diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml
index cc04e96ea..260338a23 100644
--- a/.github/actions/lint/action.yml
+++ b/.github/actions/lint/action.yml
@@ -3,4 +3,4 @@ description: 'Lint using devcontainer'
 runs:
   using: 'docker'
   image: '../../../.devcontainer/Dockerfile'
-  entrypoint: ".github/actions/lint/run.sh"
+  entrypoint: "/github/workspace/.github/actions/lint/run.sh"
diff --git a/.github/actions/test/action.yml b/.github/actions/test/action.yml
index 4e4cf0011..71bb888ce 100644
--- a/.github/actions/test/action.yml
+++ b/.github/actions/test/action.yml
@@ -3,4 +3,4 @@ description: 'Test using devcontainer'
 runs:
   using: 'docker'
   image: '../../../.devcontainer/Dockerfile'
-  entrypoint: ".github/actions/test/run.sh"
+  entrypoint: "/github/workspace/.github/actions/test/run.sh"
diff --git a/.github/workflows/ros.yaml b/.github/workflows/ros.yaml
index 026a447d7..4f1f3302c 100644
--- a/.github/workflows/ros.yaml
+++ b/.github/workflows/ros.yaml
@@ -1,4 +1,6 @@
 name: ROS C++ Testing and Linting
+permissions:
+  contents: read
 
 on:
   push:
@@ -14,6 +16,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Test
         uses: ./.github/actions/test/
 
@@ -27,6 +31,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Run linter
         uses: ./.github/actions/lint/
         env:
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index f483d412c..719cd6829 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - Ruff
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,8 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
-      - uses: astral-sh/ruff-action@v3
+      - uses: astral-sh/ruff-action@eaf0ecdd668ceea36159ff9d91882c9795d89b49 # v3
       - name: Ruff Check
         run: ruff check --fix
       - name: Ruff Format
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 4db07240e..8b78bc882 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -5,6 +5,8 @@
 # For more information, see:
 # https://github.com/github/super-linter
 name: Lint Code Base (Super-Linter)
+permissions:
+  contents: read
 
 on:
   push:
@@ -18,8 +20,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint Code Base
         uses: github/super-linter@v7