diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c846265..4c80cb4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,7 +40,9 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index fcf7dd9..d9672c4 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,34 +5,49 @@ on:
 - cron: '0 2 * * *'
 workflow_dispatch:
+permissions:
+ contents: write
+
 jobs:
 nightly:
 name: Deploy nightly
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
 matrix:
 refs: [master, development]
 runs-on: ubuntu-latest
+ env:
+ SIGNING_KEY_PATH: ${{ github.workspace }}/../private.pem
 steps:
+ - name: Validate signing secret
+ run: |
+ test -n "${{ secrets.PRIVATE_KEY_B64 }}" || {
+ echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
+ exit 1
+ }
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 ref: ${{ matrix.refs }}
 submodules: 'recursive'
+ persist-credentials: false
 - name: Restore private key
 run: |
- echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem
- chmod 600 private.pem
+ echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > "${SIGNING_KEY_PATH}"
+ chmod 600 "${SIGNING_KEY_PATH}"
 - name : Build
 env:
 PICO_SDK_PATH: ../pico-sdk
- SECURE_BOOT_PKEY: ../private.pem
+ SECURE_BOOT_PKEY: ${{ github.workspace }}/../private.pem
 run: |
 ./workflows/autobuild.sh pico
 ./build_pico_hsm.sh --no-eddsa
 ./workflows/autobuild.sh esp32
 - name: Delete private key
- run: rm private.pem
+ if: always()
+ run: rm -f "${SIGNING_KEY_PATH}"
 - name: Update nightly release
 uses: pyTooling/Actions/releaser@v6.7.0
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7d870eb..e7dc268 100644
--- a/.github/workflows/test.yml
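Review bot: `actions/checkout@v4` is still referenced by a mutable tag, and for a job whose purpose is security scanning, pinning the action to its full commit SHA (with the tag kept in a trailing comment) removes the possibility of a re-pointed tag running different code under this job's token; the same applies to the checkout lines in nightly.yml and test.yml in this commit and to `pyTooling/Actions/releaser@v6.7.0` in nightly.yml. Unlike the other two workflows, no `permissions:` block is added here; if the file does not already declare one outside the hunk, the job runs with the repository's default token scope, whereas `security-events: write` with `contents: read` is the explicit minimum a CodeQL upload needs. The enclosing job definition starts before the hunk and its step list continues after it.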
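Review bot: The new Validate step expands `${{ secrets.PRIVATE_KEY_B64 }}` directly into the shell script text, as the Restore step already does, so the secret becomes part of the generated script file rather than an environment variable, and a value containing shell metacharacters would change what the script does. Passing it through `env:` with `PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}` on both steps and testing `"${PRIVATE_KEY_B64}"` keeps the secret out of the script body. `SECURE_BOOT_PKEY` repeats the path literal instead of using `${{ env.SIGNING_KEY_PATH }}`, so the two locations can drift apart. The workflow-level `permissions: contents: write` duplicates the job-level block and widens the default for any job added later; `contents: read` at workflow level with `write` only on `nightly` is the tighter default. The hunk ends inside the release step's `with:` block.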
+++ b/.github/workflows/test.yml
@@ -21,14 +21,20 @@ on:
 - cron: '23 5 * * 4'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository and submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 submodules: recursive
+ persist-credentials: false
 - name: Build in container
 run: ./tests/build-in-docker.sh
 - name: Export image
@@ -45,14 +51,17 @@ jobs:
 test:
 runs-on: ubuntu-latest
 needs: build
+ permissions:
+ contents: read
 strategy:
 matrix:
 suite: ["pkcs11", "pytest", "sc-hsm-pkcs11"]
 steps:
 - name: Checkout repository and submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 submodules: recursive
+ persist-credentials: false
 - name: Retrieve saved image
 uses: actions/download-artifact@v4
 with:
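Review bot: Both hunks add a job-level `permissions: contents: read` that is identical to the workflow-level block introduced in the first hunk, so the declaration now lives in three places that have to be kept in sync; keeping only the workflow-level block, or only the per-job blocks, is simpler and still leaves the token read-only. If the intent is that future jobs must opt in explicitly, the per-job blocks are the ones to keep, with the workflow-level block dropped. The `test` job's step list continues past the end of the second hunk.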