diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 1149d39c..34bf1451 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index b1f93b25..45a7a032 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 503e4b77..186b1b24 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f8b17025..5304739f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,6 +15,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index ee11c1cb..c7b3fc3e 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,6 +10,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index a3bb18da..539c2c98 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -19,6 +19,10 @@ on:
       PUBLISH_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish:
     name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b8ab36b..1ce61177 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -251,6 +251,7 @@ jobs:
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
     permissions:
+      contents: read
       id-token: write
     secrets:
       PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
diff --git a/package.json b/package.json
index 9db131e6..4e63e63f 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
     "posttest": "npm run lint"
   },
   "devDependencies": {
-    "@npmcli/template-oss": "4.23.3",
+    "@npmcli/template-oss": "4.24.3",
     "tap": "^12.7.0"
   },
   "license": "ISC",
@@ -32,6 +32,6 @@
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
     "content": "./scripts/template-oss",
-    "version": "4.23.3"
+    "version": "4.24.3"
   }
 }
diff --git a/release-please-config.json b/release-please-config.json
index a1676b9c..c56fd1d8 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -33,5 +33,5 @@
       "package-name": ""
     }
   },
-  "prerelease-type": "pre"
+  "prerelease-type": "pre.0"
 }