diff --git a/.github/workflows/build-go.yaml b/.github/workflows/build-go.yaml
index e14a352..f893be0 100644
--- a/.github/workflows/build-go.yaml
+++ b/.github/workflows/build-go.yaml
@@ -34,6 +34,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Go ${{ matrix.go-version }}
 uses: actions/setup-go@v5
diff --git a/.github/workflows/format-go.yaml b/.github/workflows/format-go.yaml
index fb8cf60..ffa1045 100644
--- a/.github/workflows/format-go.yaml
+++ b/.github/workflows/format-go.yaml
@@ -32,6 +32,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Go ${{ matrix.go-version }}
 uses: actions/setup-go@v5
diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml
index c044bb3..07d74df 100644
--- a/.github/workflows/lint-go.yaml
+++ b/.github/workflows/lint-go.yaml
@@ -34,6 +34,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Go ${{ matrix.go-version }}
 uses: actions/setup-go@v5
diff --git a/.github/workflows/lint-markdown.yaml b/.github/workflows/lint-markdown.yaml
index 64daaf6..3f90f99 100644
--- a/.github/workflows/lint-markdown.yaml
+++ b/.github/workflows/lint-markdown.yaml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Ruby
 # See https://github.com/ruby/setup-ruby#versioning
diff --git a/.github/workflows/release-binary.yaml b/.github/workflows/release-binary.yaml
index d8ce04c..7d565ce 100644
--- a/.github/workflows/release-binary.yaml
+++ b/.github/workflows/release-binary.yaml
@@ -9,9 +9,6 @@ on:
 - "version.txt"
 workflow_dispatch:
-permissions:
- contents: write
-
 jobs:
 generateTag:
@@ -19,6 +16,8 @@ jobs:
 name: "Auto-generate Git tag whenever version.txt changes"
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ contents: write
 steps:
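Review bot: The checkout step this hunk hardens still pulls `actions/checkout@v4` by a mutable tag, so a moved tag could reintroduce credential persistence or worse; pinning the action to a full commit SHA with the version as a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`) would complete the fix. The same applies to the identical hunks in format-go.yaml, lint-go.yaml and lint-markdown.yaml, and to `actions/setup-go@v5` on the following context line. If these workflows do not already declare a top-level `permissions: contents: read` above the visible lines, adding one would make the read-only token explicit now that it is no longer written into `.git/config`. The step's job definition starts outside the hunk.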
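Review bot: Removing the workflow-level `permissions: contents: write` block leaves any job in release-binary.yaml that does not declare its own `permissions:` on the repository's default `GITHUB_TOKEN` scope, which can still be read/write depending on the repository's workflow-permissions setting; adding an explicit top-level `permissions: contents: read` (or `permissions: {}`) in place of the deleted block keeps least privilege independent of that setting. The `generateTag` job in the @@ -19 hunk correctly opts into `contents: write` at job scope instead. Both hunks sit inside the `on:` and `jobs:` blocks, whose remaining content lies outside the diff.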
@@ -26,6 +25,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: true
 - name: Fetch git tags
 run: git fetch --force --tags
@@ -55,6 +55,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: generateTag
 timeout-minutes: 15
+ permissions:
+ contents: write
 steps:
@@ -62,6 +64,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: true
 - name: Fetch git tags
 run: git fetch --force --tags
@@ -69,7 +72,9 @@ jobs:
 - uses: actions/setup-go@v5
 with:
 go-version: stable
- cache-dependency-path: src/wp2hugo/go.sum
+ # To prevent cache poisoning
+ # Ref: https://woodruffw.github.io/zizmor/audits/#cache-poisoning
+ cache: false
 # More assembly might be required: Docker logins, GPG, etc. It all depends
 # on your needs.
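Review bot: The `persist-credentials: true` added here and in the @@ -62 hunk is already the action's default and deliberately deviates from the `false` used in the other workflows, but nothing at the step says why; a comment on the line such as `# Keep the token: later steps in this job push to the repository` (adjusted to what those steps actually do) would stop a future cleanup from flipping it to `false` and silently breaking the release, the way the `cache: false` change in the @@ -69 hunk is already annotated. Whether a later step really needs the persisted token cannot be confirmed from the hunk, since only `git fetch --force --tags` is visible; the checkout step and its job continue outside the hunk.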
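Review bot: The `contents: write` granted to the second job in the @@ -55 hunk may be broader than it needs; the job is only visible as `needs: generateTag` with a `git fetch --force --tags`, and if it only builds binaries rather than publishing a release, `contents: read` suffices. If the write scope is required by a release step later in the job, a one-line comment on `permissions:` naming that step would document the grant, e.g. `permissions:  # write: <release step name> uploads the release`. The job definition begins before and ends after the hunk.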