diff --git a/.github/workflows/cli-test.yml b/.github/workflows/cli-test.yml
index 5e2463d00..8878ea74d 100644
--- a/.github/workflows/cli-test.yml
+++ b/.github/workflows/cli-test.yml
@@ -17,6 +17,8 @@ jobs:
 find-nightly:
 name: Find Nightly Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
 url: ${{ steps.get-url.outputs.nightly-url }}
 steps:
@@ -33,6 +35,8 @@ jobs:
 set-matrix:
 name: Set Matrix for cli-test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -47,6 +51,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 needs: [find-nightly, set-matrix]
 timeout-minutes: 30
+ permissions:
+ contents: read
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c529a7726..66bc04a69 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,6 +11,12 @@ on:
 jobs:
 codeql:
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ language:
+ - javascript
+ - actions
+ fail-fast: false
 permissions:
 contents: read
@@ -24,7 +30,7 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@main
 with:
- languages: javascript
+ languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
 tools: latest
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 34be85e8f..c5cb6c22a 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 e2e-test:
 name: E2E Test
diff --git a/.github/workflows/label-issue.yml b/.github/workflows/label-issue.yml
index e4a51b71b..ac7bbeb70 100644
--- a/.github/workflows/label-issue.yml
+++ b/.github/workflows/label-issue.yml
@@ -3,6 +3,9 @@ on:
 issues:
 types: [opened]
+permissions:
+ issues: write
+
 jobs:
 label:
 name: Label issue
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 82af7c7e8..167cee8cb 100644
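Review bot: The same `permissions:` / `contents: read` block is added three times at job level in cli-test.yml (the find-nightly job in the hunk at -17, then set-matrix at -33 and the matrix job at -47), which leaves any job not shown in these hunks, and any job added later, on the repository's default token permissions. A single workflow-level block placed before `jobs:`, as this commit does in e2e-tests.yml and main.yml, would cover every job at once. If the per-job form is deliberate, a comment on each block such as `# least privilege: this job only reads the repository` would record the intent. All three job bodies continue outside their hunks.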
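Review bot: In codeql.yml, `languages: ${{ matrix.language }}` now sends two analyses through the same `config-file: ./.github/codeql/codeql-config.yml`, and that config is not part of this diff. If it carries `paths`/`paths-ignore` entries or query filters written for the JavaScript sources, the `actions` run may end up covering little or none of `.github/workflows`, so it is worth confirming the config suits both languages. The job also has no `name:`; adding `name: CodeQL (${{ matrix.language }})` would make the two matrix runs easy to tell apart in the checks list. The rest of the init step and the analyze step are outside the hunk.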
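Review bot: `issues: write` in label-issue.yml is the only write grant in this commit and it is set at workflow level, so every job in the file receives it. The workflow runs on `issues: opened`, where the title and body are untrusted input, so the grant is better declared on the `label` job itself with a short comment, e.g. `# issues: write is needed to add labels; all other scopes stay at none`. Listing one scope drops the unlisted ones to none, so if a step outside this hunk checks out the repository, confirm it still works without `contents: read`.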
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 757d953de..c546d101a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,6 +16,8 @@ jobs:
 build:
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -156,6 +158,8 @@ jobs:
 needs: build
 environment: publish-open-vsx
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 env:
 OPEN_VSX_TOKEN: ${{ secrets.OPEN_VSX_TOKEN }}
 steps:
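Review bot: The `build` job in release.yml is named `Release`, and the added `contents: read` only fits it if none of its steps writes to the repository; the steps after the checkout are outside this hunk. Creating a GitHub release, uploading release assets or pushing a tag with `GITHUB_TOKEN` needs `contents: write` and would be rejected under this block, so those steps should be checked before merging. If one of them does need it, grant `contents: write` on this job only, with a comment naming the step. Jobs in this file that receive no `permissions:` block keep the repository default, so a workflow-level `permissions:` / `contents: read` with per-job overrides would be a safer baseline.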
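Review bot: The publish-open-vsx job in release.yml (hunk at -156) authenticates to the registry through `secrets.OPEN_VSX_TOKEN` rather than `GITHUB_TOKEN`, so `contents: read` is needed only if its steps, which are outside the hunk, check out the repository. If the job presumably just consumes the artifact produced by `build`, `permissions: {}` would remove the GitHub token's access altogether from a job that holds a publishing secret. Either way a comment such as `# GITHUB_TOKEN is not used for publishing; OPEN_VSX_TOKEN is` would document the split.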