diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 14bccd5..cff984b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,9 +8,13 @@ on:
 
 jobs:
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
       - run: pip install black
       - run: black pywisetransfer test
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 247ee39..f9ed700 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -7,11 +7,15 @@ on:
 
 jobs:
   test:
+    permissions:
+      contents: read
     environment: release-live
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
       - run: pip install poetry
       - run: poetry config pypi-token.pypi ${{ secrets.PYPI_API_KEY }}
       - run: poetry publish --build
diff --git a/.github/workflows/publish-tag.yml b/.github/workflows/publish-tag.yml
index 71e69d5..2208ceb 100644
--- a/.github/workflows/publish-tag.yml
+++ b/.github/workflows/publish-tag.yml
@@ -7,11 +7,15 @@ on:
 
 jobs:
   test:
+    permissions:
+      contents: read
     environment: release-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
       - run: pip install poetry
       - run: poetry config repositories.testpypi https://test.pypi.org/legacy/
       - run: poetry config pypi-token.testpypi ${{ secrets.TEST_PYPI_API_KEY }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 90db59c..35baba6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,9 +8,13 @@ on:
 
 jobs:
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
       - run: pip install .[dev]
       - run: pytest