diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
index 74ceafd..694c94c 100644
--- a/.github/workflows/codespell.yaml
+++ b/.github/workflows/codespell.yaml
@@ -4,14 +4,16 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   codespell:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: codespell-project/actions-codespell@v2
+      - uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579  # v2.2
diff --git a/.github/workflows/scan-build.yaml b/.github/workflows/scan-build.yaml
index 40bcbdf..95ea112 100644
--- a/.github/workflows/scan-build.yaml
+++ b/.github/workflows/scan-build.yaml
@@ -14,6 +14,8 @@ on:
       - '**.cpp'
       - '**/CMakeLists.txt'
 
+permissions: {}
+
 jobs:
   scan-build:
     strategy:
@@ -37,7 +39,7 @@ jobs:
       run:
         shell: ${{ matrix.shell }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Install dependencies (apt)
         if: ${{ startsWith(matrix.os, 'ubuntu') }}
         run: |
@@ -45,7 +47,7 @@ jobs:
           sudo apt-get install coreutils build-essential libssl-dev
       - name: Install dependencies (msys2)
         if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d  # v2.31.0
         with:
           release: false
           update: false
@@ -75,7 +77,9 @@ jobs:
             cmake --build . -v
       - name: Store report
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7.0.0
         with:
           name: scan-build-reports-${{ matrix.os }}
           path: build/scan-build-reports
+          if-no-files-found: error
+          compression-level: 9  # highly compressible
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index ae254f1..5671278 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -14,6 +14,8 @@ on:
       - '**.cpp'
       - '**/CMakeLists.txt'
 
+permissions: {}
+
 jobs:
   ctest:
     strategy:
@@ -27,7 +29,7 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Install dependencies (apt)
         if: ${{ startsWith(matrix.os, 'ubuntu') }}
         run: |
@@ -45,7 +47,7 @@ jobs:
     # Just build with emscripten. There is no way to test the build yet.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Setup emsdk
         uses: mymindstorm/setup-emsdk@6ab9eb1bda2574c4ddb79809fc9247783eaf9021
         with: