diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 212268e..4beba0e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,17 +7,21 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [windows-latest, macos-latest, ubuntu-latest]
-        node-version: [18.x]
+        node-version: [22.x]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ matrix.node-version }}
     - run: npm ci
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5ac354d..bcc5f29 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,7 +38,9 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/azure-pipelines/publish.yml b/azure-pipelines/publish.yml
index 064a222..2f35918 100644
--- a/azure-pipelines/publish.yml
+++ b/azure-pipelines/publish.yml
@@ -33,15 +33,15 @@ extends:
         testPlatforms:
           - name: Windows
             nodeVersions:
-              - 18.x
+              - 22.x
 
           - name: macOS
             nodeVersions:
-              - 18.x
+              - 22.x
 
           - name: Linux
             nodeVersions:
-              - 18.x
+              - 22.x
 
         testSteps:
           - script: npm ci