diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 53e71ae..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: msimerson
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9054b6f..f215e45 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,9 +11,13 @@ env:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     uses: NicTool/.github/.github/workflows/lint.yml@main
 
   coverage:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Start MySQL
@@ -37,6 +41,8 @@ jobs:
           github-token: ${{ secrets.github_token }}
 
   get-lts:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - id: get
@@ -49,6 +55,8 @@ jobs:
       min: ${{ steps.get.outputs.min }}
 
   test:
+    permissions:
+      contents: read
     needs: [ get-lts ]
     runs-on: ${{ matrix.os }}
     strategy:
@@ -67,11 +75,13 @@ jobs:
       - run: npm test
 
   test-mac:
+    permissions:
+      contents: read
     needs: [ get-lts ]
     runs-on: macos-latest
     strategy:
       matrix:
-        node-version: ${{ fromJson(needs.get-lts.outputs.lts) }}
+        node-version: ${{ fromJson(needs.get-lts.outputs.active) }}
       fail-fast: false
     steps:
       - name: Install & Start MySQL
@@ -88,11 +98,13 @@ jobs:
       - run: npm test
 
   test-win:
+    permissions:
+      contents: read
     needs: [ get-lts ]
     runs-on: windows-latest
     strategy:
       matrix:
-        node-version: ${{ fromJson(needs.get-lts.outputs.lts) }}
+        node-version: ${{ fromJson(needs.get-lts.outputs.active) }}
         experimental: [true]
       fail-fast: false
     steps:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 46e21d1..bddfa1e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,4 +11,8 @@ on:
 
 jobs:
   codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: NicTool/.github/.github/workflows/codeql.yml@main
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5fb3fdf..897946c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,8 @@ env:
 
 jobs:
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - run: sudo /etc/init.d/mysql start
@@ -22,6 +24,9 @@ jobs:
       - run: npm test
 
   publish-npm:
+    permissions:
+      contents: read
+      id-token: write
     needs: build
     runs-on: ubuntu-latest
     steps: