diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 94f65e9..4fb4d9e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,13 @@ updates:
     schedule:
       interval: "weekly"
       day: "saturday"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 5c68500..b114754 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -4,12 +4,16 @@ on:
   push:
     tags: '*'
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v3
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 8ab73a4..3915bdc 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -3,12 +3,15 @@ on:
   push:
     branches: '*'
   pull_request:
+permissions: {}
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Install Rust
       run: |
         rustup toolchain install 1.91 --profile minimal --no-self-update