diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index 64e20a81e83e..e8df16d8797b 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -107,7 +107,7 @@ jobs:
           rm -rf ./build/oapitmp
           rm -rf ./build/ebpf/
       - name: Upload build output
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: build-output
           path: build
@@ -209,7 +209,7 @@ jobs:
             ${{ runner.os }}-${{ runner.arch }}-devtools
       # FIXME: Workaround for Request Timeout issue of artifacts https://github.com/actions/download-artifact/issues/249
       - name: Download artifacts with retry
-        uses: Wandalen/wretry.action@master
+        uses: Wandalen/wretry.action@a163f62ae554a8f3cbe27b23db15b60c0ae2e93c # master
         with:
           action: actions/download-artifact@v4
           with: |
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index dbb2875149d0..6676399cadff 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -6,6 +6,8 @@ on:
       - opened
       - reopened
       - synchronized
+permissions:
+  contents: read
 jobs:
   # This job checks the PR title using
   # https://github.com/conventional-changelog/commitlint
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 71a456a74f23..b278c9d847aa 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -2,6 +2,8 @@ name: "CodeQL"
 on:
   push:
     branches: ["master"]
+permissions:
+  contents: read
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index cf4b1ce45203..485f15440ffb 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -80,7 +80,7 @@ jobs:
       # FIXME: Workaround for Request Timeout issue of artifacts https://github.com/actions/download-artifact/issues/249
       - name: "GitHub Actions: download build artifacts with retry"
         if: steps.eval-params.outputs.run-type == 'github'
-        uses: Wandalen/wretry.action@master
+        uses: Wandalen/wretry.action@a163f62ae554a8f3cbe27b23db15b60c0ae2e93c # master
         with:
           action: actions/download-artifact@v4
           with: |