diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml index a7920b628..75927ca85 100644 --- a/.github/workflows/housekeeping.yaml +++ b/.github/workflows/housekeeping.yaml @@ -33,6 +33,9 @@ jobs: trivy: name: Scan with trivy runs-on: ubuntu-22.04 + permissions: + contents: write + security-events: write steps: - name: Checkout repository @@ -56,6 +59,8 @@ jobs: codeql: name: Analyze with codeql runs-on: ubuntu-22.04 + permissions: + security-events: write strategy: fail-fast: false @@ -84,6 +89,7 @@ jobs: link_checker: name: Link checker runs-on: ubuntu-22.04 + steps: - name: Checkout markdown uses: actions/checkout@v4.1.1 @@ -98,10 +104,14 @@ jobs: stale: name: Tidy pull requests runs-on: ubuntu-22.04 + permissions: + pull-requests: write + steps: - name: Close stale PRs uses: actions/stale@v9 with: + days-before-issue-stale: -1 stale-pr-message: 'This PR is stale because it has been open 21 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.' close-pr-message: 'This PR was closed because it has been stalled for 28 days with no activity.' days-before-pr-stale: 21 diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index d80b45590..0c040a3c3 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -366,9 +366,12 @@ jobs: if: ${{ always() }} scan_image_with_trivy: - name: Site trivy scan + name: Scan with trivy runs-on: ubuntu-22.04 needs: [build_docker_image] + permissions: + contents: write + steps: # Need .trivyignore - name: Checkout diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 5bc4cbf8f..e5755af4e 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -16,6 +16,7 @@ jobs: link_checker: name: Link checker runs-on: ubuntu-22.04 + steps: - name: Checkout markdown uses: actions/checkout@v4.1.1 
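Review bot: `contents: write` on the `trivy` job is broader than a scan needs; checking out the repository to read `.trivyignore` requires only `contents: read`, and uploading findings to code scanning is already covered by the `security-events: write` the hunk grants. Unless a later step (outside this hunk) commits files back, the block should read `contents: read` / `security-events: write`. A job-level `permissions` block only narrows the token for that job; jobs in this workflow without one, such as `link_checker`, still inherit the repository default, so if the top of the file (not shown) has no workflow-level `permissions: contents: read`, add one.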
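Review bot: Declaring only `security-events: write` on the `codeql` job sets every other scope, including `contents` and `actions`, to `none`; GitHub's CodeQL guidance pairs it with `actions: read` and `contents: read` because the analysis checkout and the upload step's run-status lookup rely on them. On a public repository the checkout may still succeed anonymously, but the grant should be explicit rather than incidental, so add `actions: read` and `contents: read` to the block. The job's steps continue beyond the hunk, so I cannot see whether anything else in it needs a scope.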
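Review bot: The new `pull-requests: write` grant on the `stale` job goes to a step referenced by the floating major tag `uses: actions/stale@v9`, while the checkout steps in this file are pinned to an exact version; a write-capable token combined with a mutable tag is where a compromised upstream release does the most damage. Pin the action to a full commit SHA with the version in a trailing comment, or at least to an exact release tag. `days-before-issue-stale: -1` correctly limits the run to pull requests, which matches the job name.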
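Review bot: `contents: write` on `scan_image_with_trivy` in `pull_request.yaml` exceeds what the visible step needs, since the `# Need .trivyignore` checkout is a read. For `pull_request` runs from forks the token is read-only regardless, but for same-repository branches this hands a write-capable token to a job that runs a third-party scanner against a freshly built image; `contents: read` is sufficient for the checkout. If the steps after `Checkout` (outside this hunk) upload SARIF to code scanning they need `security-events: write`, which this block does not grant, so the scan may silently lose its upload rather than gain anything from `contents: write`.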
@@ -30,6 +31,7 @@ jobs: md_linter: name: Lint markdown runs-on: ubuntu-22.04 + steps: - name: Checkout markdown uses: actions/checkout@v4.1.1 @@ -44,6 +46,8 @@ jobs: codeql: name: Analyze with codeql runs-on: ubuntu-22.04 + permissions: + security-events: write strategy: fail-fast: false @@ -73,6 +77,7 @@ jobs: defaults: run: working-directory: td.server + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -105,6 +110,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -137,6 +143,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -170,6 +177,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -209,6 +217,7 @@ jobs: runs-on: ubuntu-22.04 needs: [site_unit_tests, server_unit_tests] if: github.repository == 'OWASP/threat-dragon' + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -249,6 +258,7 @@ jobs: name: Upload to Heroku runs-on: ubuntu-22.04 needs: [build_docker_image] + steps: - name: Pull docker image run: docker pull ${{ env.IMAGE_NAME }} @@ -278,6 +288,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -322,6 +333,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -372,6 +384,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Checkout uses: actions/checkout@v4.1.1 @@ -419,6 +432,7 @@ jobs: name: Site zap scan runs-on: ubuntu-22.04 needs: [build_docker_image] + steps: - name: Run Threat Dragon run: | @@ -463,9 +477,12 @@ jobs: if: ${{ always() }} scan_image_with_trivy: - name: Site trivy scan + name: Scan with trivy runs-on: ubuntu-22.04 needs: [build_docker_image] + permissions: + contents: write + steps: # Need .trivyignore - name: Checkout 
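Review bot: The `codeql` job in `push.yaml` gets only `security-events: write`, which drops `contents` and `actions` to `none` for that job; add `actions: read` and `contents: read` as recommended for the CodeQL workflow, so the checkout and the upload step are not relying on anonymous access that would break on a private mirror. The job's remaining steps are outside the hunk.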
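Review bot: `contents: write` on `scan_image_with_trivy` in `push.yaml` is more than the `# Need .trivyignore` checkout requires, and on a `push` workflow the token is fully write-capable, so this grants repository write access to a job whose only visible repository interaction is a read. Prefer `contents: read`, adding `security-events: write` only if the steps after `Checkout` (outside this hunk) upload results to code scanning. If a later step does need to push, say so in a comment on the block, as the hunk gives no hint why write is required.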
@@ -482,6 +499,7 @@ jobs: name: SBOM web application runs-on: ubuntu-22.04 needs: [e2e_smokes] + steps: - name: Check out uses: actions/checkout@v4.1.1 @@ -542,6 +560,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Check out uses: actions/checkout@v4.1.1 @@ -584,6 +603,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Check out uses: actions/checkout@v4.1.1 @@ -636,6 +656,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Check out uses: actions/checkout@v4.1.1 @@ -673,6 +694,7 @@ jobs: defaults: run: working-directory: td.vue + steps: - name: Check out uses: actions/checkout@v4.1.1