diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b026948b..a8977db2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,4 +7,9 @@ updates:
 - package-ecosystem: "docker"
 directory: "/"
 schedule:
- interval: "weekly"
\ No newline at end of file
+ interval: "weekly"
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 0e4925a0..c92beedf 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -14,6 +14,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 bench-dnstaptcp:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 57f65f90..005fe4de 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,6 +14,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 go-ubuntu:
diff --git a/.github/workflows/golint.yml b/.github/workflows/golint.yml
index f6ceac2a..10457c16 100644
--- a/.github/workflows/golint.yml
+++ b/.github/workflows/golint.yml
@@ -14,8 +14,14 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 linter:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 runs-on: ubuntu-22.04
 steps:
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 277f3054..63d38b3b 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -4,8 +4,13 @@ on:
 tags:
 - 'v*'
+permissions:
+ contents: read
+
 jobs:
 goreleaser:
+ permissions:
+ contents: write # for goreleaser/goreleaser-action to create a GitHub release
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b3533642..b2413be8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
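Review bot: In `.github/dependabot.yml` the new `github-actions` entry writes its scalars unquoted (`github-actions`, `/`, `daily`) while the existing `docker` entry quotes them, so the file now mixes two styles; I would write `- package-ecosystem: "github-actions"`, `directory: "/"` and `interval: "daily"` to match. The `uses:` lines of the workflows are not part of this diff, so it is worth confirming that third-party actions are referenced by full commit SHA; the update PRs Dependabot opens then show an exact, immutable revision change rather than a tag that can be moved.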
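Review bot: In `.github/workflows/golint.yml` the `linter` job grants `pull-requests: read`, which golangci-lint-action needs only when its `only-new-issues` input is set; the job's `steps:` continue outside the hunk, so I cannot see whether it is. If that input is not used, drop the line so the job token carries `contents: read` alone. A job-level `permissions` block replaces the workflow-level one rather than merging with it, so I would also put a short comment above the job block, e.g. `# job-level permissions replace the workflow default for this job`.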
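Review bot: In `.github/workflows/goreleaser.yml` the `contents: write` grant on the `goreleaser` job applies to every step of that job, not only to goreleaser/goreleaser-action, so the checkout and any build step that runs before the release also hold a token that can write to the repository. The steps continue outside the hunk; if no later step pushes with git, add `persist-credentials: false` under the checkout step's `with:` so the write-scoped token is not left in the local git config. Since this is the one job in the commit with write access, the actions it uses are the ones most worth pinning to full commit SHAs.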
@@ -4,6 +4,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 dockerhub:
diff --git a/.github/workflows/testing-dnstap.yml b/.github/workflows/testing-dnstap.yml
index dbc5ed10..bed1dfcd 100644
--- a/.github/workflows/testing-dnstap.yml
+++ b/.github/workflows/testing-dnstap.yml
@@ -14,6 +14,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 unbound:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/testing-go.yml b/.github/workflows/testing-go.yml
index 95226535..ef03183d 100644
--- a/.github/workflows/testing-go.yml
+++ b/.github/workflows/testing-go.yml
@@ -14,6 +14,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 dev:
 strategy:
diff --git a/.github/workflows/testing-powerdns.yml b/.github/workflows/testing-powerdns.yml
index 7455e64e..e17e0990 100644
--- a/.github/workflows/testing-powerdns.yml
+++ b/.github/workflows/testing-powerdns.yml
@@ -14,6 +14,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 dnsdist: