ on:
 jobs:
 analyze:
 name: Analyze
+ permissions:
+ contents: read
+ security-events: write
 runs-on: ubuntu-latest
 strategy:
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index e4e8fc877..dc6d54f8d 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -1,4 +1,7 @@
 name: Node.js CI
+permissions:
+ contents: read
+ checks: write
 on:
 push:
@@ -35,6 +38,7 @@ jobs:
 run: yarn coverage
 - name: Publish to coveralls.io
 if: matrix.node-version == '20.x'
- uses: coverallsapp/github-action@v2.3.4
+ # coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 corresponds to v2.3.4
+ uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8
 with:
 github-token: ${{ github.token }}
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index eaa044770..73c115142 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,9 @@ on:
 release:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
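Review bot: In `.github/workflows/codeql-analysis.yml`, the new job-level `permissions` block on `analyze` sets every scope it does not list to `none`, and that includes `actions`. GitHub's CodeQL documentation lists `actions: read` next to `contents: read` as required when the repository is private. If this repository is private, or may become so, add `actions: read` to the block so the analysis does not start failing on a visibility change.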
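Review bot: In `.github/workflows/nodejs.yml`, `checks: write` is granted at workflow level, so every job and every matrix entry gets a token with that scope, although the only visible consumer of `github.token` is the Coveralls step that runs for `20.x`. Steps such as `yarn coverage` execute dependency code, and if the checkout step (outside this hunk) keeps its default credential persistence, later steps in the same job can read that token. Consider leaving only `permissions:` / `contents: read` at the top and adding `checks: write` in a job-level `permissions` block on the job that publishes coverage. Confirm first that the Coveralls action needs the scope at all.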
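Review bot: In the second hunk of `.github/workflows/nodejs.yml`, the version comment sits on its own line and repeats the full SHA, so it must be edited by hand at every bump and can drift from the `uses:` line. The usual form is a trailing comment, `uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2.3.4`, which Dependabot and Renovate update together with the SHA. Before merging, confirm that this SHA is the commit the `v2.3.4` tag points to in `coverallsapp/github-action` itself, since GitHub also resolves a commit that exists only in a fork of the action's repository. The job's other `uses:` lines are outside the hunk; if they still reference tags, the same pinning applies to them.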
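Review bot: In `.github/workflows/npm-publish.yml`, the workflow-level `permissions: contents: read` sets every unlisted scope to `none` for all jobs in the file, and only the start of the `build` job is visible here. If a later job publishes to GitHub Packages with `GITHUB_TOKEN` it needs `packages: write`, and `npm publish --provenance` needs `id-token: write`. Either gap would only show up as a failure at the next release, not in CI. Where one of these applies, grant the scope in a job-level `permissions` block on the publishing job only, so that `build` stays read-only.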