diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 2087af6..ee48bcd 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,16 +4,19 @@ on:
 push:
 branches:
 - main
- - "releases/**"
+ - releases/**
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 publish_mapmatching_docker_image_to_acr:
 name: Publish Map Matching Docker image to ACR
 permissions:
 id-token: write
 contents: read
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
 with:
 docker_image_name: jore4-postgres-mapmatching
 build_arm64_image: true
@@ -28,7 +31,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
 with:
 docker_image_name: jore4-postgres-azuredbmock
 build_arm64_image: true
@@ -134,7 +137,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Start up postgresql docker container
 run: |
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
index 1eb9de0..66402ae 100644
--- a/.github/workflows/check-renovatebot-config.yml
+++ b/.github/workflows/check-renovatebot-config.yml
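Review bot: The two publish jobs in cd.yml keep `id-token: write` while calling the shared workflow through a movable tag (`@shared-build-and-publish-docker-image-v6`), so whatever commit that tag points to at run time can request an OIDC token, presumably the one used for the ACR login. Pinning the reference to the full commit SHA behind the tag and keeping the tag as a trailing comment, `uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@<full-commit-sha>  # shared-build-and-publish-docker-image-v6`, would make the reviewed code and the executed code the same, and Renovate can keep the SHA current. The same applies to the second `uses:` bump in the next hunk, to `actions/checkout@v6` in the third hunk and in test-docker-compose.yml, and to the `shared-check-renovatebot-config-v2` reference. Because this workflow also triggers on `pull_request`, it is worth confirming that the shared workflow only pushes images for `main` and `releases/**`; that logic is not visible in this diff.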
@@ -3,9 +3,12 @@ name: Check renovatebot config
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 validate:
 name: Validate renovatebot config
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
 with:
 config_file_path: .github/renovate.json5
diff --git a/.github/workflows/test-docker-compose.yml b/.github/workflows/test-docker-compose.yml
index d5afda4..37d01f8 100644
--- a/.github/workflows/test-docker-compose.yml
+++ b/.github/workflows/test-docker-compose.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches: [main, releases/**]
+permissions:
+ contents: read
+
 jobs:
 test-docker-compose:
 name: verify docker-compose setup
@@ -12,7 +15,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Start postgres databases in docker-compose
 run: docker compose up -d