diff --git a/.github/workflows/check_changelog.yml b/.github/workflows/check_changelog.yml
index cc85b591977..6995c399b34 100644
--- a/.github/workflows/check_changelog.yml
+++ b/.github/workflows/check_changelog.yml
@@ -5,6 +5,9 @@ on:  # yamllint disable-line rule:truthy
     types: [opened, synchronize, labeled, unlabeled]
     branches: ["main"]
 
+permissions:
+  contents: read
+
 jobs:
   changelog_checker:
     name: Check towncrier entry in doc/changes/devel/
diff --git a/.github/workflows/circle_artifacts.yml b/.github/workflows/circle_artifacts.yml
index fa32e1ce80c..301c6234eb5 100644
--- a/.github/workflows/circle_artifacts.yml
+++ b/.github/workflows/circle_artifacts.yml
@@ -1,4 +1,7 @@
 on: [status]  # yamllint disable-line rule:truthy
+permissions:
+  contents: read
+  statuses: write
 jobs:
   circleci_artifacts_redirector_job:
     if: "${{ startsWith(github.event.context, 'ci/circleci: build_docs') }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cb769988655..34b3ce9b130 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 repos:
   # Ruff mne
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.1
+    rev: v0.9.2
     hooks:
       - id: ruff
         name: ruff lint mne
@@ -82,7 +82,7 @@ repos:
 
   # zizmor
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.1.1
+    rev: v1.2.2
     hooks:
       - id: zizmor