diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..26e51f376
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# This file is used by Github to prevent pull requests from modifying CI
+# workflow files without approval.
+#
+# https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-codeowners-to-monitor-changes
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+.github/ @evazion
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 4644a2bdb..d201c6987 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -17,6 +17,11 @@ name: Docker Build
 # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
 on: [push, create]
 
+# https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions
+permissions:
+  packages: write
+
 jobs:
   docker-build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 72aa78d71..a83496425 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -2,6 +2,9 @@ name: Test
 
+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
+permissions: read-all
+
 on:
   # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run
   workflow_run:
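Review bot: The header comment says this file prevents pull requests from modifying workflow files without approval, but a CODEOWNERS file on its own only requests a review; the blocking effect exists only while the default branch's protection rule requires review from Code Owners, which is what the first linked page describes. I would add a line after the second comment line: `# Only enforced when the branch protection rule "Require review from Code Owners" is enabled.` It is also worth noting in the comment that the `.github/` pattern covers this file itself, so changes to the ownership list go through the same review gate.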
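Review bot: Declaring only `packages: write` at the workflow level sets every unlisted GITHUB_TOKEN scope to none, so if the docker-build job (its steps are outside this hunk) checks out the repository through the token it now also needs `contents: read` listed beside `packages: write`. The second linked page documents job-level `permissions`; moving the block under `jobs.docker-build` instead of the workflow root would confine the write scope to the one job that pushes the image, which matters because `on: [push, create]` runs it for every push and for branch or tag creation. The job body continues outside the hunk.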