diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e92a994..3b7b200 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,9 +8,13 @@ on: pull_request: branches: [main, develop] +permissions: {} + jobs: test: runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -33,7 +37,7 @@ jobs: - name: Get composer cache directory id: composer-cache - run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache composer dependencies uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 @@ -63,6 +67,8 @@ jobs: coverage: runs-on: ubuntu-latest name: Coverage + permissions: + contents: read steps: - name: Checkout code @@ -92,6 +98,8 @@ jobs: security: runs-on: ubuntu-latest name: Security Analysis + permissions: + contents: read steps: - name: Checkout code diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d6a6498..53011ea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: - name: Get tag name id: tag - run: echo "name=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + run: echo "name=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" - name: Extract changelog for this version id: changelog 
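Review bot: The workflow-level `permissions: {}` added in the first ci.yml hunk should carry a one-line comment, because a job added later without its own `permissions` block gets a token with no scopes and fails in a way that is not obvious from the job definition. Something like `# Default-deny: every job must declare the token scopes it needs.` directly above it is enough. The `test`, `coverage` and `security` jobs each get `contents: read`. Their steps lie mostly outside these hunks, so whether any of them needs a further scope (for example to publish results) cannot be confirmed from here.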
@@ -49,14 +49,16 @@ jobs: # Get content between this version and next version header awk '/^## \[${{ steps.tag.outputs.name }}\]/{flag=1; next} /^## \[/{flag=0} flag' CHANGELOG.md > /tmp/changelog.txt if [ -s /tmp/changelog.txt ]; then - echo "content<> $GITHUB_OUTPUT - cat /tmp/changelog.txt >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT + { + echo "content<> "$GITHUB_OUTPUT" else - echo "content=Release ${{ steps.tag.outputs.name }}" >> $GITHUB_OUTPUT + echo "content=Release ${{ steps.tag.outputs.name }}" >> "$GITHUB_OUTPUT" fi else - echo "content=Release ${{ steps.tag.outputs.name }}" >> $GITHUB_OUTPUT + echo "content=Release ${{ steps.tag.outputs.name }}" >> "$GITHUB_OUTPUT" fi - name: Archive source code diff --git a/.github/workflows/test-coverage.yaml b/.github/workflows/test-coverage.yaml index 851544b..19c89d2 100644 --- a/.github/workflows/test-coverage.yaml +++ b/.github/workflows/test-coverage.yaml @@ -8,7 +8,7 @@ on: push: branches: [main] -permissions: read-all +permissions: {} jobs: test: @@ -51,8 +51,8 @@ jobs: - name: "Add Code Coverage to Job Summary" run: | - cat code-coverage-summary.md >> $GITHUB_STEP_SUMMARY - cat code-coverage-details.md >> $GITHUB_STEP_SUMMARY + cat code-coverage-summary.md >> "$GITHUB_STEP_SUMMARY" + cat code-coverage-details.md >> "$GITHUB_STEP_SUMMARY" - name: "Add Code Coverage Summary as PR Comment" uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
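Review bot: The release.yml changelog hunk still expands `${{ steps.tag.outputs.name }}` inside the `run:` script, in the `awk` pattern and in both `echo "content=Release …"` lines, so quoting `"$GITHUB_OUTPUT"` does not stop the tag name from being interpreted as shell. The expression is substituted into the script text before the shell starts, and ref names may contain shell metacharacters, so anyone able to push a tag controls part of the script in a job that publishes releases. Pass the value through `env:` and read it as a shell variable or via awk's `ENVIRON`, which also makes the header match literal rather than a regex. The step's `run:` block begins outside this hunk and the heredoc lines are garbled on this page, so the sketch below covers only the lines that reference the tag.

```yaml
      - name: Extract changelog for this version
        id: changelog
        env:
          TAG_NAME: ${{ steps.tag.outputs.name }}
        run: |
          # … unchanged: outer if and comment …
          awk 'index($0, "## [" ENVIRON["TAG_NAME"] "]") == 1 {flag=1; next} /^## \[/{flag=0} flag' CHANGELOG.md > /tmp/changelog.txt
          # … unchanged: heredoc write of /tmp/changelog.txt to "$GITHUB_OUTPUT" …
          echo "content=Release $TAG_NAME" >> "$GITHUB_OUTPUT"
```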
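Review bot: The first test-coverage.yaml hunk sets `permissions: {}` without giving the `test` job a job-level `permissions` block, unlike ci.yml where every job received `contents: read` in the same commit. The job later runs `marocchino/sticky-pull-request-comment`, which needs `pull-requests: write` to post its comment. `read-all` never granted that scope, so a job-level block presumably exists outside the hunk. If it does, confirm it lists only what the job uses, e.g. `contents: read` and `pull-requests: write`. If it does not, the job now runs with an empty token and the comment step will fail.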