diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 296da8211..60ce8d6fe 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,9 @@
 name: build
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: "${{ matrix.id }}"
@@ -57,6 +61,8 @@ jobs:
       - name: Install Git
         run: apt-get -y install git
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install build tools
         shell: bash
         run: |
@@ -114,7 +120,8 @@ jobs:
         # actually exclude it, so it must first be touched
         run: |
           touch ola-${{ matrix.id }}-source-tree.tar.gz
-          tar --exclude=ola-${{ matrix.id }}-source-tree.tar.gz -cvzf ola-${{ matrix.id }}-source-tree.tar.gz .
+          touch .git
+          tar --exclude=ola-${{ matrix.id }}-source-tree.tar.gz --exclude=.git -cvzf ola-${{ matrix.id }}-source-tree.tar.gz .
       - name: SHA256 artifact archives
         if: always()
         run: sha256sum ola-*.tar.gz
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 7fff3d801..8f4c2987d 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -3,6 +3,10 @@
 
 name: debian
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   debian-build:
     name: 'Debian Build ${{ matrix.image_tag }} ${{ matrix.architecture }}'
@@ -28,6 +32,8 @@ jobs:
       - name: Install Git
         run: apt-get -y install git
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install build tools
         run: apt-get -y install devscripts adduser fakeroot sudo
       - name: Install build dependencies
@@ -70,7 +76,9 @@ jobs:
         architecture: [amd64]
     container: debian:${{ matrix.image_tag }}
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Download build artifact
         uses: actions/download-artifact@v4
         with:
diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
index 9aff6b16d..503b77b3f 100644
--- a/.github/workflows/isort.yml
+++ b/.github/workflows/isort.yml
@@ -1,12 +1,15 @@
 name: isort
 
-on:
-  - push
-  - pull_request
+on: [push, pull_request]
+
+permissions:
+  contents: read
 
 jobs:
   isort:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: isort/isort-action@v1
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 12d892fb4..48ea86015 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,5 +1,9 @@
 name: lint
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build for Lint Tasks
@@ -17,6 +21,8 @@ jobs:
       - name: Install Git
         run: apt-get -y install git
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install build tools
         shell: bash
         run: |
@@ -53,7 +59,8 @@ jobs:
         # actually exclude it, so it must first be touched
         run: |
           touch ola-debian-stable-built-source-tree.tar.gz
-          tar --exclude=ola-debian-stable-built-source-tree.tar.gz -cvzf ola-debian-stable-built-source-tree.tar.gz .
+          touch .git
+          tar --exclude=ola-debian-stable-built-source-tree.tar.gz --exclude=.git -cvzf ola-debian-stable-built-source-tree.tar.gz .
       - name: SHA256 artifact archive
         run: sha256sum ola-debian-stable-built-source-tree.tar.gz
       - uses: actions/upload-artifact@v4
@@ -261,6 +268,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js v18
         uses: actions/setup-node@v3
         with:
diff --git a/Makefile.am b/Makefile.am
index 1da6851cb..57adc86fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -246,7 +246,7 @@ else
 endif
 
 # cpplint linter
-CPP_LINT_FILTER = "-legal/copyright,-readability/streams,-runtime/arrays"
+CPP_LINT_FILTER = "-legal/copyright,-readability/streams,-runtime/arrays,-whitespace/indent_namespace"
 CPP_LINT_FILES = $(shell find . \( -name "*.h" -or -name "*.cpp" \) -and ! \( \
         -wholename "./common/protocol/Ola.pb.*" -or \
         -wholename "./common/rpc/Rpc.pb.*" -or \
diff --git a/include/ola/rdm/RDMAPI.h b/include/ola/rdm/RDMAPI.h
index 63c036b7e..b55018675 100644
--- a/include/ola/rdm/RDMAPI.h
+++ b/include/ola/rdm/RDMAPI.h
@@ -18,7 +18,7 @@
  * Copyright (C) 2010 Simon Newton
  *
  * This class provides a high level C++ RDM API for PIDs defined in
- * E1.20. It includes errors checking for out-of-range arguments. Each RDM
+ * E1.20. It includes error checking for out-of-range arguments. Each RDM
  * method takes a pointer to a string, which will be populated with an English
  * error message if the command fails.
  */
@@ -31,7 +31,7 @@
  *
  * This class provides a high level C++ RDM API for PIDS defined in E1.20. It
  * includes error checking for out-of-range arguments. Each RDM method takes a
- * pointer to a string, which will be populated with an english error message
+ * pointer to a string, which will be populated with an English error message
  * if the command fails.
  * @}
  *