diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml
index 8ec096169..67b39b075 100644
--- a/.github/workflows/automerge-dependabot.yml
+++ b/.github/workflows/automerge-dependabot.yml
@@ -7,7 +7,7 @@ permissions: write-all
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: metadata
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index 910ad3dd3..420194a96 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -13,6 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
diff --git a/.github/workflows/publish-style-spec.yml b/.github/workflows/publish-style-spec.yml
index 53e2bf0f1..ba688f779 100644
--- a/.github/workflows/publish-style-spec.yml
+++ b/.github/workflows/publish-style-spec.yml
@@ -47,6 +47,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Use Node.js from nvmrc
 uses: actions/setup-node@v5
diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
index ba38c156b..8bc84adf9 100644
--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
@@ -6,17 +6,15 @@ on:
 pull_request:
 workflow_dispatch:
-permissions:
- checks: write
- pull-requests: write
- contents: write
-
 jobs:
 code-hygiene:
 name: Code Hygiene
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
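Review bot: The workflow-level `permissions: write-all` shown in the hunk header of automerge-dependabot.yml is left in place, so the auto-merge job still receives every token scope and the `if:` guard is the only thing between a pull request and that token. Narrow the grant to what the merge steps use, probably `contents: write` and `pull-requests: write`; confirm against the steps, which continue outside the hunk. A comment above the new condition, `# match the PR author; github.actor is whoever triggered the run, not necessarily the author`, would keep the check from being reverted later.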
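Review bot: In build-docs.yml the added `with: { persist-credentials: false }` is a flow mapping, while the `setup-node` step directly below it and the checkout step in publish-style-spec.yml write `with:` in block style. Prefer the block form here and in the three test-all.yml hunks, `with:` followed by an indented `persist-credentials: false`, so further inputs can be added without reshaping the line. The rest of the job is outside the hunk; if a later step pushes the built docs with git, it will need a token passed explicitly now that checkout no longer leaves one in the local git config.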
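Review bot: In publish-style-spec.yml, `persist-credentials: false` next to `fetch-depth: 0` means any later step in this publish job that runs `git push` or pushes a tag will no longer authenticate, because the token is not stored in the checkout's git config any more. The remaining steps are outside the hunk, so check them; a step that needs write access should receive the token explicitly rather than this setting being reverted. A comment on the new line such as `# no later step pushes with git` would record that the check was made.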
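Review bot: Removing the workflow-level `permissions:` block from test-all.yml leaves the file without a default, so any job that lacks its own `permissions:` key falls back to the repository or organisation default for `GITHUB_TOKEN`, which may be read/write. Only the jobs touched by this diff are visible; to keep other or future jobs at least privilege, keep a top-level default such as `permissions:` with `contents: read` and let individual jobs widen it. The removed block granted `checks: write` and `pull-requests: write`, so confirm that no step in these jobs posts check runs or PR comments, since those calls would now be rejected.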
@@ -28,8 +26,11 @@ jobs:
 unit-and-integration-tests:
 name: Unit and Integration Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
@@ -49,8 +50,11 @@ jobs:
 matrix:
 os: [ubuntu-latest, windows-latest]
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
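Review bot: `actions/checkout@v5` and `actions/setup-node@v5` in the unit-and-integration-tests job, and in every other job this commit touches, are referenced by a mutable tag, so the code that runs with the job's token can change without any change to this repository. As part of the same hardening, pin each action to a full commit SHA and keep the tag as a trailing comment, for example `- uses: actions/checkout@<full-commit-sha>  # v5` (placeholder; take the SHA from the action's release). If Dependabot's github-actions updates are enabled for the repository, they can keep such pins current.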