diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index be0e9fa3..e5e9fb64 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,6 +39,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index c417e888..9e8d20c6 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -3,6 +3,8 @@ name: PR Validation
 on:
 pull_request:
+permissions: {}
+
 env:
 NODE_VERSION: 18.17.1
 TEST_RESULTS_DIRECTORY: .
@@ -17,11 +19,13 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Build VSIX
 uses: ./.github/actions/build-vsix
 with:
- node_version: ${{ env.NODE_VERSION}}
+ node_version: ${{ env.NODE_VERSION }}
 lint:
 name: Lint
@@ -29,6 +33,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Lint
 uses: ./.github/actions/lint
@@ -52,6 +58,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: ${{ env.special-working-directory-relative }}
+ persist-credentials: false
 # Install bundled libs using 3.9 even though you test it on other versions.
 - name: Use Python 3.9
diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
index b667bb9c..0f01dde3 100644
--- a/.github/workflows/pr-labels.yml
+++ b/.github/workflows/pr-labels.yml
@@ -12,9 +12,12 @@ jobs:
 add-pr-label:
 name: 'Ensure Required Labels'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - name: 'PR impact specified'
- uses: mheap/github-action-required-labels@v5
+ uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0
 with:
 mode: exactly
 count: 1
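Review bot: The checkout step in codeql-analysis.yml now drops the persisted token, but unlike pr-check.yml and push-check.yml in this same diff the workflow receives no top-level `permissions:` block in this hunk. If the file has none elsewhere, the job runs with the repository's default token scopes; add `permissions: {}` at the top and grant the analysis job only `contents: read` and `security-events: write`, which is what the CodeQL upload needs. `actions/checkout@v4` also remains a mutable major tag here while pr-labels.yml in the same commit pins its action to a full commit SHA, so pin checkout the same way (`uses: actions/checkout@<full-sha> # v4.x.y`). The enclosing job starts before and ends after this hunk.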
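Review bot: `permissions: {}` in the `@@ -3,6 +3,8 @@` hunk of pr-check.yml strips every scope from GITHUB_TOKEN and none of the jobs in the later hunks restore one; `actions/checkout` clones with that token, which works for a public repository but will most likely fail on a private one, where `contents: read` is required. If the repository is or may become private, add `contents: read` under a job-level (or top-level) `permissions:` rather than relying on the empty map alone. The `${{ env.NODE_VERSION }}` change is a whitespace fix only, and `actions/checkout@v4` is still a floating tag in all three checkout hunks while this commit pins pr-labels.yml's action to a SHA; pin checkout to a commit SHA with a `# vX.Y.Z` trailer for the same supply-chain reason. The jobs in these hunks start and end outside the shown lines.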
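Review bot: The new job-level `permissions:` in pr-labels.yml grants `issues: write` and `pull-requests: write`, yet the visible `with:` inputs (`mode: exactly`, `count: 1`, cut off after that) describe a label check that appears to need only read access. Unless the rest of the `with:` block turns on the action's comment-on-failure behaviour, reduce both to `pull-requests: read` and drop `issues` so a compromised version of the action cannot relabel or comment with the token. The SHA pin with the `# v5.5.0` trailer is the right form for Dependabot/Renovate to keep it current. No top-level `permissions:` for this workflow appears in the diff; if the file lacks one, add `permissions: {}` so other jobs do not inherit the repository default scopes. The step's `with:` block continues past the hunk.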
diff --git a/.github/workflows/push-check.yml b/.github/workflows/push-check.yml
index b6110bc3..722446af 100644
--- a/.github/workflows/push-check.yml
+++ b/.github/workflows/push-check.yml
@@ -8,6 +8,8 @@ on:
 - 'release/*'
 - 'release-*'
+permissions: {}
+
 env:
 NODE_VERSION: 18.17.1
 TEST_RESULTS_DIRECTORY: .
@@ -22,11 +24,13 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Build VSIX
 uses: ./.github/actions/build-vsix
 with:
- node_version: ${{ env.NODE_VERSION}}
+ node_version: ${{ env.NODE_VERSION }}
 lint:
 name: Lint
@@ -34,6 +38,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Lint
 uses: ./.github/actions/lint
@@ -57,6 +63,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: ${{ env.special-working-directory-relative }}
+ persist-credentials: false
 # Install bundled libs using 3.9 even though you test it on other versions.
 - name: Use Python 3.9
diff --git a/.vscode/settings.json b/.vscode/settings.json
index f45b00b4..0de09696 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -20,4 +20,6 @@
 "editor.defaultFormatter": "charliermarsh.ruff",
 "editor.formatOnSave": true
 },
+ "git.branchProtection": ["main"],
+ "git.branchRandomName.enable": true,
 }
\ No newline at end of file
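Review bot: `actions/checkout@v4` in all three checkout hunks of push-check.yml is still a floating major tag, whereas the same commit pins `mheap/github-action-required-labels` to a full commit SHA; a workflow that builds the VSIX on pushes to `release/*` branches is exactly where a repointed tag would matter, so pin it as `uses: actions/checkout@<full-sha> # v4.x.y`. The new top-level `permissions: {}` also leaves GITHUB_TOKEN with no scopes, and on a private repository `actions/checkout` needs `contents: read`; if that applies, add it under `permissions:` on each job. `persist-credentials: false` is correctly applied to every checkout, including the one with a custom `path:`, so no token is left in the working tree for the composite actions or the Python steps that follow. The jobs shown start and end outside these hunks.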
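Review bot: The added `"git.branchRandomName.enable": true,` in .vscode/settings.json leaves a trailing comma before the closing `}` and the file still ends without a newline (`\ No newline at end of file`). VS Code parses settings.json as JSONC so the editor accepts it, but any strict JSON tooling that reads the file (pre-commit hooks, `jq`, schema validators) will reject the trailing comma; drop the comma on the last member and terminate the file with a newline. `"git.branchProtection": ["main"]` only makes the editor prompt before committing to `main` locally and is not a substitute for a server-side branch protection rule.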