diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e781dc2..2bd062a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,15 +6,21 @@ on:
 pull_request:
 branches: [ main ]

+permissions: { }
+
 env:
 CARGO_TERM_COLOR: always

 jobs:
 build-n-test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - name: Check out code
+ - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false

 - name: Cache dependencies
 uses: Swatinem/rust-cache@v2
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
new file mode 100644
index 0000000..7a242b6
--- /dev/null
+++ b/.github/workflows/pinact.yml
@@ -0,0 +1,20 @@
+name: Pinact
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ pinact:
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Pin actions
+ uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index ea73281..3c7cd73 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -3,9 +3,7 @@ name: Prepare Release
 on:
 workflow_dispatch:

-permissions:
- contents: write
- pull-requests: write
+permissions: { }

 env:
 CARGO_TERM_COLOR: always
@@ -13,12 +11,16 @@ env:
 jobs:
 crate-release-pull-request:
 runs-on: ubuntu-latest
-
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false

 # TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`.
 # See: https://github.com/taiki-e/install-action
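Review bot: `actions/checkout@v4` and `Swatinem/rust-cache@v2` are still referenced by mutable major tags, while the pinact.yml workflow added in this same commit pins by commit SHA with a version comment; pinning these the same way (`uses: actions/checkout@<sha> # v4.x`, with the real SHA) would complete the hardening the read-only token and `persist-credentials: false` start here, since a moved tag otherwise decides what code runs in the job. If the intent is that pinact-action rewrites these references on the next pull request, a short comment saying so would explain the interim mismatch. As a style point, `permissions: { }` is conventionally written `permissions: {}`; the same spelling appears in the release-prepare and release-publish hunks.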
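Review bot: The pinact job requests `contents: write` while its checkout step discards the token with `persist-credentials: false`, so nothing visible in this hunk can use the write grant; whether pinact-action needs write (to push pinning commits) or only read (to fail the check) is not shown here and should be confirmed against the action's inputs, and if it only verifies, `contents: read` is the tighter scope. On `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of this setting, so a push-based mode would not work for fork PRs anyway. A one-line comment above `permissions:` stating which mode is intended would make the grant reviewable.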
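Review bot: `persist-credentials: false` on the checkout in the crate-release-pull-request job removes the token from the repository's git config, so any later step that pushes the release branch or opens the pull request (the reason the job now holds `contents: write` and `pull-requests: write`) must supply credentials explicitly; those steps lie outside this hunk, so please confirm one of them provides a token, otherwise the push will fail with an authentication error. If that is already handled, a comment on the checkout step such as `# token is supplied explicitly by the push/PR step below` would document the dependency.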
@@ -67,6 +69,7 @@ jobs:
 --no-tag \
 --no-confirm \
 --execute \
+ --sign \
 --verbose
 new_version=$(cargo pkgid | cut -d@ -f2)
 echo "Proposed new version=$new_version"
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index b4beb8f..5a24f9e 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -6,17 +6,21 @@ name: Publish Release
 # tags:
 # - 'v*.*.*'

+permissions: { }
+
 jobs:
 release:
 runs-on: ubuntu-latest
 permissions:
- contents: write
-
+ contents: read
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false

- - name: Create tag
- # TODO fetch version and create tag
+ # TODO fetch version and create tag
+ #- name: Create tag
 # TODO create release ??
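Review bot: `--sign` asks cargo-release to GPG-sign the commit (and tag) it creates, which only works if a signing key has been imported into the runner and git's `user.signingkey` points at it; no such step is visible in this hunk, and the enclosing `run:` block starts outside it, so confirm an earlier step imports the key from a secret or the release command will fail at commit time. A shell comment on its own line before the `cargo release` invocation, e.g. `# --sign needs the GPG key imported by the signing-setup step`, would make the prerequisite explicit (a trailing comment on the `--sign \` line itself would break the backslash continuation). If no signing step exists yet, the flag should be dropped until one is added.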