diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..6f3072cf
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+* @anishnaik @bsamuels453 @james-miller-93 @Jaime-Iglesias
+/program-analysis/echidna/ @elopez
+/learn_evm/ @bohendo
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1ce4d451..c95e24f9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,9 +23,10 @@ jobs:
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 - name: Install mdbook
 run: |
- cargo install --git https://github.com/montyly/mdBook.git mdbook || true
+ cargo install --git https://github.com/trail-of-forks/mdBook.git --branch building-secure-contracts mdbook || true
 - name: Build artifacts
 run: mdbook build
 - name: Upload artifact
diff --git a/.github/workflows/echidna.yml b/.github/workflows/echidna.yml
index b7e2b1d4..ff4c85dc 100644
--- a/.github/workflows/echidna.yml
+++ b/.github/workflows/echidna.yml
@@ -17,6 +17,9 @@ on:
 # run CI every day even if no PRs/merges occur
 - cron: "0 12 * * *"
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: ${{ matrix.name }}
@@ -129,6 +132,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Checkout Damn Vulnerable DeFi solutions
 uses: actions/checkout@v5
@@ -137,6 +142,7 @@ jobs:
 repository: crytic/damn-vulnerable-defi-echidna
 ref: solutions
 path: ${{ matrix.workdir }}
+ persist-credentials: false
 - name: Set up Nodejs
 uses: actions/setup-node@v5
diff --git a/.github/workflows/lint_format.yml b/.github/workflows/lint_format.yml
index c3de35f5..cc962f71 100644
--- a/.github/workflows/lint_format.yml
+++ b/.github/workflows/lint_format.yml
@@ -6,6 +6,9 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
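Review bot: The new `cargo install` line in the deploy.yml hunk builds mdbook from the tip of the `building-secure-contracts` branch, so the binary that produces the uploaded artifact changes whenever that branch moves, and the trailing `|| true` lets the job continue when the install fails. Pinning the source and the dependency set makes the build reproducible: `cargo install --locked --git https://github.com/trail-of-forks/mdBook.git --rev <pinned-commit-sha> mdbook`. The `|| true` is presumably there to tolerate an already-installed binary; if so, putting `command -v mdbook ||` in front of the install instead keeps real failures visible. The `ref: solutions` checkouts in the echidna.yml and medusa.yml hunks appear to follow a branch in the same way.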
@@ -15,6 +18,7 @@ jobs:
 uses: actions/checkout@v5
 with:
 submodules: true
+ persist-credentials: false
 - name: Set up Node.js
 uses: actions/setup-node@v5
diff --git a/.github/workflows/lint_links.yml b/.github/workflows/lint_links.yml
index 7147b0cc..bb1e8729 100644
--- a/.github/workflows/lint_links.yml
+++ b/.github/workflows/lint_links.yml
@@ -15,6 +15,9 @@ on:
 # run CI at 09:00 every Tuesday even if no PRs/merges occur
 - cron: "0 9 * * 2"
+permissions:
+ contents: read
+
 jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
@@ -22,6 +25,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 submodules: recursive
+ persist-credentials: false
 - uses: tcort/github-action-markdown-link-check@v1
 with:
 use-quiet-mode: "yes"
diff --git a/.github/workflows/manticore.yml b/.github/workflows/manticore.yml
index 0830e109..a5e53ddc 100644
--- a/.github/workflows/manticore.yml
+++ b/.github/workflows/manticore.yml
@@ -15,13 +15,16 @@ on:
 # run CI every day even if no PRs/merges occur
 - cron: "0 12 * * *"
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ubuntu-22.04
- strategy:
- fail-fast: false
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Set up Python 3.8
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/medusa.yml b/.github/workflows/medusa.yml
index 2810f48f..16756dfc 100644
--- a/.github/workflows/medusa.yml
+++ b/.github/workflows/medusa.yml
@@ -17,6 +17,9 @@ on:
 # run CI every day even if no PRs/merges occur
 - cron: "0 12 * * *"
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: ${{ matrix.name }}
@@ -125,6 +128,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Checkout Damn Vulnerable DeFi solutions
 uses: actions/checkout@v5
@@ -133,6 +138,7 @@ jobs:
 repository: crytic/damn-vulnerable-defi-echidna
 ref: solutions
 path: ${{ matrix.workdir }}
+ persist-credentials: false
 - name: Set up Nodejs
 uses: actions/setup-node@v5
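Review bot: In the second lint_links.yml hunk, the step after the hardened checkout still runs `tcort/github-action-markdown-link-check@v1`, a third-party action referenced by a movable tag, so the code executed in this job can change without any change in this repository. The read-only token and `persist-credentials: false` added here limit what that code can reach; pinning the reference to a full commit SHA closes the remaining gap, for example `uses: tcort/github-action-markdown-link-check@<full-commit-sha> # v1`. The `actions/checkout@v5`, `actions/setup-node@v5` and `actions/setup-python@v6` references in the other workflow hunks are tag-based as well.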
diff --git a/CODEOWNERS b/CODEOWNERS
deleted file mode 100644
index ea90a68b..00000000
--- a/CODEOWNERS
+++ /dev/null
@@ -1,3 +0,0 @@
-* @montyly @ggrieco-tob @james-miller-93 @Jaime-Iglesias @anishnaik @bsamuels453
-/program-analysis/echidna/ @ggrieco-tob
-/learn_evm/ @bohendo
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 10a41b54..3cbc804d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -68,9 +68,9 @@ We utilize `mdbook` to generate [secure-contracts.com](https://secure-contracts.
 To run it locally:
-```
-cargo install --git https://github.com/montyly/mdBook.git mdbook
+```bash
+cargo install --git https://github.com/trail-of-forks/mdBook.git --branch building-secure-contracts mdbook
 mdbook build
 ```
-Note: We use https://github.com/montyly/mdBook.git, which contains https://github.com/rust-lang/mdBook/pull/1584.
+Note: We use https://github.com/trail-of-forks/mdBook.git, which contains https://github.com/rust-lang/mdBook/pull/1584.