diff --git a/.github/workflows/downstream_updates.yml b/.github/workflows/downstream_updates.yml
index ba8794a0f..7e6e61e3b 100644
--- a/.github/workflows/downstream_updates.yml
+++ b/.github/workflows/downstream_updates.yml
@@ -9,6 +9,7 @@ on:
         description: 'Version of the submodule to update downstream repos to'
         required: true
         type: string
+permissions: read-all
 
 jobs:
   update-dependencies:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index cc52ec08e..aaada37fb 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,16 +1,19 @@
 name: "Pull Request"
 on: [pull_request]
+permissions: read-all
 
 jobs:
 
   analyze:
+    permissions:
+      statuses: write
     runs-on: macos-14
     env:
       # Infer 1.0.1 cannot parse the iOS 15 SDK headers
       DEVELOPER_DIR: /Applications/Xcode_15.4.app
     steps:
     - name: Checkout pull request HEAD
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - name: Install dependencies
@@ -21,16 +24,19 @@ jobs:
       run: make oclint
 
   danger:
+    permissions:
+      pull-requests: write
+      statuses: write
     runs-on: macos-14
     steps:
     - name: Checkout target branch
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         ref: ${{ github.base_ref }}
     - name: Build framework
       run: xcodebuild -project Bugsnag.xcodeproj -configuration Release -target Bugsnag-iOS -destination generic/platform=iOS -quiet clean build VALID_ARCHS=arm64 RUN_CLANG_STATIC_ANALYZER=NO && mv build build.base
     - name: Checkout pull request merge branch
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         clean: false
         fetch-depth: 100
diff --git a/.github/workflows/update_docs.yml b/.github/workflows/update_docs.yml
index c482febc6..59e89600e 100644
--- a/.github/workflows/update_docs.yml
+++ b/.github/workflows/update_docs.yml
@@ -2,16 +2,17 @@ name: "Update Docs"
 on:
   release:
     types: [published]
+permissions: read-all
 
 jobs:
   build:
     runs-on: macos-latest
     steps:
       - name: Checkout bugsnag-cocoa
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Checkout docs branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           ref: gh-pages
           path: docs
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 000000000..c0541d810
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+*       @robert-smartbear @kstenerud @tomlongridge