diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
index 321db470c55..ee1974409ad 100644
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@@ -1,6 +1,7 @@
 name: Basic checks
 on: workflow_dispatch
+permissions: {}
 
 # on:
 #   push:
@@ -20,6 +21,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # TODO: rename azure-pipelines/linux/xvfb.init to github-actions
       - name: Setup Build Environment
@@ -80,6 +83,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
@@ -146,6 +151,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 40dca0aaefb..61503aaa81c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,7 @@
 name: CI
 on: workflow_dispatch
+permissions: {}
 
 # on:
 #   push:
@@ -21,6 +22,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
@@ -103,6 +106,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # TODO: rename azure-pipelines/linux/xvfb.init to github-actions
       - name: Setup Build Environment
@@ -185,6 +190,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
@@ -258,6 +265,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
diff --git a/.github/workflows/monaco-editor.yml b/.github/workflows/monaco-editor.yml
index 2f32abb59b0..56c30d0ba74 100644
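Review bot: `permissions: {}` is now set at the workflow level, yet the job in the `@@ -20,6 +21,8 @@` hunk (and the same pattern in the `-80`, `-146` hunks, the four ci.yml checkout hunks and the monaco-editor.yml one) still exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` through the job `env:`, so that token now carries nothing beyond the implicit metadata read scope; any later step that uses it to call the API or push will fail, and if no step uses it the export is dead and should be dropped. The job bodies run past the hunk, so I cannot tell which case applies; where a step does need it, add a job-level block such as `permissions:` / `  contents: read` listing only the scopes that step requires rather than widening the workflow default. Separately, this commit pins the third-party actions to commit SHAs but `actions/checkout@v4` here (and `actions/setup-node@v4` in the later hunks) stays on a floating major tag; pinning these to a SHA with a `# vX.Y.Z` comment, as done for `octokit/request-action`, would make the pinning policy consistent across the workflows.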
--- a/.github/workflows/monaco-editor.yml
+++ b/.github/workflows/monaco-editor.yml
@@ -9,6 +9,7 @@ on:
     branches:
       - main
       - release/*
+permissions: {}
 
 jobs:
   main:
@@ -19,6 +20,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
diff --git a/.github/workflows/no-package-lock-changes.yml b/.github/workflows/no-package-lock-changes.yml
index 45d5d17407b..059b1c2115f 100644
--- a/.github/workflows/no-package-lock-changes.yml
+++ b/.github/workflows/no-package-lock-changes.yml
@@ -1,12 +1,14 @@
 name: Prevent package-lock.json changes in PRs
-on: [pull_request]
+
+on: pull_request
+permissions: {}
 
 jobs:
   main:
     name: Prevent package-lock.json changes in PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: octokit/request-action@v2.x
+      - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         id: get_permissions
         with:
           route: GET /repos/microsoft/vscode/collaborators/{username}/permission
diff --git a/.github/workflows/no-yarn-lock-changes.yml b/.github/workflows/no-yarn-lock-changes.yml
index 57082a28b1c..fd643cd56a9 100644
--- a/.github/workflows/no-yarn-lock-changes.yml
+++ b/.github/workflows/no-yarn-lock-changes.yml
@@ -1,12 +1,14 @@
 name: Prevent yarn.lock changes in PRs
-on: [pull_request]
+
+on: pull_request
+permissions: {}
 
 jobs:
   main:
     name: Prevent yarn.lock changes in PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: octokit/request-action@v2.x
+      - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         id: get_permissions
         with:
           route: GET /repos/microsoft/vscode/collaborators/{username}/permission
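Review bot: The `octokit/request-action` step that calls `GET /repos/microsoft/vscode/collaborators/{username}/permission` in the no-package-lock-changes.yml hunk now runs under the workflow-level `permissions: {}` added in the same hunk, and the identical hunk in no-yarn-lock-changes.yml has the same situation. That endpoint should need only the implicit metadata read scope that `GITHUB_TOKEN` keeps, but the token this step is handed is configured below the hunk, so it is worth confirming on a pull request from a fork that the step still returns a permission object, since the later `should_run` expression feeds `steps.get_permissions.outputs.data` into `fromJson` and an error body would surface there rather than in this step. A comment above the new line, such as `# get_permissions needs only metadata read, which GITHUB_TOKEN retains under an empty permissions block`, would record why the empty block is safe for this job.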
@@ -22,7 +24,7 @@ jobs:
           echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}"
           echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT
       - name: Get file changes
-        uses: trilom/file-changes-action@ce38c8ce2459ca3c303415eec8cb0409857b4272
+        uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
         if: ${{ steps.control.outputs.should_run == 'true' }}
       - name: Check for lockfile changes
         if: ${{ steps.control.outputs.should_run == 'true' }}
diff --git a/.github/workflows/telemetry.yml b/.github/workflows/telemetry.yml
index a5ac3be4198..84a2ffaaf93 100644
--- a/.github/workflows/telemetry.yml
+++ b/.github/workflows/telemetry.yml
@@ -1,13 +1,15 @@
 name: 'Telemetry'
-on:
-  pull_request:
+on: pull_request
+permissions: {}
 
 jobs:
-  check-metdata:
+  check-metadata:
     name: 'Check metadata'
     runs-on: 'ubuntu-latest'
     steps:
       - uses: 'actions/checkout@v4'
+        with:
+          persist-credentials: false
 
       - uses: 'actions/setup-node@v4'
         with: