diff --git a/.github/workflows/_security-checks.yaml b/.github/workflows/_security-checks.yaml
index d84eeda..269cfb0 100644
--- a/.github/workflows/_security-checks.yaml
+++ b/.github/workflows/_security-checks.yaml
@@ -3,16 +3,19 @@ name: Security checks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   trivy:
     name: Trivy scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Scan repo
-        uses: aquasecurity/trivy-action@0.29.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -26,10 +29,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
           node-version: '22'
 
diff --git a/.github/workflows/_static-checks.yaml b/.github/workflows/_static-checks.yaml
index 8e8b6b1..4868e9f 100644
--- a/.github/workflows/_static-checks.yaml
+++ b/.github/workflows/_static-checks.yaml
@@ -3,6 +3,9 @@ name: Static checks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint and format checks
diff --git a/.github/workflows/on-pr.yaml b/.github/workflows/on-pr.yaml
index 6cec6a6..ebef0ee 100644
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -14,4 +14,3 @@ jobs:
   static-checks:
     name: Static checks
     uses: ./.github/workflows/_static-checks.yaml
-    secrets: inherit