diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index a83f08b..bf11dbb 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -14,6 +14,12 @@ on:
     paths:
       - .github/workflows/**
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   actionlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index c695b0f..3d99689 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -7,6 +7,12 @@ name: Create release pull request
 on:
   workflow_dispatch:
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   create-release-pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/metacheck.yml b/.github/workflows/metacheck.yml
index d1fe6c0..9f73174 100644
--- a/.github/workflows/metacheck.yml
+++ b/.github/workflows/metacheck.yml
@@ -10,6 +10,12 @@ on:
   pull_request:
     types: [ opened, synchronize, reopened ]  # Same as default
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   meta-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 724bcdc..7446f2c 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -7,6 +7,12 @@ on:
   pull_request:
     types: [ opened ]
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   pr-labeler:
     if: github.event.pull_request.head.repo.fork == false # Skip on public fork
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index df560b4..2e655b9 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -13,6 +13,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   release-drafter:
     if: github.repository_owner == 'nowsprinting' # Skip on forked repo
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5312dcf..3e782fa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,12 @@ on:
     paths:
       - package.json
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   check-bump-version:
     if: github.repository_owner == 'nowsprinting' # Skip on forked repo
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6d86c82..3b80719 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,6 +22,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   test:
     if: github.event.pull_request.head.repo.fork == false # Skip on public fork, because can not read secrets.