diff --git a/.github/workflows/auto-close-issues.yml b/.github/workflows/auto-close-issues.yml
index c882f4a843..627f85832d 100644
--- a/.github/workflows/auto-close-issues.yml
+++ b/.github/workflows/auto-close-issues.yml
@@ -7,13 +7,18 @@ on:
 - 2.0
 - dev-2.0
+permissions:
+ contents: read
+ issues: write
+ pull-requests: read
+
 jobs:
 close_issues:
 if: github.event.pull_request.merged == true
 runs-on: ubuntu-latest
 steps:
 - name: Close linked issues on non-default branches
- uses: processing/branch-pr-close-issue@v1
+ uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 branch: dev-2.0
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
index 9410a25a43..7b448daf8d 100644
--- a/.github/workflows/ci-lint.yml
+++ b/.github/workflows/ci-lint.yml
@@ -7,15 +7,19 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Use Node.js 20.x
- uses: actions/setup-node@v1
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20.x
 - name: Get node modules
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index ebf61a1d3f..4183ac7554 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -8,14 +8,19 @@ on:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Use Node.js 20.x
- uses: actions/setup-node@v1
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20.x
 - name: Get node modules
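Review bot: The pinned `actions/checkout` SHA in ci-lint.yml is annotated `# v4.3.1` and the `actions/setup-node` SHA `# v4.4.0`, while the identical SHAs in stewards-update.yml carry only `# v4`; record the exact release tag behind every SHA so the pin can be checked against the upstream tag and bumped consistently by tooling, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` in both files. The same applies to the ci-test.yml hunk on this line, to `# v1` on `processing/branch-pr-close-issue` in auto-close-issues.yml, and to the bare SHAs on `JS-DevTools/npm-publish` and `peter-evans/create-pull-request` later in the commit, which carry no version comment at all. `persist-credentials: false` is the right default for lint and test, since neither job pushes anything back to the repository.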
@@ -27,6 +32,8 @@ jobs:
 env:
 CI: true
 - name: report test coverage
- run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json
- env:
- CI: true
+ if: always() && hashFiles('coverage/coverage-final.json') != ''
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+ with:
+ files: coverage/coverage-final.json
+ fail_ci_if_error: false
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 74e500b5e6..cc10da56c3 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,12 +3,13 @@ on:
 issues:
 types: [opened, edited]
 permissions:
+ contents: read
 issues: write
 jobs:
 triage:
 runs-on: ubuntu-latest
 steps:
- - uses: github/issue-labeler@v3.2
+ - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 configuration-path: .github/labeler.yml
diff --git a/.github/workflows/release-workflow-v2.yml b/.github/workflows/release-workflow-v2.yml
index 4cd8fe562c..dff9a450b2 100644
--- a/.github/workflows/release-workflow-v2.yml
+++ b/.github/workflows/release-workflow-v2.yml
@@ -18,13 +18,15 @@ jobs:
 INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
 steps:
 # 1. Setup
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: 20
 - name: Get semver info
 id: semver
- uses: akshens/semver-tag@v4
+ uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
 with:
 version: ${{ github.ref_name }}
@@ -51,7 +53,7 @@ jobs:
 # 2. Prepare release files
 - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
 - name: Create release zip file
- uses: TheDoctor0/zip-release@0.6.2
+ uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
 with:
 type: zip
 filename: release/p5.zip
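Review bot: `if: always() && hashFiles(...)` on the coverage step in ci-test.yml runs the upload even when the job is cancelled, because `always()` overrides cancellation; `!cancelled()` keeps the run-after-failure behaviour without that, and since a bare `!` starts a YAML tag the expression must be wrapped, `if: ${{ !cancelled() && hashFiles('coverage/coverage-final.json') != '' }}`. Replacing the `curl | bash` uploader with a SHA-pinned action is the substantive win of this hunk; the `# v5` comment should name the exact codecov-action release the SHA was taken from so the pin can be verified upstream. Whether tokenless upload is sufficient depends on the repository's Codecov configuration, which this diff does not show; if uploads from fork PRs start failing, a `token:` input from a repository secret is the usual remedy.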
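Review bot: `INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}` at job level in release-workflow-v2.yml (a context line at the top of the `@@ -18` hunk; the job header is outside it) exposes the npm publish token to every step of the job, including the third-party `akshens/semver-tag` and `TheDoctor0/zip-release` actions, which are now SHA-pinned but still run with that secret in their environment. The `Publish to NPM` step passes `token: ${{ secrets.NPM_TOKEN }}` explicitly, so if nothing else reads `INPUT_TOKEN` the job-level `env:` entry can be removed, confining the secret to the one step that needs it. Separately, this file stays on `actions/checkout` and `actions/setup-node` `# v3` while the other workflows in this commit move to v4; aligning them avoids maintaining two pinned lines of the same action.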
@@ -62,15 +64,15 @@ jobs:
 # 3. Release p5.js
 - name: Create GitHub release
- uses: softprops/action-gh-release@v0.1.15
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
 with:
 draft: true
 prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
 files: release/*
 generate_release_notes: true
- token: ${{ secrets.ACCESS_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
 - name: Publish to NPM
- uses: JS-DevTools/npm-publish@v1
+ uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939
 with:
 token: ${{ secrets.NPM_TOKEN }}
 tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }}
@@ -78,13 +80,14 @@ jobs:
 # 4. Update p5.js website
 - name: Clone p5.js website
 if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 repository: processing/p5.js-website
 ref: '2.0'
 path: website
 fetch-depth: 0
 token: ${{ secrets.ACCESS_TOKEN }}
+ persist-credentials: false
 - name: Updated website files
 if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
 run: |
@@ -105,9 +108,9 @@ jobs:
 git commit -m "Update p5.js to ${{ github.ref_name }}"
 - name: Push updated website repo
 if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
- uses: ad-m/github-push-action@v0.6.0
+ uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
 with:
 github_token: ${{ secrets.ACCESS_TOKEN }}
 branch: '2.0'
 directory: website/
- repository: processing/p5.js-website
+ repository: processing/p5.js-website
\ No newline at end of file
diff --git a/.github/workflows/stewards-update.yml b/.github/workflows/stewards-update.yml
index e7d004d595..86fe00c5c7 100644
--- a/.github/workflows/stewards-update.yml
+++ b/.github/workflows/stewards-update.yml
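Review bot: Switching `token:` on `softprops/action-gh-release` to `${{ secrets.GITHUB_TOKEN }}` requires `contents: write` for this job, and release-workflow-v2.yml is the one workflow in this commit that gains no `permissions:` block; if the top of the file (outside these hunks) does not already grant it, add `permissions:` with `contents: write` on the job, otherwise the draft release fails on repositories whose default token is read-only. Releases created with `GITHUB_TOKEN` also do not trigger other workflows listening on `release` events, which matters if anything downstream relied on the PAT-created release. The `JS-DevTools/npm-publish` pin on this hunk has no `# vX` comment, unlike every other pin in the commit; add the tag the SHA corresponds to.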
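Review bot: The `@@ -105` hunk of release-workflow-v2.yml rewrites `repository: processing/p5.js-website` only to drop the file's trailing newline (`\ No newline at end of file` now applies to the new side); restore the final newline so the file ends cleanly and this line stops showing as changed. The website clone in the `@@ -78` hunk and the push step here both use the `ACCESS_TOKEN` PAT; `persist-credentials: false` on that checkout is correct because `ad-m/github-push-action` receives the token explicitly, but if that PAT is a classic token it should be replaced by a fine-grained token limited to write access on `processing/p5.js-website`, or a GitHub App installation token, so a leak from this job cannot reach other repositories. The `run: |` step opened at the end of the `@@ -78` hunk continues outside it.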
@@ -7,15 +7,21 @@ on:
 - stewards.yml
 workflow_dispatch:
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 build:
 if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -32,11 +38,10 @@ jobs:
 git checkout -- .
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
 with:
 commit-message: "Update README table from stewards.yml"
 branch: update-readme-table
 title: "chore: update README table from stewards.yml"
 body: "This PR updates the README.md table to reflect changes in stewards.yml."
 add-paths: README.md
- token: ${{ secrets.ACCESS_TOKEN }}
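Review bot: Dropping `token: ${{ secrets.ACCESS_TOKEN }}` from the `Create Pull Request` step in stewards-update.yml makes `peter-evans/create-pull-request` fall back to `GITHUB_TOKEN`, and pull requests opened with that token do not trigger `pull_request` workflows, so ci-lint.yml and ci-test.yml will no longer run on the `update-readme-table` PR; if that is acceptable, say so in a comment on the step, e.g. `# GITHUB_TOKEN: PR will not trigger CI workflows; README-only change`, otherwise keep a scoped token (a GitHub App installation token is the common alternative to a PAT). The workflow-level `contents: write` and `pull-requests: write` added in the first hunk are what that fallback needs, so the two hunks are consistent, though a job-level `permissions:` would keep the grant from applying to any job added later. The `create-pull-request` SHA carries no `# vX` comment; add the release tag it was pinned from so the pin is auditable like the others.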