diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..f288d7e
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,10 @@
+/.github/ @nikuscs
+/package.json @nikuscs
+/bun.lock @nikuscs
+/tsconfig.json @nikuscs
+/tsconfig.build.json @nikuscs
+/vitest.config.ts @nikuscs
+/index.ts @nikuscs
+/src/ @nikuscs
+/tests/ @nikuscs
+/HomebrewFormula/ @nikuscs
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7c0c8bc..23d336d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,16 +6,19 @@ on:
     tags: ['v*'] # Only on version tags
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
-      - uses: oven-sh/setup-bun@v1
+      - uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1
         with:
           bun-version: latest
 
@@ -30,14 +33,17 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
           fetch-tags: true
 
-      - uses: oven-sh/setup-bun@v1
+      - uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1
         with:
           bun-version: latest
 
@@ -55,7 +61,7 @@ jobs:
           bun run build:binary:windows
 
       - name: Setup Node.js for NPM
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '24'
           registry-url: 'https://registry.npmjs.org'
@@ -109,4 +115,4 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add HomebrewFormula/glooit.rb
           git commit -m "chore: update Homebrew formula for $VERSION" || exit 0
-          git push origin HEAD:main
\ No newline at end of file
+          git push origin HEAD:main
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ee756ac..891d0d1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,14 +6,20 @@ on:
   push:
     branches: [main]
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
-      - uses: oven-sh/setup-bun@v1
+      - uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1
         with:
           bun-version: latest
 
@@ -30,4 +36,4 @@ jobs:
         run: bun run test
 
       - name: Build
-        run: bun run build
\ No newline at end of file
+        run: bun run build