diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 63b2b0d..932f3e7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -14,7 +17,8 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Set up Docker Build
-      uses: docker/setup-buildx-action@v3.4.0
+      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0 
+      # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v
 
     - name: Build current Docker image with tests
       run: |
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 3f1ab64..bc81f99 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -1,5 +1,8 @@
 name: Code Analysis
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/compatability-matrix.yml b/.github/workflows/compatability-matrix.yml
index ff7b076..87ba7b1 100644
--- a/.github/workflows/compatability-matrix.yml
+++ b/.github/workflows/compatability-matrix.yml
@@ -1,5 +1,8 @@
 name: Compatibility Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
diff --git a/.github/workflows/docker-matrix.yml b/.github/workflows/docker-matrix.yml
index e874b96..a49dcef 100644
--- a/.github/workflows/docker-matrix.yml
+++ b/.github/workflows/docker-matrix.yml
@@ -1,5 +1,8 @@
 name: Docker Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
@@ -18,7 +21,8 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Set up Docker Build
-      uses: docker/setup-buildx-action@v3.4.0
+      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0 
+      # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v
 
     - name: Build current Docker image with tests
       run: |