diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml
index e4d3c314..a2b10cd1 100644
--- a/.github/workflows/dispatch-workflow.yml
+++ b/.github/workflows/dispatch-workflow.yml
@@ -21,6 +21,9 @@ on:
 type: number
 default: 1
+permissions:
+ contents: read
+
 jobs:
 repositories:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml
index cd1dc231..77b40cb4 100644
--- a/.github/workflows/lint-yaml.yml
+++ b/.github/workflows/lint-yaml.yml
@@ -10,6 +10,9 @@ name: Lint
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 yaml-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index b6828556..0d8e1962 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -11,6 +11,9 @@ name: REUSE Compliance Check
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 reuse-compliance-check:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml
index 3eaf3c8e..316ba144 100644
--- a/workflow-templates/appstore-build-publish.yml
+++ b/workflow-templates/appstore-build-publish.yml
@@ -12,6 +12,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: write
+
 jobs:
 build_and_publish:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml
index e9e39751..70b29b29 100644
--- a/workflow-templates/command-compile.yml
+++ b/workflow-templates/command-compile.yml
@@ -11,6 +11,9 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 init:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml
index 24ce4a22..dbac01ee 100644
--- a/workflow-templates/command-openapi.yml
+++ b/workflow-templates/command-openapi.yml
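Review bot: Adding a top-level `permissions:` block sets every scope not listed (other than `metadata`) to none, so any job in dispatch-workflow.yml that still relied on the default `GITHUB_TOKEN` grants for a write now needs its own job-level `permissions:` override; the `repositories` job and whatever follows it are outside this hunk, so that cannot be confirmed here. The same caveat applies to every other hunk in this commit that adds `contents: read`, and judging only by the job names, documentation.yml (`build-and-deploy`), npm-audit-fix.yml and both update-nextcloud-ocp templates look like the ones most likely to push commits or open pull requests with the token, so their job bodies are worth checking before this ships. Where a job uses a PAT or app token instead, nothing changes. A one-line comment above each new block, e.g. `# Least-privilege default for the whole workflow; jobs needing more override at job level`, would make the intent clear to consumers of these templates.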
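Review bot: `contents: write` at the workflow top level in appstore-build-publish.yml grants write access to every job, including any added later, whereas presumably only the step that publishes the build to the release needs it. Keeping the top-level floor at `contents: read` and moving the elevation under `build_and_publish:` as `permissions:` / `  contents: write` keeps the rest of the template at least privilege and puts the reason for the grant next to the step that uses it. The same scoping point applies to the top-level `pull-requests: write` added in pr-feedback.yml on a later hunk. With a single job the effective grant is identical today, so this is a scoping and readability point rather than a functional defect.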
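Review bot: command-compile.yml and command-openapi.yml (next hunk) are triggered by `issue_comment`, which runs on the default branch with the base repository's token, so a `contents: read` floor is the right default here; however the `init` job and the jobs after it are outside the hunk, and a comment-driven workflow of this kind typically pushes its result back to the pull request's head branch. If that push uses `GITHUB_TOKEN`, the job doing it now needs an explicit job-level `permissions:` with `contents: write`, and that grant should stay scoped to that job rather than widening this top-level block. It is also worth confirming that the job which checks out the commented pull request's head still gates on the commenter's association before any elevated step runs; that logic is not visible in this hunk.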
@@ -11,6 +11,9 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 init:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml
index 9d7244f4..8eaa82dc 100644
--- a/workflow-templates/cypress.yml
+++ b/workflow-templates/cypress.yml
@@ -24,6 +24,10 @@ env:
 # n.b. server will use head_ref, as we want to test the PR branch.
 BRANCH: ${{ github.base_ref || github.ref_name }}
+
+permissions:
+ contents: read
+
 jobs:
 init:
 runs-on: ubuntu-latest-low
diff --git a/workflow-templates/dependabot-approve-merge.yml b/workflow-templates/dependabot-approve-merge.yml
index ff4417a8..583fd481 100644
--- a/workflow-templates/dependabot-approve-merge.yml
+++ b/workflow-templates/dependabot-approve-merge.yml
@@ -9,7 +9,7 @@ name: Dependabot
 on:
- pull_request_target: # zizmor: ignore[dangerous-triggers]
+ pull_request:
 branches:
 - main
 - master
@@ -24,7 +24,7 @@ concurrency:
 jobs:
 auto-approve-merge:
- if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
 runs-on: ubuntu-latest-low
 permissions: # for hmarr/auto-approve-action to approve PRs
diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml
index ca15d46a..289a3401 100644
--- a/workflow-templates/documentation.yml
+++ b/workflow-templates/documentation.yml
@@ -13,6 +13,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 build-and-deploy:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml
index b3d4c266..462f2a24 100644
--- a/workflow-templates/npm-audit-fix.yml
+++ b/workflow-templates/npm-audit-fix.yml
@@ -14,6 +14,9 @@ on:
 # At 2:30 on Sundays
 - cron: '30 2 * * 0'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
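Review bot: The new condition `if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'` in dependabot-approve-merge.yml gates on who opened the pull request, while the old `github.actor` check gated on who triggered the run; since `pull_request` also fires on `synchronize`, a commit pushed to a bot-opened branch by any account with push access now gets auto-approved and merged without review. If that is intended (for example a maintainer using "Update branch" on a Dependabot PR), a comment above the `if:` saying so would help; otherwise keep the stronger gate by also requiring the pushing actor, e.g. `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'` with the same pair for renovate. Moving from `pull_request_target` to `pull_request` also means a Dependabot-triggered run gets a read-only `GITHUB_TOKEN` unless the job's `permissions:` block (which continues outside the hunk) elevates `pull-requests` and `contents`, so that block should be verified against what hmarr/auto-approve-action and the merge step need. renovate-approve-merge.yml on a later hunk makes the same two changes and the same points apply there.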
diff --git a/workflow-templates/pr-feedback.yml b/workflow-templates/pr-feedback.yml
index cda79480..7d496690 100644
--- a/workflow-templates/pr-feedback.yml
+++ b/workflow-templates/pr-feedback.yml
@@ -15,6 +15,10 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 pr-feedback:
 if: ${{ github.repository_owner == 'nextcloud' }}
diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml
index ff88c6cf..cbac517f 100644
--- a/workflow-templates/psalm-matrix.yml
+++ b/workflow-templates/psalm-matrix.yml
@@ -14,6 +14,9 @@ concurrency:
 group: psalm-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 matrix:
 runs-on: ubuntu-latest-low
diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml
index c2d2e862..452186ee 100644
--- a/workflow-templates/psalm.yml
+++ b/workflow-templates/psalm.yml
@@ -14,6 +14,9 @@ concurrency:
 group: psalm-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 static-analysis:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/renovate-approve-merge.yml b/workflow-templates/renovate-approve-merge.yml
index 2e10cf40..7d1c3f89 100644
--- a/workflow-templates/renovate-approve-merge.yml
+++ b/workflow-templates/renovate-approve-merge.yml
@@ -9,7 +9,7 @@ name: Auto approve renovate PRs
 on:
- pull_request_target: # zizmor: ignore[dangerous-triggers]
+ pull_request:
 branches:
 - main
 - master
@@ -24,7 +24,7 @@ concurrency:
 jobs:
 auto-approve-merge:
- if: github.actor == 'renovate[bot]'
+ if: github.event.pull_request.user.login == 'renovate[bot]'
 runs-on: ubuntu-latest
 permissions: # for hmarr/auto-approve-action to approve PRs
diff --git a/workflow-templates/reuse.yml b/workflow-templates/reuse.yml
index b6828556..0d8e1962 100644
--- a/workflow-templates/reuse.yml
+++ b/workflow-templates/reuse.yml
@@ -11,6 +11,9 @@ name: REUSE Compliance Check
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 reuse-compliance-check:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml
index 4e0f1457..e7537ef6 100644
--- a/workflow-templates/update-nextcloud-ocp-matrix.yml
+++ b/workflow-templates/update-nextcloud-ocp-matrix.yml
@@ -13,6 +13,9 @@ on:
 schedule:
 - cron: '5 2 * * 0'
+permissions:
+ contents: read
+
 jobs:
 update-nextcloud-ocp:
 runs-on: ubuntu-latest
diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml
index 90abc74b..ebb1d9f2 100644
--- a/workflow-templates/update-nextcloud-ocp.yml
+++ b/workflow-templates/update-nextcloud-ocp.yml
@@ -13,6 +13,9 @@ on:
 schedule:
 - cron: "5 2 * * 0"
+permissions:
+ contents: read
+
 jobs:
 update-nextcloud-ocp:
 runs-on: ubuntu-latest