diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 178d985..6768255 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,7 +9,11 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 3
   - package-ecosystem: "github-actions" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e5eee58..88771f0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,15 +4,17 @@ name: Java CI with Maven
 
 on: [pull_request]
 
+permissions: {}
+
 jobs:
   build:
 
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4937dbf..ef3e81c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,18 +6,19 @@ on:
     tags:
       - '[0-9]+.[0-9]+.[0-9]+'
 
+permissions: {}
+
 jobs:
   build:
     if: github
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
-          cache: gradle
       - name: Build with Gradle
         # This just publishes to the local file system; jreleaser is responsible for uploading to maven central
         run: ./gradlew publish
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index 8b10626..8e3584b 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -6,13 +6,15 @@ on:
     branches:
       - 'main'
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
diff --git a/.github/workflows/update-dependancy-graph.yml b/.github/workflows/update-dependancy-graph.yml
index f7d4e09..1f9f256 100644
--- a/.github/workflows/update-dependancy-graph.yml
+++ b/.github/workflows/update-dependancy-graph.yml
@@ -4,18 +4,21 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: write
+
 jobs:
   dependency-graph:
 
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.2
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: gradle
       - name: Submit Dependency Snapshot
-        uses: gradle/actions/dependency-submission@v4
+        uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0