diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f09fb76..02ac668 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,6 +21,8 @@ on:
 schedule:
 - cron: "22 8 * * 0"
 
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 965d940..a4772bb 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -10,7 +10,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 env:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2d9e6b6..d953d12 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
 branches:
 - main
 
-permissions: read-all
+permissions: {}
 
 env:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -72,5 +72,5 @@ jobs:
 - name: Semantic Release
 uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
 env:
- GITHUB_TOKEN: ${{ secrets.PAT }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f6eb744..ba5d9db 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
 workflow_call:
 workflow_dispatch:
 
-permissions:
- contents: read
- packages: read
- statuses: read
+permissions: {}
 
 jobs:
 stale:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index b5906ea..9c1652a 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 jobs:
 labels:
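Review bot: With `permissions: {}` at workflow level in codeql.yml, the `analyze` job gets no token scopes unless it declares its own block, and that block is not visible in this hunk (the job body continues past it). CodeQL's result upload needs `security-events: write`, plus `contents: read` and `actions: read` on private repositories, so confirm the job grants them or the scan will run and then fail to publish findings. The same check applies to the `stale` job in stale.yml and the `labels` job in sync-labels.yml, which presumably need `issues: write` (and `pull-requests: write` for stale). A comment above the new line, `# Deny by default; each job declares only the scopes it needs`, would tell the next editor why a job without its own block stops working.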
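Review bot: In pr-lint.yml the workflow-level `env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }}`, kept as context below the new `permissions: {}`, still hands the registry token to every step of every job, including third-party actions and any package install scripts run during lint. Emptying the GITHUB_TOKEN scopes does not cover that secret; moving it into an `env:` block on the single step that talks to the registry would match the least-privilege intent of this change. The first publish.yml hunk shows the same workflow-level entry. Which steps actually need the token cannot be seen from these hunks.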
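Review bot: Switching the Semantic Release step in publish.yml from `secrets.PAT` to `secrets.GITHUB_TOKEN` combines with the new top-level `permissions: {}` in the same file: the token carries no scopes unless the job declares them, and the job's header is outside this hunk. semantic-release normally needs `contents: write`, `issues: write` and `pull-requests: write` on the job to tag, publish the release and comment on resolved issues. Two behaviours also differ from a PAT and are worth a comment on the `GITHUB_TOKEN:` line: tags and releases created with GITHUB_TOKEN do not start other workflows, and the token cannot push past branch protection on `main` if the release configuration commits files back. Dropping the long-lived PAT is the right direction; please confirm the release path was exercised with the new token.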