diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index f9edcea..e67f0bf 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Lint with Black
+permissions:
+ contents: read
 on: [push, pull_request]
@@ -7,4 +9,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: psf/black@stable
+ with:
+ persist-credentials: false
+ - uses: psf/black@8a737e727ac5ab2f1d4cf5876720ed276dc8dc4b # 25.1.0
diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
index 5349300..342166a 100644
--- a/.github/workflows/check-test-coverage.yml
+++ b/.github/workflows/check-test-coverage.yml
@@ -1,4 +1,6 @@
 name: Coverage (with doctests)
+permissions:
+ contents: read
 on:
 push:
 branches: [ master ]
@@ -10,6 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v2
 with:
@@ -23,7 +27,7 @@ jobs:
 export MPL_IMGCOMP_TOLERANCE=20
 coverage run -m pytest --mpl --doctest-glob="probscale/*.py" --cov-report=xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v1
+ uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
 with:
 # directory: ./coverage/reports/
 flags: unittests
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index c2d12c0..67922bb 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
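Review bot: The new `.github/dependabot.yml` starts with an empty first line and tracks only the `github-actions` ecosystem. Dropping the blank line (or opening the file with `---`) keeps YAML linters quiet. Since the workflows in this repository install and test a Python package, a second `updates` entry with `package-ecosystem: "pip"` would give the Python dependencies the same weekly coverage, assuming the project declares them in a file Dependabot can read.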
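Review bot: In the second hunk of `.github/workflows/black.yml`, `actions/checkout@v3` stays on a mutable tag while `psf/black` on the following step is pinned to a full commit SHA, so the pinning policy covers only part of the job. The same holds for `actions/checkout@v2` and `actions/setup-python@v2` in the hunks for check-test-coverage.yml, python-publish.yml, python-runlinter.yml and python-runtests-all.yml; the publish workflow is where it matters most, since that job presumably handles the package-index credentials. Pin these in the form already used here, `uses: actions/checkout@<full-commit-sha> # <tag>`, and let the new Dependabot config move them forward. It is also worth confirming against the upstream repository that the SHA on the `psf/black` line really is the commit tagged `25.1.0`, because the trailing comment is the only thing tying it to a release.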
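Review bot: In the third hunk of check-test-coverage.yml the pin freezes `codecov/codecov-action` at the commit labelled `# v1`, a long-superseded major line of that action. As far as I know the v1 action fetched Codecov's bash uploader at run time and Codecov has since retired that line, so a SHA pin on the action would not fix the code that actually executes, and the upload step may no longer work at all; please confirm before merging. Prefer moving to a currently supported major release and pinning that commit, `uses: codecov/codecov-action@<full-commit-sha> # <current-tag>`, with any upload token passed through `secrets`. The step's `with:` block may continue past the end of the hunk.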
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 name: Publish Python Package
+permissions:
+ contents: read
 on:
 release:
@@ -14,6 +16,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/python-runlinter.yml b/.github/workflows/python-runlinter.yml
index 1a27d2f..c99fda8 100644
--- a/.github/workflows/python-runlinter.yml
+++ b/.github/workflows/python-runlinter.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 name: Lint with flake8
+permissions:
+ contents: read
 on:
 push:
@@ -15,6 +17,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/python-runtests-all.yml b/.github/workflows/python-runtests-all.yml
index 6eecd68..35db319 100644
--- a/.github/workflows/python-runtests-all.yml
+++ b/.github/workflows/python-runtests-all.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 name: Run units test (w/ img comps)
+permissions:
+ contents: read
 on:
 push:
@@ -19,6 +21,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
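Review bot: The workflow-level `permissions: contents: read` added in the first hunk of python-publish.yml applies to every job, and the publish steps themselves lie outside the hunks shown, so it is not visible whether the release job still has what it needs. If the job uploads with an API token taken from `secrets`, read-only is the right default. If it uses OIDC trusted publishing it needs `id-token: write`, and if it attaches files to the GitHub release it needs `contents: write`; grant those in a job-level `permissions:` block rather than widening the workflow default.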