diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fc9f855 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" # Location of your workflow files + schedule: + interval: "weekly" # Options: daily, weekly, monthly diff --git a/.github/workflows/binder-on-pr.yml b/.github/workflows/binder-on-pr.yml index 8fc5b8f..5ac8807 100644 --- a/.github/workflows/binder-on-pr.yml +++ b/.github/workflows/binder-on-pr.yml @@ -1,5 +1,7 @@ # Reference https://mybinder.readthedocs.io/en/latest/howto/gh-actions-badges.html name: Binder Badge +permissions: + contents: read on: pull_request_target: types: [opened] diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 46b6c63..ed6fec0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,4 +1,6 @@ name: Docs +permissions: + contents: read on: [push, pull_request] @@ -11,8 +13,10 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Conda environment with Micromamba - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2 with: environment-file: dev-environment.yml - name: Install @@ -21,7 +25,7 @@ jobs: run: make -C docs html - name: Publish if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 82ab3e0..4dc09f9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,4 +1,6 @@ name: Tests +permissions: + contents: read on: push: 
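Review bot: The workflow-level `permissions: contents: read` added to binder-on-pr.yml sets every other token scope to none, and this workflow runs on `pull_request_target` for newly opened PRs. If the job (outside this hunk) posts the badge as a PR comment with `GITHUB_TOKEN`, as the referenced mybinder recipe does, that call will presumably be rejected. Keep the read-only default at workflow level and grant the one scope on the job that comments, `permissions: { pull-requests: write }`.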
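Review bot: With `permissions: contents: read` now at the top of docs.yml, the `Publish` step in the last hunk of this file still hands `secrets.GITHUB_TOKEN` to `peaceiris/actions-gh-pages`, which pushes the built site to a branch and needs write access to contents. Unless the job already declares its own permissions in lines not shown, publishing from `main` will fail after this change. Add `permissions: { contents: write }` on that job only. Alternatively, move `Publish` into a separate job gated on the push to `main`, so the build that also runs for pull requests stays read-only.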
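Review bot: `actions/checkout@v4` stays on a mutable tag in this docs.yml hunk while `mamba-org/setup-micromamba` next to it is pinned to a full commit SHA. The same holds for the checkout steps in main.yml, release.yml and update_galata_references.yaml. For a consistent pinning policy, pin it the same way, `uses: actions/checkout@<full-commit-sha> # v4`, taking the SHA from a release the project has verified. The new Dependabot config can then keep both the SHA and the version comment current.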
@@ -20,9 +22,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Conda environment with Micromamba - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2 with: environment-file: dev-environment.yml @@ -64,9 +68,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Conda environment with Micromamba - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2 with: environment-file: dev-environment.yml create-args: >- @@ -134,7 +140,7 @@ jobs: # https://github.com/pymmcore-plus/pymmcore-widgets/blob/5e233384e223ca00101ef4b741d3c525a5cff9c9/.github/workflows/cron.yml#L49 - name: Report Failures if: failure() && github.event_name == 'schedule' - uses: JasonEtco/create-an-issue@v2 + uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OS: ${{ matrix.os }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d924c41..3c95ced 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,6 @@ name: Publish Package +permissions: + contents: read on: release: @@ -9,9 +11,11 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Conda environment with Micromamba - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2 with: environment-name: ipympl-release create-args: >- diff --git a/.github/workflows/update_galata_references.yaml b/.github/workflows/update_galata_references.yaml index 4070260..b047c88 100644 --- a/.github/workflows/update_galata_references.yaml +++ b/.github/workflows/update_galata_references.yaml 
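Review bot: The `Report Failures` step in main.yml passes `GITHUB_TOKEN` to `JasonEtco/create-an-issue`, but the `permissions: contents: read` block this commit adds at the top of the file removes the `issues` scope from that token. Scheduled failures would then no longer be reported, and a failing reporting step is easy to miss. Grant the scope on the job that contains this step, `permissions: { contents: read, issues: write }`, and leave the workflow default read-only. The job header is outside this hunk, so confirm it does not already declare permissions.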
@@ -29,6 +29,7 @@ jobs: uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} + persist-credentials: false - name: Checkout the branch from the PR that triggered the job run: gh pr checkout ${{ github.event.issue.number }} @@ -36,7 +37,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install Conda environment with Micromamba - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2 with: environment-file: dev-environment.yml create-args: >-
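Review bot: `persist-credentials: false` on this checkout keeps the token out of the local git config, so any later `git push` in this job has no credentials. `gh pr checkout` itself only receives the token through its `GITHUB_TOKEN` env. If a later step (outside this hunk) commits and pushes the updated references back to the PR branch, it will need explicit authentication, for example by running `gh auth setup-git` before the push. This workflow is also the only one in the commit without a `permissions:` block. Declaring the scopes it needs at job level would make its write access explicit.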