diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..745ee94
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+.github/workflows/ @nickhammond
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3a626c3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/test-local.yml b/.github/workflows/test-local.yml
index 608f395..3b6f2e6 100644
--- a/.github/workflows/test-local.yml
+++ b/.github/workflows/test-local.yml
@@ -7,12 +7,17 @@ on:
         description: "Base URL of your local Shipyrd instance."
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   test-pre-deploy:
     name: Test pre-deploy notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Run action (pre-deploy)
         uses: ./
@@ -26,7 +31,9 @@ jobs:
     name: Test post-deploy notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Run action (post-deploy, default status)
         uses: ./
@@ -38,7 +45,9 @@ jobs:
     name: Test failed notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Run action (failed)
         uses: ./
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6884613..34bf604 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,12 +4,17 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test-pre-deploy:
     name: Test pre-deploy notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Start mock server
         shell: bash
@@ -32,7 +37,9 @@ jobs:
     name: Test post-deploy notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Start mock server
         shell: bash
@@ -53,7 +60,9 @@ jobs:
     name: Test failed notification
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Start mock server
         shell: bash
@@ -75,7 +84,9 @@ jobs:
     name: Test auth failure exits non-zero
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Start mock server (returns 401)
         shell: bash
@@ -95,9 +106,11 @@ jobs:
           shipyrd-url: http://localhost:8080
 
       - name: Verify step failed
+        env:
+          NOTIFY_OUTCOME: ${{ steps.notify.outcome }}
         shell: bash
         run: |
-          if [ "${{ steps.notify.outcome }}" != "failure" ]; then
+          if [ "$NOTIFY_OUTCOME" != "failure" ]; then
             echo "Expected action to fail on 401 but it succeeded"
             exit 1
           fi