diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b49a251..b4c8208 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,23 +6,26 @@ on: tags: pull_request: +permissions: + contents: read + packages: write + jobs: build: runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: + - name: checkout + uses: actions/checkout@v6 + with: + persist-credentials: false + - name: set up go uses: actions/setup-go@v6 with: go-version: "1.24" id: go - - name: checkout - uses: actions/checkout@v6 - - name: free disk space run: | sudo rm -rf /usr/share/dotnet @@ -48,11 +51,11 @@ jobs: COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v4 - name: set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: available platforms run: echo ${{ steps.buildx.outputs.platforms }} diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 1151e67..120e5ab 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 + persist-credentials: false - name: Run Claude Code Review id: claude-review diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 44d70d9..cc8ddd2 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -29,6 +29,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 + persist-credentials: false - name: Run Claude Code id: claude diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e484d4e..da1dda6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,9 @@ on: tags: - '*' +permissions: + contents: write + jobs: goreleaser: runs-on: ubuntu-latest 
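Review bot: Moving `permissions` from the `build` job to the workflow level widens the `packages: write` grant to every job in ci.yml, so any job other than `build` defined below this hunk now receives a token that can push packages. The least-privilege form keeps only `permissions:` / `  contents: read` at the workflow level and restores `permissions:` / `  contents: read` / `  packages: write` under `build:` (a job-level block replaces the workflow-level set rather than extending it, so `contents: read` must be repeated there). The actions introduced or bumped in this commit (`actions/checkout@v6`, `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4`, and `goreleaser/goreleaser-action@v7` in release.yml) are pinned to mutable major tags; pinning to a full commit SHA with the tag in a trailing comment keeps the workflows from silently picking up a re-tagged release. The `build` job's remaining steps continue beyond the hunk.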
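Review bot: With `persist-credentials: false` the checkout no longer leaves `GITHUB_TOKEN` in `.git/config`, so the `Run Claude Code Review` step that follows can only reach GitHub if it is handed a token through its own inputs or `env:`; that step's configuration is outside the hunk, so confirm it does not depend on the checked-out credentials (the identical hunk in claude.yml has the same question). Since this step presumably runs on pull-request content, it is also worth confirming that the job's `permissions` block (outside the hunk) grants only what posting a review needs, such as `pull-requests: write` and `contents: read`, rather than inheriting a broad default.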
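Review bot: The new workflow-level `contents: write` grant carries no explanation; add `# goreleaser needs contents: write to create the release and upload assets` above it so a later reviewer does not narrow it to `read`. The grant applies to every job in release.yml, so confirm `goreleaser` is the only job (the rest of the file is outside the hunk); if further jobs are added, move `contents: write` down to the `goreleaser` job.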
@@ -13,6 +16,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: set up go uses: actions/setup-go@v6 @@ -20,7 +24,7 @@ jobs: go-version: 1.24 - name: run goreleaser - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@v7 with: version: latest args: release --clean diff --git a/.golangci.yml b/.golangci.yml index e367001..e8dfc82 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -20,6 +20,11 @@ linters: - nestif - errorlint settings: + gosec: + excludes: + - G118 + - G120 + - G705 goconst: min-len: 2 min-occurrences: 2 @@ -47,6 +52,12 @@ linters: - linters: - staticcheck text: at least one file in a package should have a package comment + - linters: + - prealloc + text: "Consider preallocating" + - linters: + - staticcheck + text: "QF1012" - linters: - dupl - gosec
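Review bot: goreleaser authenticates to the release API with a `GITHUB_TOKEN` environment variable rather than the checkout's git credentials, so the new `persist-credentials: false` on the `fetch-depth: 0` checkout is only complete if the `run goreleaser` step sets `env:` / `  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; that step's `env` block, if any, lies outside the hunks shown, so confirm it is present. The adjacent `go-version: 1.24` in the next hunk is unquoted while ci.yml writes `"1.24"`; quoting it here as well avoids the float-coercion trap (a future `1.20` would parse as `1.2`) and keeps the two workflows consistent.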
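Review bot: The three new gosec excludes (`G118`, `G120`, `G705`) silence security rules for the whole module with no record of why, and the `prealloc` / `staticcheck QF1012` exclusions added in the second .golangci.yml hunk have the same gap. Put a one-line justification on each entry, e.g. `- G118  # <finding>: false positive because <reason>; reviewed <date>`, so the suppression can be revisited when gosec changes; where only a few call sites trigger a rule, a per-line `// #nosec G118 -- reason` annotation is narrower than a config-wide exclude. In the second hunk the new `text:` values are double-quoted while the existing `text: at least one file in a package should have a package comment` is plain, so pick one form; and since `text` is a regex, anchoring `"QF1012"` as `"^QF1012"` (if the staticcheck message starts with the check ID) keeps it from matching an unrelated message that merely contains the token.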