diff --git a/.github/workflows/assembleFlavors.yml b/.github/workflows/assembleFlavors.yml
index cb975d7ac..5aedc804b 100644
--- a/.github/workflows/assembleFlavors.yml
+++ b/.github/workflows/assembleFlavors.yml
@@ -1,31 +1,34 @@
 name: "Assemble"
 on:
- pull_request:
- branches: [ master, stable-* ]
+ pull_request:
+ branches: [ master, stable-* ]
+
+# Declare default permissions as read only.
+permissions: read-all
 jobs:
- flavor:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- flavor: [ Generic, Gplay ]
- steps:
- - uses: actions/checkout@v3
- - name: set up JDK 11
- uses: actions/setup-java@v3
- with:
- distribution: "temurin"
- java-version: 11
- - name: Build ${{ matrix.flavor }}
- run: |
- echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" >> gradle.properties
- ./gradlew assemble${{ matrix.flavor }}
- - name: Archive apk
- uses: actions/upload-artifact@v3
- if: ${{ always() }}
- with:
- name: Nextcloud-APK
- path: app/build/outputs/apk/**/**/*.apk
- retention-days: 5
+ flavor:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ flavor: [ Generic, Gplay ]
+ steps:
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+ - name: set up JDK 11
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
+ with:
+ distribution: "temurin"
+ java-version: 11
+ - name: Build ${{ matrix.flavor }}
+ run: |
+ echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" >> gradle.properties
+ ./gradlew assemble${{ matrix.flavor }}
+ - name: Archive apk
+ uses: actions/upload-artifact@v3
+ if: ${{ always() }}
+ with:
+ name: Nextcloud-APK
+ path: app/build/outputs/apk/**/**/*.apk
+ retention-days: 5
diff --git a/.github/workflows/autoApproveDependabot.yml b/.github/workflows/autoApproveDependabot.yml
index 66c92bd55..8deb91bf1 100644
--- a/.github/workflows/autoApproveDependabot.yml
+++ b/.github/workflows/autoApproveDependabot.yml
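Review bot: In assembleFlavors.yml the `Archive apk` step still references `actions/upload-artifact@v3`, a mutable tag, while `actions/checkout` and `actions/setup-java` in the same job are now pinned to commit SHAs. Pin it the same way, `uses: actions/upload-artifact@<full-commit-sha> # v3`, where the SHA is a placeholder to be taken from the release the project has vetted. Separately, `permissions: read-all` grants read access on every token scope; the visible steps appear to need only repository contents, so `contents: read` under `permissions:` would be tighter here and likewise in check.yml and gradle-wrapper-validation.yml.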
@@ -3,11 +3,14 @@ on:
 pull_request_target:
 branches: [ master, stable-* ]
+permissions:
+ pull-requests: write
+
 jobs:
 auto-approve:
 runs-on: ubuntu-latest
 steps:
- - uses: hmarr/auto-approve-action@v3.1.0
+ - uses: hmarr/auto-approve-action@de8ae18c173c131e182d4adf2c874d8d2308a85b # v3.1.0
 if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 0f1e10a78..6cd5cd65a 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [ master, stable-* ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 check:
 runs-on: ubuntu-latest
@@ -12,9 +15,9 @@ jobs:
 matrix:
 task: [ detekt, ktlintCheck ]
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
 - name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
 with:
 distribution: "temurin"
 java-version: 11
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index ad99040a4..0e649b2e9 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -4,10 +4,13 @@ on:
 pull_request:
 branches: [ master, stable-* ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 validation:
 name: "Validation"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: gradle/wrapper-validation-action@v1
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+ - uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index b8c028da5..c28bc95b5 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
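Review bot: In autoApproveDependabot.yml the approval is gated on `github.actor`, which names the account that triggered the run rather than the author of the pull request, and this hunk now explicitly grants `pull-requests: write` to a `pull_request_target` workflow. Tie the gate to the PR author by replacing `github.actor` with `github.event.pull_request.user.login` in both comparisons of the `if:` line. The job checks out no code in the visible lines, so the exposure is limited to the approval itself, but the approval should not depend on who caused the latest event. A comment above the new block would also record why the token is writable: `# pull-requests: write is needed only to submit the approving review`.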
@@ -4,6 +4,10 @@ on:
 pull_request:
 branches: [ master, stable-* ]
+permissions:
+ pull-requests: write
+ contents: read
+
 jobs:
 qa:
 runs-on: ubuntu-latest
@@ -11,11 +15,11 @@ jobs:
 - name: Check if secrets are available
 run: echo "::set-output name=ok::${{ secrets.KS_PASS != '' }}"
 id: check-secrets
- - uses: actions/checkout@v3
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
 if: ${{ steps.check-secrets.outputs.ok == 'true' }}
 - name: set up JDK 11
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
 if: ${{ steps.check-secrets.outputs.ok == 'true' }}
- uses: actions/setup-java@v3
 with:
 distribution: "temurin"
 java-version: 11
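Review bot: In the second qa.yml hunk the `Check if secrets are available` step still emits its result through the `::set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file. A hardening pass is a good moment to switch it: `run: echo "ok=${{ secrets.KS_PASS != '' }}" >> "$GITHUB_OUTPUT"`; the step id and the `steps.check-secrets.outputs.ok` conditions stay as they are. The job continues outside the hunk, so the step that needs `pull-requests: write` is not visible here; a one-line comment above that permission naming the step would document why the token is writable.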