diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 51ace69..eb13d70 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 13791ce..7d3a9b0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,8 @@
 ---
 name: Linting
+permissions:
+ contents: read
 on: [pull_request]
 jobs:
@@ -9,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: Set up Python 3
 uses: actions/setup-python@v3
@@ -17,7 +21,7 @@ jobs:
 run: pip3 install flake8
 - name: Set up reviewdog
- uses: reviewdog/action-setup@v1
+ uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1
 - name: Run flake8
 env:
@@ -34,9 +38,11 @@ jobs:
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: Set up Python 3
 uses: actions/setup-python@v3
 - name: ansible-lint
- uses: reviewdog/action-ansiblelint@v1
+ uses: reviewdog/action-ansiblelint@5b8ca4b12dcbcdf63d4739dacd90609abafe8924 # v1
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ce4018f..3a946f5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,6 +1,8 @@
 ---
 name: Tests
+permissions:
+ contents: read
 on: [push, pull_request]
 jobs:
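Review bot: The update config tracks only the `github-actions` ecosystem, so the unversioned `pip3 install flake8` visible in lint.yml stays outside any pinning or update process. If the linter version should be reproducible, pin it in a requirements file and add a second `updates` entry with `package-ecosystem: "pip"` for that directory. The new file also starts with an empty line and omits the `---` document marker that lint.yml and tests.yml begin with.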
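Review bot: `actions/checkout@v3` and `github/codeql-action/init@v1` on the context lines of the codeql-analysis.yml hunk still resolve through mutable tags, while the same commit pins the reviewdog actions in lint.yml to full commit SHAs. If the intent is that a retagged release cannot change what runs, pin these the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v3.x.y` (placeholder; take the SHA from the upstream release); the checkout and `actions/setup-python@v3` steps in the lint.yml and tests.yml hunks have the same gap. This workflow also gets no `permissions:` block in this commit, unlike lint.yml and tests.yml; the rest of the file is outside the hunk, so confirm it already limits the token to what CodeQL needs (`security-events: write` plus read access).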
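Review bot: The workflow-level `permissions: contents: read` added at the top of lint.yml sets every other token scope to none, and the reviewdog steps further down the file normally report through the checks or pull-request API. Which reporter they use is not visible in these hunks; if it is `github-pr-check` or `github-pr-review`, the job needs `checks: write` or `pull-requests: write` respectively, otherwise findings can presumably only reach the job log. Grant that scope in a `permissions:` block on the job that runs reviewdog rather than widening the workflow default.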
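Review bot: The trailing `# v1` on the pinned `reviewdog/action-setup` line names a moving major tag, so the file does not record which release the SHA was taken from. Write the exact release instead, `uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # vX.Y.Z` (placeholder for the release that commit belongs to), and do the same for `reviewdog/action-ansiblelint` in the last lint.yml hunk; Dependabot keeps a full version comment in step with the SHA when it bumps the pin. Before merging, verify that both SHAs are commits in the upstream repositories' release history, since GitHub also resolves a commit that exists only in a fork of the action.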
@@ -11,6 +13,8 @@ jobs:
 python-version: ["3.11", "3.12"]
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: Install Python ${{ matrix.python-version }}
 uses: actions/setup-python@v3